Your Search Results

    Signing Mozilla apps for Mac OS X

    Mac OS X's Gatekeeper functionality prevents users from launching applications that haven't been code-signed, in order to help keep their computers secure. Firefox and Thunderbird releases are both signed before shipping; this article describes the process.

    Signing Mozilla apps without the signing server

    Firefox and Thunderbird are built using Mozilla's Release Automation infrastructure. On Mac OS X, part of this infrastructure is automatic signing of the ".app" folder using Apple's codesign tool. For projects that don't use Mozilla's Release Automation and would like to be signed for secure launching on OS 10.8 Mountain Lion and later, this guide should provide some insight into how to make sure applications are signed correctly using Apple's codesign tool. Apple's Code Signing Guide is also a good resource on the subject.

    Getting a signing certificate

    In order to code-sign an application, you need a signing certificate.

    While testing and debugging

    For test and debug purposes, the easiest way to get a signing certificate is to use Apple's Keychain feature to create one. There are good instructions available under "To use the Certificate Assistant to Create a self-signed signing identity".

    For release

    Creating a Developer ID requires a paid Apple Developer Account. Once you have that you can do the following to create your ID:

    1. Open the Developer Certificate Utility.
    2. Click "Certificates" from the left hand menu.
    3. Click "Create a Certificate" at the top right corner
    4. Select the "Developer ID" radio button and uncheck the "Developer ID Installer Certificate" box.
    5. Click "Create" and follow the instructions in the wizard. It will guide you through creating a private key, certificate signing request, and importing your new Developer ID into the Keychain Access application on your Mac. If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.

    The codesign tool

    Apple provides a tool called codesign; this command-line application is used to add a signature to an application bundle. The man page for codesign is available online, or you can simply type "man codesign" in a Terminal window. The main options of note are:

    • identifier: This must be the same as the value of the CFBundleIdentifier specified in your application's info.plist file.
    • leaf[subject.OU]: This needs to be the subject OU of your Developer ID. You can find it by running this command in the terminal:
    -s your-signing-identity
    Lets you specify the signing certificate you want to sign the application with your-signing-identity is the name of your certificate.
    --keychain /path/to/keychain
    Lets you specify which keychain contains the signing certificate specified by your-signing-identity. The path specified must be a full path; it's usually something similar to /Users/username/Library/Keychains/keychain-name.keychain.
    --resource-rules /path/to/coderesources
    Specifies a file to use when generating the rules to be applied to the code signing. When you're signing Mozilla applications, you'll need to specify a custom CodeResources file here.
    Forces codesign to overwrite an existing signature on the application.
    Increases the verbosity of the codesign tool's output.
    --requirement 'designated requirement'
    Adds additional requirements for verifying the signature and application metadata. At a minimum, you need to provide:
    openssl x509 -text -noout -inform DER -in devloperID_application.cer | grep Subject | grep "Developer ID"

    Putting it all together, you'll wind up using a command similar to the one below to sign your app. You'll of course need to change the signing ID, keychain, bundle path, and requirements.

    codesign -s Mac-Testing -fv \
             --keychain /Users/user/Library/Keychains/MyKeychain.keychain \
             --resource-rules ./ \
             --requirements '=designated =>  identifier "" and ( (anchor apple generic and certificate leaf[field.1.2.840.113635.] ) or (anchor apple generic and    certificate 1[field.1.2.840.113635.]  and    certificate leaf[field.1.2.840.113635.] and    certificate leaf[subject.OU] = "43AQ936H96"))'

    Depending on your keychain preferences, the codesign command may display a popup asking for the password for the specified keychain. Once the application has been signed, the signature of an application bundle can be validated by calling:

    codesign -vvvv

    Where is the application bundle you wish to validate. The folder will fail to validate if any of these cases occur (there may be other cases not listed here):

    • If any files that were included in the signature have been removed or modified
    • If any files have been added to a folder that should have all files signed

    The CodeResources file

    This file is located in your application's bundle at Contents/_CodeSignature/CodeResources. If you don't provide one, codesign will automatically generate it. However, to modify Apple's automatic signing process (for example, to exclude a file or folder), you'll need to provide this file.. Once the application bundle is signed, this file will contain the hashes/checksums of all files that are included in the signature. If any file is subsequently changed, the folder will no longer validate.

    The CodeResources file used to sign official Firefox and Thunderbird builds is available in mozilla-central. For more details on using the CodeResources file, refer to the Code Resources section on Erick Dransch's blog post about code signing.

    See also

    Some good resources for code signing for Mac OS X are available at:

    Document Tags and Contributors

    Contributors to this page: kscarfone, Bhearsum, Sheppy
    Last updated by: Sheppy,