Signing Mozilla Apps Without the Signing Server
Firefox and Thunderbird are built using Mozilla's Release Automation infrastructure. On Mac OS X, part of this infrastructure is automatic signing of the '.app' folder using Apple's codesign tool. For projects that don't use Mozilla's Release Automation and would like to prepare for the release of OS 10.8 Mountain Lion, this guide should provide some insight into how to make sure applications are signed correctly using Apple's codesign tool. Apple's Code Signing Guide, available here http://developer.apple.com/library/m...roduction.html is also a good resource on the subject.
Getting a Signing Certificate
Testing and Debugging
For test and debug purposes, the easiest way to get a signing certificate is to use Apple's Keychain to create one. There are good instructions available at http://developer.apple.com/library/m...rocedures.html under "To use the Certificate Assistant to Create a self-signed signing identity".
Official Signing Certificate (Developer ID)
Creating a Developer ID requires a paid Apple Developer Account. Once you have that you can do the following to create your ID: # Open [https://developer.apple.com/certific...on#maccertlist the Developer Certificate Utility] # Click "Certificates" from the left hand menu # Click "Create a Certificate" from the top right corner # Select the "Developer ID" radio button and uncheck the "Developer ID Installer Certificate" box. # Click "Create" and follow the instructions in the wizard. It will guide you through creating a private key, certificate signing request, and importing your new Developer ID into Keychain Access. If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.
The Codesign Tool
Apple provides a tool called 'codesign'; this command line application is used to add a signature to a '.app' directory. The man page for codesign is available at https://developer.apple.com/library/...odesign.1.html. The main options of note are as follows:
- -s your-signing-identity : This option lets you specify the signing certificate that you would like to use to sign the application. Use the name of the certificate.
- --keychain /path/to/keychain : This option lets you specify which keychain contains the signing certificate above. Use the full path to the keychain: usually it's something like /Users/username/Library/Keychains/keychain-name.keychain.
- --resource-rules /path/to/coderesources : This option specifies a file to be used to generate the rules which will be applied to the signing. When signing Mozilla applications, using a custom CodeResources file will be necessary. More information about the CodeResources follows below.
- -f : Force codesign to overwrite an existing signature on the application.
- -v : Get a little bit of verbosity.
- --requirement 'designated requirement' : Add additional requirements for verifying signature & application metadata.
- identifier : This must be the same as the CFBundleIdentifier in your application's Info.plist.
- leaf[subject.OU] : This is the subject ou of your Developer ID. You can find it by running the following command:
openssl x509 -text -noout -inform DER -in devloperID_application.cer | grep Subject | grep "Developer ID"
This is the command that you'll probably want to use (with modifications to specify the correct signing ID, keychain, .app folder, and requirements):
codesign -s Mac-Testing -fv \ --keychain /Users/user/Library/Keychains/MyKeychain.keychain \ --resource-rules ./Application.app/Contents/_CodeSignature/CodeResources \ --requirements '=designated => identifier "org.you.yourapp" and ( (anchor apple generic and certificate leaf[field.1.2.840.1136220.127.116.11.9] ) or (anchor apple generic and certificate 1[field.1.2.840.113618.104.22.168.6] and certificate leaf[field.1.2.840.113622.214.171.124.13] and certificate leaf[subject.OU] = "43AQ936H96"))' Application.app
Depending on the keychain preferences, the codesign command may display a popup asking for the password for the specified keychain. Once the application has been signed, the signature of a .app folder can be validated by calling:
codesign -vvvv Application.app
Where 'Application.app' is the .app folder you wish to validate. The folder will fail to validate if any of these cases occur (there may be other cases not listed here):
- If any files that were included in the signature have been removed or modified
- If any files have been added to a folder that should have all files signed
The CodeResources File
This file is located in x.app/Contents/_CodeSignature/CodeResources. If the file is not specified, codesign will automatically generate it. However, to modify Apple's automatic signing process (for example, to exclude a file or folder) this file will need to be used. Once the .app folder is signed, this file will contain the hashes/checksums of all files that are included in the signature. If any file is subsequently changed, the folder will no longer validate. The CodeResources file used to sign Official Firefox and Thunderbird builds is available in mozilla-central (see http://mxr.mozilla.org/mozilla-centr.../CodeResources ). For more details on using the CodeResources file, refer to the Code Resources section here: http://www.erickdransch.com/blog/201...ng-mac-builds/.
Some good resources for code signing for OSX are available at:
- Ping erick, bhearsum, or smichaud on IRC for more information