Signing Mozilla apps for Mac OS X

  • Revision slug: Mozilla/Signing_Mozilla_apps_for_Mac_OS_X
  • Revision title: Signing Mozilla apps for Mac OS X
  • Revision id: 237083
  • Created:
  • Creator: Bhearsum
  • Is current revision? No
  • Comment 2 words added, 2 words removed

Revision Content

Signing Mozilla Apps Without the Signing Server

Firefox and Thunderbird are built using Mozilla's Release Automation infrastructure. On Mac OSX, part of this infrastructure is automatic signing of the '.app' folder using Apple's codesign tool. For projects that don't use Mozilla's Release Automation and would like to prepare for the release of OS 10.8 Mountain Lion, this guide should provide some insight into how to make sure applications are signed correctly using Apple's codesign tool. Apple's Code Signing Guide, available here http://developer.apple.com/library/m...roduction.html is also a good resource on the subject.

Getting a Signing Certificate

Testing and Debugging

For test and debug purposes, the easiest way to get a signing certificate is to use Apple's Keychain to create one. There are good instructions available at http://developer.apple.com/library/m...rocedures.html under "To use the Certificate Assistant to Create a self-signed signing identity".

Official Signing Certificate (Developer ID)

Creating a Developer ID requires a paid Apple Developer Account. Once you have that you can do the following to create your ID: # Open [https://developer.apple.com/certific...on#maccertlist the Developer Certificate Utility] # Click "Certificates" from the left hand menu # Click "Create a Certificate" from the top right corner # Select the "Developer ID" radio button and uncheck the "Developer ID Installer Certificate" box. # Click "Create" and follow the instructions in the wizard. It will guide you through creating a private key, certificate signing request, and importing your new Developer ID into Keychain Access. If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.

The Codesign Tool

Apple provides a tool called 'codesign' this command line application that's used to add a signature to a '.app' directory. The man page for codesign is available at https://developer.apple.com/library/...odesign.1.html . The main options of note are as follows:

  • -s your-signing-identity : This option lets you specify the signing certificate that you would like to use to sign the application. Use the name of the certificate.
  • --keychain /path/to/keychain : This option lets you specify which keychain contains the signing certificate above. Use the full path to the keychain: Usually it's something like /Users/username/Library/Keychains/keychain-name.keychain
  • --resource-rules /path/to/coderesources : This option specifies a file to be used to generate the rules which will be applied to the signing. When signing Mozilla applications, using a custom CodeResources file will be necessary. More information about the CodeResources follows below.
  • -f : Force codesign to overwrite an existing signature on the application
  • -v : Get a little bit of verbosity
  • --requirement 'designated requirement' : Add additional requirements for verifying signature & application metadata.
    • identifier : This must be the same as the CFBundleIdentifier in your application's Info.plist
    • leaf[subject.OU] : This is the subject ou of your Developer ID. You can find it by running the following command:
      openssl x509 -text -noout -inform DER -in devloperID_application.cer | grep Subject | grep "Developer ID"
      

This is the command that you'll probably want to use (with modifications to specify the correct signing ID, keychain, .app folder, and requirments):

codesign -s Mac-Testing -fv \
         --keychain /Users/user/Library/Keychains/MyKeychain.keychain \
         --resource-rules ./Application.app/Contents/_CodeSignature/CodeResources \
         --requirements '=designated =>  identifier "org.you.yourapp" and ( (anchor apple generic and    certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and    certificate 1[field.1.2.840.113635.100.6.2.6]  and    certificate leaf[field.1.2.840.113635.100.6.1.13] and    certificate leaf[subject.OU] = "43AQ936H96"))'
         Application.app

Depending on the keychain preferences, the codesign command may display a popup asking for the password for the specified keychain. Once the application has been signed, the signature of a .app folder can be validated by calling

codesign -vvvv Application.app

Where 'Application.app' is the .app folder you wish to validate. The folder will fail to validate if any of these cases occur (there may be other cases not listed here):

  • If any files that were included in the signature have been removed or modified
  • If any files have been added to a folder that should have all files signed, the folder will not validate

The CodeResources File

This file is located in x.app/Contents/_CodeSignature/CodeResources . If the file is not specified, codesign will automatically generate it. However, to modify Apple's automatic signing process (for example, to exclude a file or folder) this file will need to be used. Once the .app folder is signed, this file will contain the hashes/checksums of all files that are included in the signature. If any file is subsequently changed, the folder will no longer validate. The CodeResources file used to sign Official Firefox and Thunderbird builds is available in mozilla-central (see http://mxr.mozilla.org/mozilla-centr.../CodeResources ). For more detail on using the CodeResources file, refer to the Code Resources section here: http://www.erickdransch.com/blog/201...ng-mac-builds/

More Information

Some good resources for code signing for OSX are available at:

Revision Source

<h2 id="Signing_Mozilla_Apps_Without_the_Signing_Server">Signing Mozilla Apps Without the Signing Server</h2>
<p>Firefox and Thunderbird are built using Mozilla's Release Automation infrastructure. On Mac OSX, part of this infrastructure is automatic signing of the '.app' folder using Apple's codesign tool. For projects that don't use Mozilla's Release Automation and would like to prepare for the release of OS 10.8 Mountain Lion, this guide should provide some insight into how to make sure applications are signed correctly using Apple's codesign tool. Apple's Code Signing Guide, available here <a class=" external" href="http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html" rel="freelink">http://developer.apple.com/library/m...roduction.html</a> is also a good resource on the subject.</p>
<h2 id="Getting_a_Signing_Certificate">Getting a Signing Certificate</h2>
<h3 id="Testing_and_Debugging">Testing and Debugging</h3>
<p>For test and debug purposes, the easiest way to get a signing certificate is to use Apple's Keychain to create one. There are good instructions available at <a class=" external" href="http://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html" rel="freelink">http://developer.apple.com/library/m...rocedures.html</a> under "To use the Certificate Assistant to Create a self-signed signing identity".</p>
<h3 id="Official_Signing_Certificate_(Developer_ID)">Official Signing Certificate (Developer ID)</h3>
<p>Creating a Developer ID requires a paid Apple Developer Account. Once you have that you can do the following to create your ID: # Open [<a class=" link-https" href="https://developer.apple.com/certificates/index.action#maccertlist" rel="freelink">https://developer.apple.com/certific...on#maccertlist</a> the Developer Certificate Utility] # Click "Certificates" from the left hand menu # Click "Create a Certificate" from the top right corner # Select the "Developer ID" radio button and uncheck the "Developer ID Installer Certificate" box. # Click "Create" and follow the instructions in the wizard. It will guide you through creating a private key, certificate signing request, and importing your new Developer ID into Keychain Access. If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs. Contact the person who created your group Apple Developer Account if you get stuck here.</p>
<h2 id="The_Codesign_Tool">The Codesign Tool</h2>
<p>Apple provides a tool called 'codesign' this command line application that's used to add a signature to a '.app' directory. The man page for codesign is available at <a class=" link-https" href="https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man1/codesign.1.html" rel="freelink">https://developer.apple.com/library/...odesign.1.html</a> . The main options of note are as follows:</p>
<ul> <li><strong>-s your-signing-identity :</strong> This option lets you specify the signing certificate that you would like to use to sign the application. Use the name of the certificate.</li> <li><strong>--keychain /path/to/keychain :</strong> This option lets you specify which keychain contains the signing certificate above. Use the full path to the keychain: Usually it's something like /Users/username/Library/Keychains/keychain-name.keychain</li> <li><strong>--resource-rules /path/to/coderesources :</strong> This option specifies a file to be used to generate the rules which will be applied to the signing. When signing Mozilla applications, using a custom CodeResources file will be necessary. More information about the CodeResources follows below.</li> <li><strong>-f :</strong> Force codesign to overwrite an existing signature on the application</li> <li><strong>-v :</strong> Get a little bit of verbosity</li> <li><strong>--requirement 'designated requirement' : </strong>Add additional requirements for verifying signature &amp; application metadata. <ul> <li><strong>identifier : </strong>This must be the same as the CFBundleIdentifier in your application's Info.plist</li> <li><strong>leaf[subject.OU] : </strong>This is the subject ou of your Developer ID. You can find it by running the following command: <pre>openssl x509 -text -noout -inform DER -in devloperID_application.cer | grep Subject | grep "Developer ID"
</pre> </li> </ul> </li>
</ul>
<p>This is the command that you'll probably want to use (with modifications to specify the correct signing ID, keychain, .app folder, and requirments):</p>
<pre>codesign -s Mac-Testing -fv \
         --keychain /Users/user/Library/Keychains/MyKeychain.keychain \
         --resource-rules ./Application.app/Contents/_CodeSignature/CodeResources \
         --requirements '=designated =&gt;  identifier "org.you.yourapp" and ( (anchor apple generic and    certificate leaf[field.1.2.840.113635.100.6.1.9] ) or (anchor apple generic and    certificate 1[field.1.2.840.113635.100.6.2.6]  and    certificate leaf[field.1.2.840.113635.100.6.1.13] and    certificate leaf[subject.OU] = "43AQ936H96"))'
         Application.app
</pre>
<p>Depending on the keychain preferences, the codesign command may display a popup asking for the password for the specified keychain. Once the application has been signed, the signature of a .app folder can be validated by calling</p>
<pre>codesign -vvvv Application.app
</pre>
<p>Where 'Application.app' is the .app folder you wish to validate. The folder will fail to validate if any of these cases occur (there may be other cases not listed here):</p>
<ul> <li>If any files that were included in the signature have been removed or modified</li> <li>If any files have been added to a folder that should have all files signed, the folder will not validate</li>
</ul>
<h2 id="The_CodeResources_File">The CodeResources File</h2>
<p>This file is located in x.app/Contents/_CodeSignature/CodeResources . If the file is not specified, codesign will automatically generate it. However, to modify Apple's automatic signing process (for example, to exclude a file or folder) this file will need to be used. Once the .app folder is signed, this file will contain the hashes/checksums of all files that are included in the signature. If any file is subsequently changed, the folder will no longer validate. The CodeResources file used to sign Official Firefox and Thunderbird builds is available in mozilla-central (see <a class=" external" href="http://mxr.mozilla.org/mozilla-central/source/browser/app/macbuild/Contents/_CodeSignature/CodeResources" rel="freelink">http://mxr.mozilla.org/mozilla-centr.../CodeResources</a> ). For more detail on using the CodeResources file, refer to the Code Resources section here: <a class=" external" href="http://www.erickdransch.com/blog/2012/02/signing-mac-builds/" rel="freelink">http://www.erickdransch.com/blog/201...ng-mac-builds/</a></p>
<h2 id="More_Information">More Information</h2>
<p>Some good resources for code signing for OSX are available at:</p>
<ul> <li><a class=" link-https" href="https://developer.apple.com/library/mac/#documentation/Darwin/Reference/Manpages/man1/codesign.1.html" rel="freelink">https://developer.apple.com/library/...odesign.1.html</a></li> <li><a class=" link-https" href="https://developer.apple.com/library/mac/#documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html#//apple_ref/doc/uid/TP40005929-CH3-SW3" rel="freelink">https://developer.apple.com/library/...005929-CH3-SW3</a></li> <li><a class=" external" href="http://developer.apple.com/library/mac/#documentation/ToolsLanguages/Conceptual/OSXWorkflowGuide/CodeSigning/CodeSigning.html#//apple_ref/doc/uid/TP40011201-CH7-SW1" rel="freelink">http://developer.apple.com/library/m...011201-CH7-SW1</a></li> <li>Ping erick, bhearsum, or smichaud on IRC for more information</li>
</ul>
Revert to this revision