I have a Windows application that can run on OS X under Wine. For convenience I want to pack the application as an OS X app (ZIP archive of an `xxx.app` folder based on WineBottler).
Note that the main executable of the app (as defined by the `CFBundleExecutable` tag of `Info.plist`) is a shell script, not a binary.
I want to sign the application to pass through OS X Gatekeeper. As my complete build process runs on Windows (and as I actually do not have a Mac at all), I need to sign it on Windows.
I already found that signing the app creates a `_CodeSignature` folder with four files:
- `CodeDirectory`
- `CodeRequirements`
- `CodeResources`
- `CodeSignature`
I have not found any specification describing the contents of these files.
Experimentally, I've found that `CodeResources` is an XML file with SHA-1 hashes of all files in the app. I can generate that.
The contents of the `CodeRequirements` binary file seem to be fixed. They do not seem to change with the contents of the app. Confirmation is appreciated. What is this file good for?
As for the binary files `CodeDirectory` and `CodeSignature`, I have no clue. Both files change with app contents. It seems that any app file change (including a plain-text license file) affects them.
The `CodeSignature` obviously contains the signature. I can see plain-text information about the code signing certificate in the file. Is there any tool that can generate the file? As it is a signature, it should be pretty standard, though there can be some additional binary metadata that makes generation more difficult. Does anyone know what it specifically signs? I can imagine that it signs only the `CodeResources` file, as that describes all other files in the app. Or does it actually sign all the files in the app recursively?
Native OS X apps have `CodeResources` only. So there's actually no signature in `_CodeSignature`. I suppose it's because they have an embedded signature in the main executable binary. Note that my [Windows] binary (though it's not directly referred to by `Info.plist`, as mentioned above) is code-signed using Windows `signtool.exe`. Apparently OS X recognizes the signature even without the reference, as the `codesign -d -vvv xxx.app` output includes information about the certificate:
```
Executable=/Applications/WinSCP.app/Contents/MacOS/startwine
Identifier=WinSCP
Format=bundle with generic
CodeDirectory v=20100 size=135 flags=0x0(none) hashes=1+3 location=embedded
Hash type=sha1 size=20
CDHash=a1ef4f04b2c1b4b793788ce3ab9d7881528f3d95
Signature size=4867
Authority=Martin Prikryl
Authority=VeriSign Class 3 Code Signing 2010 CA
Authority=VeriSign Class 3 Public Primary Certification Authority - G5
Signed Time=23.4.2014 23:51:18
Info.plist entries=14
Sealed Resources version=2 rules=12 files=846
Internal requirements count=2 size=136
```
Confusingly, it does not mention the binary name at all. Anyway, it does not make Gatekeeper happy. Note that the above test is run against an app that already includes the `CodeResources` file (that's probably what the `Sealed Resources version` refers to, as the `rules` and `files` counts match the file contents).
`CodeRequirements` is not part of the signature as such, and that I should be looking mainly at `CodeDirectory` and `CodeSignature`. Unfortunately there's no description of their structure.
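The resource seal the question describes (an XML plist of per-file hashes, written over the bundle's `Contents/` tree and reported as `Sealed Resources version=2`) can be built and re-checked without any Apple tooling. The following is an added example, not code from the asker; it assumes a simplified version-2 layout with `files` (SHA-1), `files2` (SHA-1 plus SHA-256) and a cut-down `rules`/`rules2` set, and the `Info.plist`/`_CodeSignature` exclusions are likewise an assumption about what `codesign` leaves out of the seal. The verify step is the useful part for a defender: it shows that editing even a plain-text license file invalidates the seal.

```python
import hashlib
import os
import plistlib
import tempfile

# Assumed, simplified subset of the rule patterns codesign writes for a
# version-2 seal; a real CodeResources carries more patterns and weights.
RULES = {"^Resources/": True}
RULES2 = {"^Resources/": True, "^Info\\.plist$": {"omit": True, "weight": 20}}

def _digest(path, algo):
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).digest()

def build_code_resources(contents_dir):
    """Hash every file under Contents/ into 'files' (SHA-1) and 'files2' (SHA-1 + SHA-256)."""
    files, files2 = {}, {}
    for root, _, names in os.walk(contents_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, contents_dir).replace(os.sep, "/")
            if rel == "Info.plist" or rel.startswith("_CodeSignature/"):
                continue  # assumption: sealed elsewhere, or is the seal itself
            sha1, sha256 = _digest(full, "sha1"), _digest(full, "sha256")
            files[rel] = sha1
            files2[rel] = {"hash": sha1, "hash2": sha256}
    return {"files": files, "files2": files2, "rules": RULES, "rules2": RULES2}

def verify_code_resources(contents_dir, seal_xml):
    """Re-hash the tree; return paths whose SHA-256 changed, went missing, or were never sealed."""
    sealed = plistlib.loads(seal_xml)["files2"]
    current = build_code_resources(contents_dir)["files2"]
    bad = [p for p in sealed if p not in current or current[p]["hash2"] != sealed[p]["hash2"]]
    return sorted(bad + [p for p in current if p not in sealed])

def demo():
    """Constructed mini bundle: seal it, verify, then edit the license file and verify again."""
    sample = {"Info.plist": "<plist/>",
              "MacOS/startwine": "#!/bin/sh\nexec wine app.exe\n",
              "Resources/license.txt": "License v1\n"}
    with tempfile.TemporaryDirectory() as d:
        for rel, text in sample.items():
            os.makedirs(os.path.dirname(os.path.join(d, rel)), exist_ok=True)
            with open(os.path.join(d, rel), "w") as f:
                f.write(text)
        seal_xml = plistlib.dumps(build_code_resources(d))  # XML plist, hashes as <data>
        clean = verify_code_resources(d, seal_xml)
        with open(os.path.join(d, "Resources", "license.txt"), "a") as f:
            f.write("edited\n")
        return clean, verify_code_resources(d, seal_xml)  # ([], ['Resources/license.txt'])
```

The seal alone proves nothing about who produced it; it only becomes trustworthy once its own hash is covered by the signed `CodeDirectory`, which is exactly the part the question still lacks.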