« Two weeks left for ea… | Home | MBS Xojo Plugins, ver… »

Code Signing FileMaker 17 Runtimes

This week I prepared a new code singing script for runtimes made with FileMaker 17.

A few things changed in the runtimes with a new Cloud framework, addition of the swift libraries and removal of OmniORB4 framework.

If you distribute your runtimes, you need to sign the app and the disk image for Gate Keeper. If your runtime is not signed, the Finder will ask the user when launching the application after download to delete the app! Or you may get a message that the database is not found. To avoid users get confused or not use the runtime, we sign the runtime.

How?

Signing the runtime got harder with new requirements in Mac OS X 10.9 and the upcoming Yosemite release. We not just need to sign the actual application, but also make sure we sign all the components. For the frameworks inside the runtime, we need to fix them to give them a few standard symlinks which are missing. Without those modifications, the bundle will not sign. If you like to save a few bytes, you can delete the icon files: FM12Dict.icns, FM12Label.icns and FM12Plug.icns inside the runtime. Those are not referenced and never used.

Developer Account

In order to sign, you need to sign up for a Mac Developer Account with Apple. This costs $99 USD per year. In the Certificates, Identifiers & Profiles section, please go in Mac Apps section and there in Certificates. Create a new Developer ID certificate, follow the instructions and download the certificate file. Double click it to add it to Keychain Manager and voila, it is installed and ready to use.

Sign Script

When you edit the script in a text editor (like BBEdit or TextWranger), you can change the path to the runtime, the name of the app and the name of the certificate. Please note that this script will not work without correct values. If your file name or path contain special character, escaping may be needed. For example a space character needs to be escaped with putting a backslash character just before the space character. You can learn how to escape a path by dragging and dropping the file or folder into the window of the Terminal application. The path is inserted and you can copy & paste it.

Now when everything is setup for your runtime in the script, you can drop the script on a Terminal window and press return key to start it. You'll see a couple of messages. This may include some complains from rm command trying to delete files which are not there. Nothing to worry about, the script just makes sure everything is correct. Further you see a couple of sign message for various parts of the application. The final line should show "signed bundle with Mach-O thin" and report success for signing your runtime app.

Verification

To check if app is okay for Gate Keeper you can first verify code signature using a call to codesign with a couple of v for more details and -d to display certificate:

codesign -d -vvvv /Users/cs/Desktop/Test/test.app

Next with spctl utility you can show if app is accepted. So we run spctl utility with verbose messages and -a parameter:

spctl -a -vv /Users/cs/Desktop/Test/test.app

Please change path to your runtimes before running above commands. The output should say "accepted" and now you are lucky and can archive and upload your runtime. Good luck!
Now you can build disk image and sign it.

New script will be included with MBS Plugin.
19 05 18 - 10:35