About Authentication and Code-Signing Support for macOS or OS X–Based Installers
InstallAnywhere 2025 R1
InstallAnywhere supports signing macOS or OS X–based installers with a Developer ID Application certificate at build time. Signing an installer with this type of certificate enables you to distribute it outside the App Store. When an end user downloads and runs your installer, Gatekeeper allows the installer to run.
If an end user tries to launch an unsigned, downloaded installer on an OS X Mountain Lion or later (including macOS) system on which Gatekeeper is turned on, the system displays an alert and blocks the installer from running.
If you want your macOS or OS X–based installers and uninstallers to install files to and remove files from locations where write permissions are restricted for standard users, you can configure your project to require authentication. When authentication is required and standard users who are not root users or administrative users with adequate privileges try to launch your installer or uninstaller, they are prompted to enter an administrator name and password in order to proceed.
If your installer and uninstaller install files to and remove files from unrestricted locations such as the user’s home directory, authentication is not required on macOS or OS X–based target systems.
Note that in order to require authentication for macOS or OS X–based installers and uninstallers, they must be code signed.
Run-Time Behavior for a Code-Signed Installer that Includes Authentication Support
An installer that includes authentication support consists of the following primary files:
• An authentication wrapper
• A helper tool, the file that is used to launch the installer or uninstaller with elevated privileges
• The installer application, that is, the Java installer
• Optionally, the uninstaller application. Note that InstallAnywhere generates the uninstaller and bundles it into the installer at build time.
The authentication wrapper, helper tool, installer, and uninstaller must all be code signed with the same Developer ID Application certificate.
At run time on target systems, the following process occurs for a properly code-signed installer or uninstaller that includes authentication support:
1. The end user launches the authentication wrapper on a macOS or OS X–based system.
2. The authentication wrapper prompts for elevation (if needed for a standard user) and installs the helper tool with root privileges.
3. The authentication wrapper requests that the helper tool launch the LaunchAnywhere.
4. The helper tool launches the LaunchAnywhere, which inherits the elevated privileges from the helper tool.
5. The LaunchAnywhere launches the installer or uninstaller, which inherits the elevated privileges.
At the end of the installation or uninstallation, the authentication wrapper shuts down the helper tool and uninstalls it. If any part of the process is not signed with a matching Developer ID Application certificate, the process fails.
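The following added example (not InstallAnywhere's own tooling) checks the requirement above before release: it reads the report printed by `codesign -dvv` for each component and confirms that all of them name the same Developer ID Application leaf authority. The function names and the sample reports are constructed for illustration, component paths are supplied by you as arguments, and comparing the authority name is a quick consistency check rather than a certificate-level comparison.

```sh
#!/bin/sh
# Added example: confirm every component reports the same signing identity.

# Print the leaf (first) Authority= value from a `codesign -dvv` report on stdin.
leaf_authority() {
    awk '/^Authority=/ && !n++ { sub(/^Authority=/, ""); print }'
}

# Real report for one path; codesign writes it to stderr.
describe() { codesign -dvv "$1" 2>&1; }

# Constructed sample reports (not real certificates), keyed by a fake path.
sample_describe() {
    case $1 in
        *unsigned*) echo "$1: code object is not signed at all"; return 1 ;;
        *other*)    who='Other Vendor (ZZZZZ99999)' ;;
        *)          who='Example Corp (ABCDE12345)' ;;
    esac
    printf '%s\n' "Executable=$1" \
        "Authority=Developer ID Application: $who" \
        "Authority=Developer ID Certification Authority" \
        "Authority=Apple Root CA"
}

# check_same_signer DESCRIBE_CMD PATH...
# Succeeds, printing the shared authority, only if every path has a
# Developer ID Application leaf authority and all of them are identical.
check_same_signer() {
    cmd=$1; shift
    expected=
    for p in "$@"; do
        leaf=$("$cmd" "$p" | leaf_authority)
        case $leaf in
            "Developer ID Application: "*) ;;
            *) echo "FAIL $p: leaf authority is '${leaf:-none}'" >&2; return 1 ;;
        esac
        if [ -z "$expected" ]; then
            expected=$leaf
        elif [ "$leaf" != "$expected" ]; then
            echo "FAIL $p: signed by '$leaf', expected '$expected'" >&2
            return 1
        fi
    done
    echo "$expected"
}

# On a Mac, pass the wrapper, helper tool, installer and uninstaller paths.
[ "$#" -eq 0 ] || check_same_signer describe "$@"
```

A component that is unsigned, ad hoc signed, or signed by a different identity makes the check fail, which matches the run-time failure described above.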
Overview of the Process of Code Signing Installers and Including Authentication Support
Preparing Your Machines
The following steps outline the process of preparing your machines to build and code sign installers with authentication support.
1. Determine whether you will be performing the code-signing step at build time on your InstallAnywhere build machine, or on a designated code-signing machine. To learn more, see Code-Signing Methods for macOS or OS X–Based Installers.
2. Ensure that your build and code-signing machines meet the requirements for code-signing support. To learn more, see Requirements for Code-Signing Support for macOS or OS X–Based Installers.
3. If you have not already done so, obtain your Developer ID Application certificate. To learn more, see Obtaining a Developer ID Application Certificate for Code Signing macOS or OS X–Based Installers.
4. Prepare your code-signing machine. This involves importing your Developer ID Application certificate, ensuring that the latest Xcode IDE and its default SDKs are present, building and code signing the helper tool, verifying the code-signed helper tool, and copying the code-signed helper to all of your InstallAnywhere build machines. To learn more, see Adding the Code-Signing Capability to Your InstallAnywhere Build Machines or Code-Signing Machines.
Configuring Your InstallAnywhere Projects
Once you have completed the preparation steps above, perform the following steps to generate code-signed installers with authentication support:
1. Configure your projects for code signing and authentication. To learn more, see Code Signing Your macOS or OS X–Based Installers and Including Authentication Support.
2. Verify that the resulting installers were successfully code signed. To learn more, see Verifying that Your Code-Signing Output Files Are Working as Expected on macOS or OS X–Based Target Systems.
See Also
Requirements for Code-Signing Support for macOS or OS X–Based Installers