Code Signing Your OS or OS X–Based Installers and Including Authentication Support
InstallAnywhere 2021
The process of code signing your authentication wrappers, your installers, and (if applicable) your uninstallers varies, depending on whether you are performing the code-signing step at build time on the InstallAnywhere build machine or on a separate designated code-signing machine.
Caution: Before you can code sign your installer, you must ensure that your helper tool is code signed and available on your InstallAnywhere build machine. In addition, your Developer ID Application certificate must be in Keychain Access on your code-signing machine. For more information, see Adding the Code-Signing Capability to Your InstallAnywhere Build Machines or Code-Signing Machines.
Option 1: Code Signing the Authentication Wrapper, Installer, and Uninstaller as Part of the Build Process on the InstallAnywhere Build Machine
Once you have added the code-signing capability to one of your InstallAnywhere build machines, you can use that machine to build authenticated installers for OS or OS X–based target systems.
To configure your InstallAnywhere project to code sign your build output and include authentication support:
1. In the Advanced Designer, on the Project page, click Platforms. The Platforms view opens.
2. In the OS X area, in the Code Signing setting, select the Code Sign the Generated Installer check box.
3. Specify the location and password of the certificate. The use of build-time variables for the certificate location and password is highly recommended for security purposes.
   a. For the PKCS #12 File setting, specify the fully qualified path for your PKCS #12 file (.p12).
   b. In the Keystore Password setting, specify the certificate’s password.
   Note: The certificate that you specify must be the same Developer ID Application certificate that was used to add the code-signing capability to your machines, as described in Adding the Code-Signing Capability to Your InstallAnywhere Build Machines or Code-Signing Machines.
4. Under the Authentication category, in the Requires an Administrator Name and Password to Install setting, select Yes.
5. Optionally change the value of the Always Show GUI setting.
When you build OS or OS X–based installers, they are code signed and include authentication support. Monitor the stderr and stdout streams for any code-signing errors that occur at build time. The code-sign command should not exit with a non-zero exit code.
Before you release these installers, test them and verify that they are properly built. To learn how, see Verifying that Your Code-Signing Output Files Are Working as Expected on OS or OS X–Based Target Systems.
Option 2: Building an Installer with Authentication Support on the InstallAnywhere Build Machine and then Code Signing the Authentication Wrapper and Installer on a Designated Code-Signing Machine
Once you have added your verified, signed helper tool to an InstallAnywhere build machine and prepared your separate designated code-signing machine, you can build and code sign authenticated installers for OS or OS X–based target systems.
To configure your InstallAnywhere project to include authentication support in your OS or OS X–based installers:
1. In the Advanced Designer, on the Project page, click Platforms. The Platforms view opens.
2. In the OS X area, under the Authentication category, in the Requires an Administrator Name and Password to Install setting, select Yes.
3. Optionally change the value of the Always Show GUI setting.
4. In the Code Signing setting, ensure that the Code Sign the Generated Installer check box is cleared.
When you build OS or OS X–based installers, they include authentication support and are ready to be code signed on your designated code-signing machine.
To code sign the authentication wrapper and the installer on a separate code-signing machine:
1. Customize the two information property list files (one for the installer and one for the authentication wrapper) in the build output so that they include the user ID from your Developer ID Application certificate:
   a. Extract the install.zip file to a folder on your code-signing machine.
   b. Grant write-execute permission to the extracted application so that you can edit values in its Info.plist files. The following command demonstrates this:
      chmod -R 755 <absolute path of install.app>
   c. Find the installer’s Info.plist file in the install.app/Contents/Resources/install.app/Contents folder, and open it in an editor.
   d. Under the SMAuthorizedClients key, replace the XXXXXXXXXX string with the user ID from your Developer ID Application certificate. This ID is displayed in the User ID field when you select your certificate in the Keychain Access utility.
   e. Find the authentication wrapper’s Info.plist file in the install.app/Contents folder, and open it in an editor.
   f. Under the SMPrivilegedExecutables key, replace the XXXXXXXXXX string with the user ID from your Developer ID Application certificate. This ID is displayed in the User ID field when you select your certificate in the Keychain Access utility.
2. Code sign and check the installer (which is in a subfolder of the authentication wrapper; that is, the install.app/Contents/Resources/install.app folder):
   a. Use the following command line to code sign the installer:
      codesign --force --deep --timestamp=none --sign <CERTIFICATE_ID> <install.app absolute path>/Contents/Resources/install.app
      where <CERTIFICATE_ID> is the value without the Developer ID Application: string that is displayed in the Common Name field when you select your certificate in the Keychain Access utility. That is, if the Common Name field displays Developer ID Application: ABC Software Inc, use a certificate ID of ABC Software Inc in your command line.
3. Code sign and check the authentication wrapper (that is, the top-level install.app folder):
   a. Use the following command line to code sign the authentication wrapper:
      codesign --force --deep --timestamp=none --sign <CERTIFICATE_ID> <install.app absolute path>
      where <CERTIFICATE_ID> is the value without the Developer ID Application: string that is displayed in the Common Name field when you select your certificate in the Keychain Access utility. That is, if the Common Name field displays Developer ID Application: ABC Software Inc, use a certificate ID of ABC Software Inc in your command line.
4. Compress the top-level install.app folder back into an install.zip file.
The resulting install.app file includes authentication support for the installer. Note that the only way to remove a product whose installer was code signed using this method is to drag it to the Trash.
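The Option 2 signing steps above, collected into one script as an added example (not InstallAnywhere code). It assumes the archive unpacks to install.app as described, uses unzip and ditto for extraction and re-compression, and adds a codesign --verify pass as the check for each bundle; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Usage: sh sign_installer.sh <install.zip> <USER_ID> <CERTIFICATE_ID>
PLACEHOLDER='XXXXXXXXXX'   # placeholder string named on this page

# Replace the placeholder in one Info.plist. Fails if the ID is malformed or
# the placeholder is absent, so a bundle is never signed with an unedited plist.
set_user_id() {
    plist=$1; user_id=$2
    case $user_id in
        ''|*[!A-Za-z0-9]*) echo "unexpected user ID: $user_id" >&2; return 1 ;;
    esac
    grep -q "$PLACEHOLDER" "$plist" || {
        echo "placeholder not found in $plist" >&2; return 1; }
    sed "s/$PLACEHOLDER/$user_id/g" "$plist" > "$plist.tmp" &&
        mv "$plist.tmp" "$plist"
}

# Sign one bundle with the page's codesign options, then verify the result.
# The --verify pass is an assumption about what "check" means here.
sign_and_check() {
    bundle=$1; cert_id=$2
    codesign --force --deep --timestamp=none --sign "$cert_id" "$bundle" &&
        codesign --verify --deep --strict --verbose=2 "$bundle"
}

main() {
    zip=$1; user_id=$2; cert_id=$3
    work=$(mktemp -d) || return 1
    unzip -q "$zip" -d "$work" || return 1
    app="$work/install.app"
    inner="$app/Contents/Resources/install.app"
    chmod -R 755 "$app" || return 1
    # Step 1: installer plist (SMAuthorizedClients), wrapper plist (SMPrivilegedExecutables)
    set_user_id "$inner/Contents/Info.plist" "$user_id" || return 1
    set_user_id "$app/Contents/Info.plist" "$user_id" || return 1
    # Steps 2 and 3: inner installer first, then the top-level wrapper
    sign_and_check "$inner" "$cert_id" || return 1
    sign_and_check "$app" "$cert_id" || return 1
    # Step 4: re-compress the top-level bundle
    (cd "$work" && ditto -c -k --keepParent install.app install.zip) || return 1
    echo "signed archive: $work/install.zip"
}

# Run only when all three arguments are supplied.
if [ "$#" -eq 3 ]; then main "$@"; fi
```

Any non-zero exit from the script means a step failed and the resulting archive should not be released.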
See Also
Requirements for Code-Signing Support for OS or OS X–Based Installers
Troubleshooting Tips for Code-Signing and Authentication Support for OS or OS X–Based Target Systems