21

I have a dmg file in my portal. After downloading it, when I try to open it, it shows a message indicating that opening the package is insecure. I am able to add a code signature through the command line using the codesign command and am also able to check whether it has been added or not. But still, when I click to open my dmg file, the insecure message is coming.

MacDeveloper

3 Answers

22

As of macOS 10.11.5 you can now sign disk images, .dmg, files using the codesign tool:

codesign -s <identity> --keychain <full-path-to-keychain> <path-to-disk-image>

Graham Miln
  • What is meant by ? Could you give an example? Thanks. – Jordan McQueen Dec 29 '16 at 21:20
  • 1
    The `full path` is an absolute file path beginning with a `/`. – Graham Miln Jan 12 '17 at 06:40
  • 2
    Usually it is your login keychain: `"/Users/username/Library/Keychains/login.keychain"` – Daniel Sep 08 '17 at 08:10
  • 1
    Note: this won't sign the contents of the dmg, so if you had an installer .app inside the dmg and signed the dmg, after mounting the image, Gatekeeper would still reject the .app inside it. – Asu Apr 29 '18 at 13:59
  • One thing that hasn't been mentioned: if you attempt to sign a disk image with codesign, it will fail because the .dmg file contains extended attributes (even a blank .dmg file contains at least Finder information). You will get the error message "resource fork, Finder information, or similar detritus not allowed". You need to use the command xattr -cr before signing. – Jim Merkel Jun 02 '18 at 03:19
  • @JimMerkel Thank you, that is interesting and useful. I have not experienced this problem. Do you think this a behaviour specific to a particular version of macOS? – Graham Miln Jun 02 '18 at 09:05
  • I'm using macOS 10.13.4. I think this problem started at 10.12. – Jim Merkel Jun 02 '18 at 16:06
  • One more thing to add -- if you make the `.dmg` read-only, you can then sign it without first doing: `xattr -cr `. Interesting. – Jim Merkel Jun 03 '18 at 18:44
16

There are 3 ways to do this. In the terminal on OS X 10.11.5 or newer (note: you can code sign DMGs on earlier OS versions, however Sierra only likes them from 10.11.5 or newer):

codesign --force --sign "Developer ID Application: <identityIdentifier>" <pathToDMG>

Verification is done via (requires macOS Sierra).

spctl -a -t open --context context:primary-signature -v <pathToDMG>

Araelium have updated DMG Canvas (v2.3), so it will code sign DMGs when it builds.

DropDMG has been updated to code sign DMG image files too (v3.4).

There's also (a tool I developed) called App Wrapper (3.6), which can code sign DMG files.

Sam Rowlands
    When doing this, `codesign` seems to succeed but `spctl` always shows me “rejected”. However, I’m using a self-signed key: When trying to use the Apple Developer ID Application certificate, I always get the `codesign` error “no identity found”. I’m confident that the identity is correct, and the certificate is imported into my login keychain (however, it’s not expandable: this looks as if no key is associated with it; might this be related?). – Konrad Rudolph Dec 12 '18 at 18:21
6

Earlier I struggled to code sign a dmg on 10.11.5, even though the command codesign -s <identity> <path-to-disk-image> was known to me.

What I was doing earlier was:

  1. Create the Read/Write DMG (created using Disk Utility)
  2. Copy the App and other external resources
  3. Code sign the DMG using the codesign command
  4. Convert it to a Read-only DMG using Disk Utility
  5. Verify it using spctl -a -t open --context context:primary-signature <path-to-disk-image>, which results in rejection.

Then, after a few permutations and combinations, I found a pretty easy and straightforward solution:

  1. Create the Read/Write DMG (created using Disk Utility).
  2. Copy the App and other external resources
  3. Convert it to a Read-only DMG using Disk Utility
  4. Code sign the DMG using the codesign command (this time I did it on Sierra; it most probably should work with 10.11.5 too)
  5. Verify it using spctl -a -t open --context context:primary-signature <path-to-disk-image>, which results in success.

I hope this works for you. :)

Khushneet
  • It is already mentioned in the answer. It is codesign -s "Developer ID Application: NAME". You can use the deep and force options as per your need. Please go through the manual page of codesign: https://developer.apple.com/legacy/library/documentation/Darwin/Reference/ManPages/man1/codesign.1.html – Khushneet Oct 10 '17 at 15:57
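The procedure the answers and comments converge on (build a read-only image, strip extended attributes, codesign, then run the spctl check), as an added shell example that is not from any of the answers above. It assumes macOS with hdiutil, codesign and spctl available; the identity string, app and output paths are placeholders you supply, and the spctl_verdict helper that parses spctl's verdict line is my own.

```shell
#!/bin/sh
# Added example (not from the answers above): package an already-signed .app
# into a read-only DMG, sign the image and check Gatekeeper's verdict.
# Assumes macOS with hdiutil/codesign/spctl; paths and identity are placeholders.
set -eu

# Extract the verdict word from `spctl -a -v` output read on stdin.
# spctl prints "<path>: accepted" or "<path>: rejected" and then a "source=" line.
spctl_verdict() {
    v=$(sed -nE 's/^.*: (accepted|rejected)$/\1/p' | head -n 1)
    printf '%s\n' "${v:-unknown}"
}

# Build a compressed read-only image (UDZO) straight from a folder, so there is
# no Read/Write -> Read-only conversion left to do after signing.
build_dmg() {            # build_dmg <srcfolder> <volname> <out.dmg>
    hdiutil create -volname "$2" -srcfolder "$1" -ov -format UDZO "$3"
}

# Sign the image. xattr -cr removes Finder info that otherwise makes codesign
# fail with "resource fork, Finder information, or similar detritus not allowed".
sign_dmg() {             # sign_dmg <identity> <dmg>
    xattr -cr "$2"
    codesign --force --sign "$1" --timestamp "$2"
    codesign --verify --verbose=2 "$2"
}

# Gatekeeper check as in the answers above; succeeds only on "accepted".
verify_dmg() {           # verify_dmg <dmg>
    out=$(spctl -a -t open --context context:primary-signature -v "$1" 2>&1) || true
    printf '%s\n' "$out"
    [ "$(printf '%s\n' "$out" | spctl_verdict)" = "accepted" ]
}

main() {                 # main <identity> <path/to/MyApp.app> <out.dmg>
    identity=$1; app=$2; dmg=$3
    # The image signature does not cover its contents: the .app must carry its
    # own valid signature, or Gatekeeper still rejects it after mounting.
    codesign --verify --deep --strict --verbose=2 "$app"
    stage=$(mktemp -d)
    cp -R "$app" "$stage/"
    build_dmg "$stage" "$(basename "$app" .app)" "$dmg"
    rm -rf "$stage"
    sign_dmg "$identity" "$dmg"
    verify_dmg "$dmg"
}

# Usage: sh sign-dmg.sh "Developer ID Application: <Name> (<TEAMID>)" MyApp.app MyApp.dmg
if [ "$#" -eq 3 ]; then main "$@"; fi
```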