How to code sign & verify DMG image files

Signing & Verifying with App Wrapper 3.6 (or newer)

If you're distributing your applications on the web (not via the Mac App Store), you'll want to use the new code signed DMG image files for the updated Gatekeeper built into macOS Sierra.

Please note: Sierra only accepts DMG image files that are code signed on OS X 10.11.5 or newer.

It can be done from the terminal, but rather than mess around with command line functions, we've built a DMG Signing tool into App Wrapper 3.6 or newer. Using it is really easy and it works with almost all DMG creation applications (we like Araelium's DMG Canvas).


DMG Signer window in App Wrapper 3.6

  1. Open App Wrapper (you can download a FREE trial) and select "DMG signer" from the "App Wrapper" menu. Alternatively, drag a DMG to the App Wrapper dock icon or open window, or select a DMG file from the "Open" dialog.
  2. Select the signing identity from the menu in the top left hand corner of the window. If you don't see any identities, there's a help topic in App Wrapper about using Xcode to install them.
  3. DMG files listed in blue are unsigned. Click the "Sign DMG" or "Sign All" button to sign them. Once DMGs have been signed, the symbol to the left is green and the signing identity is displayed on the right hand side.

Automatically with an App Wrapper created Xojo build script.

When working with App Wrapper and Xojo, you can create a Xojo build script that will fire once the application is built in Xojo. This is great because you can simply select "Build" in Xojo and automatically have App Wrapper do its business, which, with version 3.6, now includes integration with DMG Canvas and automatic DMG image signing.

  1. Select "None" in the "Packing" options for your application (within App Wrapper).
  2. Build the application.
  3. In DMG Canvas, create the DMG Template and add the "Wrapped" version of the application from App Wrapper.
  4. Back in App Wrapper, select "DMG Canvas" from the "Packing" options, then use the file selector under the "Packing" selector to choose the DMG template.
  5. Now "Wrap" the application again, and this time there should be a signed DMG waiting.

For help on integrating App Wrapper into your Xojo workflow, please see the App Wrapper help.


Using DMG Canvas to code sign DMG Image files

DMG Canvas version 2.3 included support for code signing DMG image files (http://www.araelium.com/dmgcanvas).


Drop DMG code signing and verification

Drop DMG version 3.4 now supports code signing of DMG files.

Download the update from http://c-command.com/dropdmg/


Signing & Verifying manually

For those of you who prefer to sign and verify via the command line, here are the equivalent commands.

Signing DMG Image files

codesign --force --sign "Developer ID Application: <identityIdentifier>" <pathToDMG>

To code sign in a way that Sierra accepts, code signing must be done on 10.11.5 or newer.

Verifying DMG image file signing

spctl -a -t open --context context:primary-signature -v <pathToDMG>

Verification only works on macOS Sierra 10.12 or newer; in App Wrapper we do our own verification.
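
The two manual commands above can be combined into one script that refuses to sign on a system too old for Sierra and only runs the spctl check where it works. This is an added example, not part of App Wrapper or the original article; the function names are hypothetical, and the extra `codesign --verify` step is an addition beyond the commands shown above.

```shell
#!/bin/sh
# Added example (not from the original page): sign a DMG, then verify it,
# applying the OS version limits the page states.

# version_at_least HAVE WANT: succeed if dotted version HAVE >= WANT.
version_at_least() {
    have=$1 want=$2
    while [ -n "$have" ] || [ -n "$want" ]; do
        h=${have%%.*} w=${want%%.*}
        h=${h:-0} w=${w:-0}          # a missing component counts as 0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        case $have in *.*) have=${have#*.} ;; *) have= ;; esac
        case $want in *.*) want=${want#*.} ;; *) want= ;; esac
    done
    return 0
}

# plan_for_os VERSION: print the steps this OS version supports.
# Per the page: signing Sierra accepts needs 10.11.5+, spctl check needs 10.12+.
plan_for_os() {
    if version_at_least "$1" 10.12; then echo "sign verify"
    elif version_at_least "$1" 10.11.5; then echo "sign"
    else echo "none"
    fi
}

# sign_and_verify DMG IDENTITY, where IDENTITY is the full
# "Developer ID Application: ..." string from your keychain.
sign_and_verify() {
    dmg=$1 identity=$2
    plan=$(plan_for_os "$(sw_vers -productVersion)")
    if [ "$plan" = "none" ]; then
        echo "This OS cannot produce a DMG signature Sierra accepts" >&2
        return 1
    fi
    codesign --force --sign "$identity" "$dmg" || return 1
    # codesign's own integrity check of the signature just applied
    codesign --verify --verbose "$dmg" || return 1
    case $plan in
        *verify*) spctl -a -t open --context context:primary-signature -v "$dmg" ;;
        *) echo "Signed; run the spctl check on 10.12 or newer" >&2 ;;
    esac
}

# Run only when called as: script.sh <pathToDMG> "<identity>"
if [ "$#" -eq 2 ]; then sign_and_verify "$1" "$2"; fi
```

A non-zero exit status from the script means signing or one of the checks failed, so it can gate a release step in a build pipeline.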