devinhalladay / spotio

A proof-of-concept Rdio-inspired skin for Spotify.app
http://spotio.devinhalladay.com/
MIT License
365 stars 25 forks

Resigning OS X / Mac OS application #23

Open sandervankasteel opened 8 years ago

sandervankasteel commented 8 years ago

On OS X / Mac OS we need a way to re-sign the Spotify.app, so we don't have to keep telling users to disable their Gatekeeper (which is just generally a bad idea).

This issue relies on the outcome of issue #5, because if we choose to create our patcher application, we need to add to that patching process a step that re-signs the application with "our" keys or the user's local keys (which are accepted by default and won't cost any money!).

Mozilla has a nice "tutorial" on how they do it during their build process: https://developer.mozilla.org/nl/docs/Mozilla/Signing_Mozilla_apps_for_Mac_OS_X

PS. This issue is mainly used for brainstorming.

devinhalladay commented 8 years ago

Yep, this is definitely a necessity. I'll read through the article when I get a chance, but I'm thinking in the installer/patcher app we can probably just call an external AppleScript to sign this with the user's keys. The only issue is that I'll need to register for a dev certificate for the patcher itself, but I guess that's just the cost of doing this right.

sandervankasteel commented 8 years ago

Before: screen shot 2016-08-30 at 20 01 13

After: screen shot 2016-08-30 at 20 01 17

I managed to re-sign my own local Spotify.app with my own locally created certificates! :D

I just need to think about how to do this programmatically.

abarisain commented 8 years ago

Nice! I assume a 'codesign "-"' didn't do the trick, right?

We could build an autopatcher. I have lots of ObjC/Swift experience, so writing OS X apps is definitely in my reach. We could let Spotify update itself, and an app could re-sign it.

Or we could script it for @devinhalladay, who would then publish updated builds signed by himself, whenever he made sure nothing broke, and we'd be good. Then a simple client app would keep Spotify updated, with something like Sparkle.

sandervankasteel commented 8 years ago

It was f*cking easy..

This is how I fixed it: sandervankasteel is my locally installed and created code-signing certificate, and the option -f forces it to replace its current signature.

    % codesign -s sandervankasteel -fv Spotify.app
    Spotify.app: replacing existing signature
    Spotify.app: signed app bundle with Mach-O thin (x86_64) [com.spotify.client]
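
A scripted version of the re-signing step in the comment above, as an added example that is not code from this thread or from the project. The function names, exit codes and the sample tool output are assumptions constructed for illustration; the `codesign -s <identity> -fv` call is the one shown in the thread.

```shell
#!/bin/sh
# Added example (not the project's code): re-sign an app bundle with a local
# code-signing identity, then confirm the result. Function names are hypothetical.

# Succeeds if `security find-identity -p codesigning` output on stdin lists
# an identity whose quoted name is exactly $1.
has_identity() {
  grep -Fq "\"$1\""
}

# Prints the leaf signer from `codesign -dvv` output on stdin (first Authority=
# line). Prints nothing for an ad-hoc signature, which has no Authority line.
leaf_authority() {
  sed -n 's/^Authority=//p' | head -n 1
}

# resign_app IDENTITY APP: force-replace the signature as in the thread, then verify.
resign_app() {
  [ -d "$2" ] || { echo "not an app bundle: $2" >&2; return 2; }
  security find-identity -p codesigning | has_identity "$1" ||
    { echo "no code-signing identity named $1" >&2; return 3; }
  codesign -s "$1" -fv "$2" || return 4
  # Integrity check of the freshly written signature.
  codesign --verify --strict --verbose=2 "$2" || return 5
  # Make sure the bundle is now signed by the identity that was requested.
  signer=$(codesign -dvv "$2" 2>&1 | leaf_authority)
  [ "$signer" = "$1" ] || { echo "unexpected signer: $signer" >&2; return 6; }
}

# Constructed sample tool output (placeholder hash, path and size) so the two
# parsers can be tried without a Mac or a keychain.
SAMPLE_IDENTITIES='  1) 0000000000000000000000000000000000000000 "sandervankasteel"
     1 valid identities found'
SAMPLE_DISPLAY='Executable=/Applications/Spotify.app/Contents/MacOS/Spotify
Identifier=com.spotify.client
Authority=sandervankasteel
Signature size=1234'

# Usage: resign.sh IDENTITY /path/to/Spotify.app
if [ "$#" -eq 2 ]; then
  resign_app "$1" "$2"
fi
```

The final signer check matters after an app update: if the updater restores the vendor's signature, `leaf_authority` no longer returns the local identity and the script exits with 6.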