Signing the OSX version of your NWJS (node-webkit) app for GateKeeper (for Mac noobs like me!)

The problem: I am new to Mac. I want my nwjs (node-webkit) app to be able to be downloaded from my website as a DMG file so users can install it. I am not intending to put this app in the Apple Store. I am using Yosemite.

Rant paragraph: The first thing you need to know is that Apple run a kind of racket in this case. In order to do this simple task you need to pay them AU $149 (per annum) just to get a Developer ID so you can sign your app so users can install it without seeing the “unidentified developer” message! The purported reason is that it increases security on the end user’s Mac. Well, all the user needs to do is to Control+click the app then click Open. So much for the security! To charge $149 for that is a racket IMJ. Anyway, rant aside…

Gatekeeper info is here if you don't know about it.

The overall steps are:

  1. Get a Developer ID (and certificate and install it on your development Mac).
  2. Use that certificate to sign your app
  3. Package the signed app into a DMG file for distribution

This post also has some useful background info, as does this post, especially the comment about making sure you have downloaded Xcode (from the Apple Developer area).

However, this post had the most helpful checklist for doing steps 1 and 2 above. Thanks Jean-Baptiste Escoyez!
Since it was written a couple of things have changed, which is what prompted me to write this blog post.

  • Part A:
      • Keychain is an app in Applications/Utilities
      • If you are taking responsibility for the whole process, ignore the step “Send the newly created file to your agent”
  • Part B:
      • “Upload the CSR file sent by admin (or dev)” means navigate to where you saved the certificate you created in Part A
      • Ignore the “Send it to the requester” step. You are the requester.
  • Part C:
      • The “User ID” mentioned is the Developer ID, which is a long hash. I couldn't find where the ID was mentioned within the Keychain item (probably missed the obvious), but you can get the ID by opening a Terminal window on your Mac and entering security find-identity. If all is well you should see the Developer ID displayed.
  • Part D:
      • The Terminal commands need to change slightly because node-webkit is now called nwjs (since v0.12). If you are using that version or later, change the …./Frameworks/node-webkit references to …./Frameworks/nwjs
      • Of course you can put all that in a “command” script file so you don't need to keep typing it.
  • Part E:
      • I added those commands to my script file

Gotchas found:

  • You need to have internet access in order to run the codesign command. It seems it accesses a Timestamp server when it runs. My internet access had gone down and I got a codesign message about not finding a Timestamp.
  • Don't leave random files in the package or the code signing might fail with a “code object is not signed at all” message. I had made a copy of the info.plist file as info.plistCopy while I was trying to work all this out and codesign didn't like it!
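
Parts D and E and the two gotchas above can be combined into one command script. This is an added example, not code from this post or from the linked checklist: it refuses to sign while unexpected files sit in Contents/, signs the nested code under Contents/Frameworks before the app itself, then verifies the result. The function names, the allow-list of bundle items and the usage line are assumptions; nested items are discovered rather than named, so the script does not depend on the node-webkit/nwjs rename.

```bash
#!/bin/bash
# Added example (not from the original post): preflight, sign inside-out, verify.
# Usage: ./sign_app.command "/path/to/YourApp.app" "Developer ID Application: ..."

# Print entries directly under Contents/ that are not usual bundle items.
# The allow-list is an assumption about a typical bundle; extend it if needed.
stray_files() {
  for entry in "$1"/Contents/*; do
    [ -e "$entry" ] || continue
    case "$(basename "$entry")" in
      [Ii]nfo.plist|PkgInfo|MacOS|Resources|Frameworks|PlugIns|_CodeSignature) ;;
      *) printf '%s\n' "$entry" ;;
    esac
  done
}

# Print what to sign, one path per line: nested helper apps, frameworks and
# loose executables under Contents/Frameworks (deepest first), then the app.
signing_order() {
  fw="$1/Contents/Frameworks"
  if [ -d "$fw" ]; then
    { find "$fw" -type d \( -name '*.app' -o -name '*.framework' \)
      find "$fw" -maxdepth 1 -type f -perm -100   # owner-executable files
    } | awk '{ print gsub("/", "/") "\t" $0 }' | sort -rn | cut -f2-
  fi
  printf '%s\n' "$1"
}

sign_app() {
  app="$1"; identity="$2"
  strays=$(stray_files "$app")
  if [ -n "$strays" ]; then
    printf 'Remove these before signing:\n%s\n' "$strays" >&2
    return 1
  fi
  # codesign contacts a timestamp server, so this step needs internet access.
  signing_order "$app" | while IFS= read -r item; do
    codesign --force --verbose --sign "$identity" "$item" || exit 1
  done || return 1
  # Check the signature, then ask Gatekeeper whether it would allow the app.
  codesign --verify --deep --verbose=2 "$app" &&
    spctl --assess --type execute --verbose "$app"
}

# Only sign when called with an app path and a signing identity.
if [ "$#" -eq 2 ]; then
  sign_app "$1" "$2"
fi
```

The identity string is whatever security find-identity prints for your Developer ID certificate.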

To package the app in a DMG file I am using DropDMG. It seems you can make DMGs manually, and there might be other solutions, but I found this worked really well. At $24 I found the time saving worth it.

There are a few issues around changing the nwjs icon to your custom icon and getting DropDMG to use it in the installer which I will write about in another post soon. Ask if you need it.

Creating a command script for OSX (for Mac noobs like me)

In Windows you have batch files.

In OSX you can create “command” files. Open a text editor, e.g. Sublime Text. (I noticed that TextEdit wouldn't allow me to save the file with a .command extension.)

Enter your terminal (command line) commands into your file and save it with a .command extension.

To allow OSX to run that file via a double click you need to change the permissions. Open a Terminal window and enter

sudo chmod 755 your_command_file_path_and_name

You will be asked for your OSX password. Note that as you type it does NOT give any feedback about the key presses so just enter the password anyway.

You should be able to then navigate to your command file in the Finder and double click it to execute the script.