Xojo Conferences

« MBS Xojo Developer Co… | Home | New Timer for Windows… »

Code Signing FileMaker Runtimes

Everyone producing runtimes with FileMaker 13 for Mac OS X has a problem. You need to sign the app for Gate Keeper. If your runtime is not signed, the Finder will ask the user when launching the application after download to delete the app! To avoid users get confused or not use the runtime, we sign the runtime.


Signing the runtime got harder with new requirements in Mac OS X 10.9 and the upcoming Yosemite release. We not just need to sign the actual application, but also make sure we sign all the components. For the frameworks inside the runtime, we need to fix them to give them a few standard symlinks which are missing. Without those modifications, the bundle will not sign. Luckily all the PPC code and duplicate libraries got removed in FileMaker 13.0v3, so we don't need to do this yourself like in FileMaker 12. If you like to save a few bytes, you can delete the icon files: FM12Dict.icns, FM12Label.icns and FM12Plug.icns inside the runtime. Those are not referenced and never used.

Developer Account

In order to sign, you need to sign up for a Mac Developer Account with Apple. This costs $99 per year. In the Certificates, Identifiers & Profiles section, please go in Mac Apps section and there in Certificates. Create a new Developer ID, follow the instructions and download the certificate file. Double click it to add it to Keychain Manager and voila, it is installed and ready to use.

Sign Script

The complete script is here for download as zip archive: signscript.zip

When you edit the script in a text editor (like BBEdit or TextWranger), you can change the path to the runtime, the name of the app and the name of the certificate. Please note that this script will not work without correct values. If your file name or path contain special character, escaping may be needed. For example a space character needs to be escaped with putting a backslash character just before the space character. You can learn how to escape a path by dragging and dropping the file or folder into the window of the Terminal application. The path is inserted and you can copy & paste it.

Now when everything is setup for your runtime in the script, you can drop the script on a Terminal window and press return key to start it. You'll see a couple of messages. This may include some complains from rm command trying to delete files which are not there. Nothing to worry about, the script just makes sure everything is correct. Further you see a couple of sign message for various parts of the application. The final line should show "signed bundle with Mach-O thin" and report success for signing your runtime app.


To check if app is okay for Gate Keeper you can first verify code signature using a call to codesign with a couple of v for more details and -d to display certificate:

codesign -d -vvvv /Users/cs/Desktop/Test/test.app

Next with spctl utility you can show if app is accepted. So we run spctl utility with verbose messages and -a parameter:

spctl -a -vv /Users/cs/Desktop/Test/test.app

Please change path to your runtimes before running above commands. The output should say "accepted" and now you are lucky and can archive and upload your runtime. Good luck!

proudly sponsored by INtex Publishing

PS: Please check MBS Plugins for included scripts for newer FileMaker versions and read the following tech note from Apple:

Technical Note TN2206
macOS Code Signing In Depth


You may need to code sign your disk images when delivering software as well as the software inside.
22 08 14 - 10:26
ten comments

Just an extra note. You need to do the code signing in Mac OS 10.9 (or higher) to meet the new requirements.
Code signing your projects in Mountain Lion will not work.
Koen Van Hulle (URL) - 22 08 14 - 16:51

Since FileMaker is owned by Apple and FileMaker sells Advanced as creating Runtimes to be freely distributed, shouldn’t this problem be resolved by FileMaker rather than the user? Or are you doing something out of the ordinary that a typical developer might not do?
Jack Rodgers (URL) - 22 08 14 - 19:35

Of course FileMaker could make it an option in building runtimes to select a certificate and automatically sign it. They could also make their bundles signable. And while FileMaker 12 didn’t run on PPC Macs, they still included in FM12 and early FM13 releases a lot of PPC code. See my older runtime shrinker app.
I bet they simply don’t care much for runtimes any more.
Christian Schmitz (URL) - 22 08 14 - 19:52

Its very nice of you guys to make a script like this but unfortunately i docent work, at least not in the configuration Mac OS X 10.10.3 and FMP13.9.
Issues that everything is ok until the two last lines which says:
Venturi – Journalen 12.0.app/Contents/MacOS/Runtime: unsealed contents present in the bundle root
Venturi – Journalen 12.0.app: unsealed contents present in the bundle root
Carsten Dyhr (URL) - 08 06 15 - 10:29

This script works well with FMP16, but I cannot get it to codesign in FMP17. The app is rejected. Is there some modification that needs to be done to it to work with FMP17?
Aaton Cohen-Sitt - 31 07 18 - 06:29

For FileMaker 17, please use the new script coming with the MBS Plugin download.
Christian Schmitz (URL) - 31 07 18 - 09:33

Christian – thank you!

For those looking for the script:

The script is to be found in the folder /Guides/Goodies/Code Signing FileMaker Runtimes.pdf

Russell Watson - 24 10 18 - 10:19

Actually the script is now found in Extras (or Utilities) folder included with plugins.

Be sure you use the right script. We have one for FM 17 specifically.
Christian Schmitz (URL) - 24 10 18 - 10:35

Dear Christian, I’m getting the dreaded “Primary File Not Found..” Error when opening a signed (and tested/verified) runtime. I’ve tried both older versions of your script and the 17 version. It may be that MY Computer is outdated, or XCode is not up-to-date?

I tried a lot of different things to get it to work. The Runtime opens smoothly on MY Machine, but as soon as it is Zipped & uploaded/downloaded, then I get that error message. It is the SAME Error Message I got even before i Code-signed the runtime app. I also tried Zipping and Uncompressing locally and that does not cause the Error (the runtime opens fine).

If I click OK on the Error it gives me chance to “Find” the missing File (it shows the name of file without an extension) and if i point to the .fmpur File it opens and works. If I point to the main .app file it does not work. But I shouldn’t have to point at anything!? I’m pretty much tapped out my patience over the last 3 days battling this bc I’ve never had this trouble before.

One thing I tried was “removing” the —options —runtime from your v17 script bc that was throwing errors – and that works, tested and verified. but same error after downloading/uploading.

I’m on Mac OS 10.12.6 and My XCode says it needs to Update but when I tried updating the XCode app it took forever and never really updated?

Here is a link to screenshot showing successful tests in Terminal and Dialogs when opening the compressed/downloaded/uncompressed runtime copy: https://drive.google.com/file/d/1PobZtmY-0eelvRFssYnHInG3RHLKAghu/view?usp=sharing


Cheers, -David
David Sparrow - 31 07 19 - 21:45

No try needed and guess.
You need to properly sign the runtime.
spctl in Terminal must day the app is accepted. Otherwise not worth uploading it.
And for newer versions of MacOS even notarize it.

Don’t waste your time with old Xcode. You need the latest one for notarization!
Christian Schmitz - 31 07 19 - 21:49

Remember personal info?

Emoticons / Textile

Hide email:

Small print: All html tags except <b> and <i> will be removed from your comment. You can make links by just typing the url or mail-address.