Code Signing FileMaker Runtimes
Signing the runtime got harder with new requirements in Mac OS X 10.9 and the upcoming Yosemite release. We not just need to sign the actual application, but also make sure we sign all the components. For the frameworks inside the runtime, we need to fix them to give them a few standard symlinks which are missing. Without those modifications, the bundle will not sign. Luckily all the PPC code and duplicate libraries got removed in FileMaker 13.0v3, so we don't need to do this yourself like in FileMaker 12. If you like to save a few bytes, you can delete the icon files: FM12Dict.icns, FM12Label.icns and FM12Plug.icns inside the runtime. Those are not referenced and never used.
In order to sign, you need to sign up for a Mac Developer Account with Apple. This costs $99 per year. In the Certificates, Identifiers & Profiles section, please go in Mac Apps section and there in Certificates. Create a new Developer ID, follow the instructions and download the certificate file. Double click it to add it to Keychain Manager and voila, it is installed and ready to use.
The complete script is here for download as zip archive: signscript.zip
When you edit the script in a text editor (like BBEdit or TextWranger), you can change the path to the runtime, the name of the app and the name of the certificate. Please note that this script will not work without correct values. If your file name or path contain special character, escaping may be needed. For example a space character needs to be escaped with putting a backslash character just before the space character. You can learn how to escape a path by dragging and dropping the file or folder into the window of the Terminal application. The path is inserted and you can copy & paste it.
Now when everything is setup for your runtime in the script, you can drop the script on a Terminal window and press return key to start it. You'll see a couple of messages. This may include some complains from rm command trying to delete files which are not there. Nothing to worry about, the script just makes sure everything is correct. Further you see a couple of sign message for various parts of the application. The final line should show "signed bundle with Mach-O thin" and report success for signing your runtime app.
To check if app is okay for Gate Keeper you can first verify code signature using a call to codesign with a couple of v for more details and -d to display certificate:
codesign -d -vvvv /Users/cs/Desktop/Test/test.app
Next with spctl utility you can show if app is accepted. So we run spctl utility with verbose messages and -a parameter:
spctl -a -vv /Users/cs/Desktop/Test/test.app
Please change path to your runtimes before running above commands. The output should say "accepted" and now you are lucky and can archive and upload your runtime. Good luck!
proudly sponsored by INtex Publishing
PS: Please check MBS Plugins for included scripts for newer FileMaker versions and read the following tech note from Apple:
Technical Note TN2206
macOS Code Signing In Depth
You may need to code sign your disk images when delivering software as well as the software inside.