Log In    |    Knowledge Base    |    4D Home
Tech Tip: Distributing Applications via Signed DMG on MacOS
Published On: December 19, 2018
Your current browser may not allow you to download the asset. We recommend Mozilla Firefox or Google Chrome.
Log In

Applications that are distributed on on unsigned disk images or .zip archives are subject to App Translocation (Gatekeeper Path Randomization), which can prevent the application from working because it is effectively running from a read-only location. This mechanism is enforced even when the application itself is signed, depending on the distribution mechanism.

In order to bypass App Translocation, you must distribute your application on a Signed DMG.

Signing a DMG requires a Developer ID signing certificate from the Apple Developer Program ($99/year). Once the signing certiciate is obtained, the process is very simple.

  1. Create a DMG containing the application
  2. Use codesign from a terminal to sign the DMG:
    codesign --force --sign "Developer ID Application: YourCertificateID" /path/to/my.dmg
  3. Verify the signature from the Terminal using spctl:
    spctl -a -t open --context context:primary-signature -v /path/to/my.dmg
  4. Distribute the Signed DMG

Commented by Gerald Balzer on December 20, 2018 at 8:10 AM
Tools like DropDMG or DMG Canvas assist you with creating the DMGs and sign them.