Gatekeeper Path Randomization for Developer signed DMG? - macos-sierra

We are packaging our app for drag and drop installation DMG as following:
Application Name/Application.app
Application Name/Readme
Application Name/Examples/...
Application Name/Documentation/...
And user is supposed to d&d Application Name Folder to /Applications/.
Everything is code signed including DMG.
From most information I read this should be enough to prevent app translocation happening, but for some reason it isn't for some of our Sierra users?
The solution for them would be beside d&d folder to /Applications is to do another drag & drop (move) Application.app somewhere and back to /Applications/Application Name/ or move only Application Name/Application.app overwriting /Applications/Application Name/Application.app.
Now the question is why do only some users have this issue, and shouldn't code signing dmg prevent app translocation from happening?
I verified they have selected Allow apps downloaded from Mac App Store and identified developers.

I had this same problem on my side and had to go get some help via DTS, so I thought I'd repay the favor by replying here:
To avoid translocation, it turns out that not only is the disk image DMG supposed to be signed, but the file format for the image needs to be very specific: UDRO.
You can see more information about UDRO when you look at the man page for the hdiutil command line tool.

Related

Can my app be distributed through the MacOS App Store (struggling with Sandbox)?

I'm new to MacOS app development, and just getting around to hopefully releasing an app. I have two options - the Mac App store or do it through my website.
I would have preferred to do via the App Store but realized it has a "sandbox" requirement, and I'm flummoxed on what I should do.
My app requires heavy file/folder access. Some of the basic requirements are
ability to open and save files
ability to create folders (without prompting, as part of a process run)
ability for a backend process to access those files and run on it (e.g., if I added a markdown file to the app, and then run pandoc on it)
I can live with a user giving access to a base folder (and its subfolders) as kind of the app folder and I can work inside it. But being able to invoke a command-line tool installed on the mac, to run on those files, is paramount.
Can I do this at all? Or do I need to go outside the app store? I do not need access to system files etc and my app does absolutely nothing with any file except the ones within a project folder chosen by the user.
Any pointers to more recent documentation greatly appreciated. Kind of lost.

Windows 7 iTunes does not accept the adhoc ipa file

I am in beta testing stage for an application.
Some of my beta testers use Windows 7 and run iTunes within.
Some of them are just fine but a few observe some rather strange behavior.
That is: Neither the *.ipa nor the *.mobileprivision file can be dragged and dropped into the Apps section of the Mediathek within iTunes. (Doing so the icon indicates that the object cannot be dropped within iTunes)
We tried File/Add to Mediathek ... and that does not work either. No error message but the app does not show up and when adding the mobileprovision file for a second and third time no message comes up that asks whether to overwite the existing mobileprovision file.
I tried google and the search within stackoverflow but did not find anything that matches my problem.
Any suggestion is highly appreciated!
Probably not a direct answer to your question - but a workaround:
Have you tried http://testflightapp.com? Lets you send beta builds to your testers over the air without them having to go through iTunes. And it's free.
No affiliation - just a satisfied user.
Agree with Abizem. Testflight is a good, painless way of sending out builds. If you absolutely have to use the mobileprovision and .app route, just copy the mobileprovision file and do a sync. Check if that is getting added to the device (the UDID in the mobileprovision might be incorrect)
Note: the .app file will appear as a folder on a Windows system. The entire folder needs to be dragged in this case.
If all of your testers use iOS 4 you can drop the two files on your file server and let them open the website from there iOS device. It is really simple and they don't even need a PC for testing:
http://buzzworks.de/blog/announcing-developer-framework-hockey

Downloading files for UIWebView to specific folder on IPhone

I have made an app that displays my website from a UIWebView and it takes you to a store that you can download files. My question is that I need to download a '.zip'file from my website using the app to the IPhone. Heres is my problem. I don't want the file to goto the App's Document folder, I want it to goto a folder that is outside of my applications folder. Here is an example path I might want my file to goto EX:'var/mobile/Library/Downloads'. If there is not a way to download the files to a path outside of the app's folder, is there a way to transfer the specific file that I have downloaded from my website using the my app to another folder that is not located in my app's folders? I know this can be done because I have used apps that have done this, of course they were apps only available on Cydia. This is also an app that will be used for Jail-broken users just for your information!
Thanks for any help!
Any "regular" iphone app runs in a sandbox that prevents access to system wide directories. Practically, you only have access to the app Home Directory.
Unless you go for a jailbroken app, you have no other options than storing to the App docs folder.
Read "The Application Sandbox" and "The File System" [here] for more details1.
EDIT:
I am not an expert on cydia, but the general idea is gaining access as root and then write to where you need to. This can be done by replacing your app with a suid shell script that will in turn exec your app (which will have root privileges now and then be able to go out of the sandbox).
For more info look at this.

How to codesign automatically generated iOS apps?

Greetings,
I'm in the progress of writing a web server script that lets you create custom iOS apps (basically exchanging logos and a few other things). The web server customizes a previously uploaded "shell" .ipa and re-zips the whole container to send it to the user's browser. That is: we customize a previously uploaded .ipa on the web server and let the user download it for submission to the App Store.
The next step would be to re-codesign the whole .ipa - because we changed the .IPA contents and the user must use his own signing identity - so that he can actually upload it to the App Store.
From what I understand, there is a "CodeResources" file which contains some kind of hash for each resource file in the bundle, and the executable contains some kind of embedded signature as well. To generate these, you'd have to use the "codesign" utility on the user's computer, then use Application Loader to submit it to the App Store. Correct so far?
What I'm trying to find out is:
Is there a way to codesign the .ipa on the server (with having the user upload his certificate beforehand), so that he does not have any extra work to do?
If 1) is not possible, is there some kind of tool that allows to re-codesign the .ipa without much hassle? Xcode seems to require some project setup work to do just a bit of code signing - if possible at all.
Are there any alternative ways to codesign the .ipa files for the user - possibly without having to manually do it by hand?
Thanks in advance!
Xcode uses the codesign command line utility to create the CodeResources folder and the digital signature, you can invoke it yourself to sign an app bundle outside of Xcode. You could probably automate this on a server if the server was running Mac OS X; if you're really clever you might be able to figure out how to create the signature yourself using openssl (the signing certificates, etc. are all standard stuff). Or, if you can count on the user having the dev tools installed, provide them with an app that automates the signing for them.
Here's a blog entry describing some of the process (though the use case is a little different).
I don't like to answer my own question, but I want to close this after so long.
We ended up using Xcode's targets and schemes to ease up the generation of many different apps. Since we have a reasonable number of app variants, this seems to be OK for now.
Code signing is a mess and Apple constantly changes the technical process behind it - so it's a moving target and requires a lot of hacking and trial-and-error work.

creating a free version of an app, but having the app separate on debug device

I was just making a free version of one of my apps. I copied the folder, renamed the project, and changed the icon file, loading screen, interface, and code. BUT YET it still replaces a build on my phone.
1)how do I stop this from happening (i want both the free and paid version on my phone)
2) if you can fix this, will a customer who has the paid, and downloads the free, will that replace it on their phone?
I really need to know these, as I have the app ready to go, and would like to get it before the end of the week.
cheers
Sam
You need to have a different app bundle identifier. I think that's your problem.
Long answer:
Go into your projectname-info.plist file and change the CFBundleIdentifier.
I'd recommend something like:
com.mycompany.mycoolapp for the app store
com.mycompany.mycoolapp-beta for the beta version
You should actually be able to set up the "Debug" build configuration to use a different info.plist file configured with a different CFBundleIdentifier and a different icon filename. That way you'll automaticlly get the beta ID and icon, etc for the Debug build and the real id/icon for the full one.
This should allow users to install and use both the production and test versions of the apps at the same time without confusion.
You might also find this IPA target template helpful if you're doing ad-hoc distribution to Windows users for testing:
http://devblog.appmagination.com/2010/01/target-template-for-building-iphone-ipa.html