Skip to content

Code signing

Omnis Studio has an intricate application bundle structure primarily due to the extensive range of features and their dependencies.

Furthermore, as new features are added or older features are improved, the bundle structure is likely to change. This fluidity poses a challenge to users that code sign their Omnis Studio applications themselves.

To rememdiate this problem, we think it's best to standardise the code signing process of an application built with Omnis Studio, and the best way to achieve that is to share the code signing script we use ourselves.

The benefits of using our script to code sign are:

  • Up-to-date Process

    • The script is continually maintained and updated by our development team. This ensures that it always aligns with the latest structure and requirements of Omnis Studio's application bundle.

  • Code signing consistency

    • By using the same script for both internal and external code signing processes, we ensure a consistent approach. This uniformity is crucial for maintaining the integrity and reliability of the application.

  • Ease of use

    • The script is designed to be straightforward and user-friendly. It abstracts the complexity of the code signing process, making it accessible even for those who may not be deeply familiar with the intricacies of macOS code signing.

  • Extensibility

    • You can simply call the sign function at the bottom of the script in order to code sign specific components you added.

You can download the code signing script here and its dependency script for generating application entitlements here.

How to use the code signing script

Xcode 13.2 is the minimum required for notary tool, used during code signing.

Once you have the codesign_omnis.sh and its generate_entitlements.sh dependency, place them both in the same folder.

In order to start the code signing process, launch the Terminal and execute:

/path/to/codesign_omnis.sh --bundle path/to/your/app.bundle --identity "Developer ID Application: XXXX (BXXXXHXXXXY)"

Replace the identity with the name of your code signing certificate as it is in Keychain and the path to your application bundle.

You can also run /path/to/codesign_omnis.sh --help for further details.

Adding further components to code sign

If you have further components to code sign, you can call the sign function in the codesign_omnis.sh script.

We advise you do this at the end of the script, before the last call to sign which is meant to re-seal everything:

sign "/Contents/MacOS/xcomp/obrowser.u_xcomp" $ENTITLEMENTS
wait

# Sign your components here

sign "" $ENTITLEMENTS
wait

exit 0

We believe that for most applications, you may not need to add any extra components to sign.

The safest approach would be to attempt notarization once your application has been code signed and if any components fail to pass, only then you should consider adding them to the signing script, and only if code signing was the issue they failed.

A notarization failure due to bad code signature might contain errors such as The signature does not include a secure timestamp or The binary is not signed with a valid Developer ID certificate.