How to make a modified dmg distributable?
Adding files to a dmg and redistributing it
Purpose :
Adding some settings files to firefox.dmg (mozilla.cfg and policies.json) with the objective of redistributing the modified dmg
How the dmg is modified :
- Decompressing the dmg with tools like (hdiutil/ultraiso/transmac/dropdmg/disk-utilities)
- Mounting and adding files to the decompressed dmg
- Optional (recompress the dmg with same utils used to decompress)
Issue :
Opening the new dmg on a different machine gives the result: "firefox" is damaged and can't be opened, you should move it to trash
What was tested :
- Removing the com.apple.quarantine attribute with the command xattr -c works, but it's not a reliable solution
- Tried to remove _CodeSignature directories from the dmg without success
- Creating a new dmg containing files of the previous one without success
- Tried to edit Info.plist without success
Question :
How to make the new dmg package usable on other machines? (How to avoid the error from Gatekeeper without using xattr -c)
Solution 1:
Apple DMG Code Signing :
Signing an Apple application requires paying for Apple's developer program (99$); it can be done for free, but for a limited purpose.
Signing a dmg can be done in two ways:
- Signing the dmg file itself
- Signing the Application.app directory inside the dmg image
Editing signed DMG files :
Here are 3 possible ways to edit signed applications:
- Re-sign the application after editing
- Remove the signature completely and edit the application (the application will still be installable; the user will be warned)
- Removing the com.apple.quarantine attribute with the command xattr -c after editing the application
Signature verification :
Depending on the situation one or both commands are required
codesign -v Application.app
codesign -v Application.dmg
Removing application signature
After extracting the dmg etc. Depending on the situation one or both commands are required
codesign --remove-signature Application.app
codesign --remove-signature Application.dmg
Explaining the failure :
"The Application is damaged and can't be opened, you should move it to trash" is the result of a partial signature removal, because removing _CodeSignature directories is not enough to get rid of the signature; codesign --remove-signature needs to also be run against the package/application/binary.
Related lecture :
- Create dmg
- Create dmg from directory
- Add signature to dmg
- Remove signature
- Damaged application
- How to code sign
- Free developer
- Free signature
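
The partial-removal state described under "Explaining the failure", as an added example that is not part of the original answer: a Python check that reports whether a bundle still has its _CodeSignature/CodeResources file and whether an executable in Contents/MacOS still carries an embedded signature load command (LC_CODE_SIGNATURE). The Sample.app layout and Mach-O bytes are constructed sample input; the check covers presence only and only Contents/MacOS (nested helpers and frameworks are signed separately), so codesign -v remains the validity test.

```python
import struct
from pathlib import Path
LC_CODE_SIGNATURE = 0x1D  # load command pointing at the signature embedded in a Mach-O file

def has_embedded_signature(data, base=0):
    """True if the Mach-O image at data[base:] has an LC_CODE_SIGNATURE load command."""
    magic = data[base:base + 4]
    if magic == b"\xca\xfe\xba\xbe":  # universal binary: big-endian list of per-arch slices
        (nfat,) = struct.unpack_from(">I", data, base + 4)
        slices = [struct.unpack_from(">I", data, base + 8 + 20 * i + 8)[0] for i in range(nfat)]
        return any(has_embedded_signature(data, off) for off in slices)
    if magic not in (b"\xcf\xfa\xed\xfe", b"\xce\xfa\xed\xfe"):
        return False  # not a little-endian Mach-O (script, resource, ...)
    (ncmds,) = struct.unpack_from("<I", data, base + 16)
    pos = base + (32 if magic[0] == 0xCF else 28)  # mach_header_64 vs mach_header
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_CODE_SIGNATURE:
            return True
        pos += cmdsize
    return False

def signature_state(app):
    """'signed', 'unsigned' or 'partial' (presence only; validity is codesign -v's job)."""
    contents = Path(app) / "Contents"
    sealed = (contents / "_CodeSignature" / "CodeResources").is_file()
    embedded = any(has_embedded_signature(p.read_bytes())
                   for p in (contents / "MacOS").iterdir() if p.is_file())
    if sealed and embedded:
        return "signed"
    return "partial" if sealed or embedded else "unsigned"

def sample_macho(signed):
    """Constructed 64-bit Mach-O header (sample input, not a real executable)."""
    cmds = [struct.pack("<II16x", 0x1B, 24)]  # LC_UUID
    if signed:
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0, 0))
    body = b"".join(cmds)
    return struct.pack("<7I4x", 0xFEEDFACF, 0x0100000C, 0, 2, len(cmds), len(body), 0) + body

def sample_bundle(root, signed_exe, sealed):
    """Constructed Sample.app under root, with or without each half of the signature."""
    contents = Path(root) / "Sample.app" / "Contents"
    (contents / "MacOS").mkdir(parents=True)
    (contents / "MacOS" / "sample").write_bytes(sample_macho(signed_exe))
    if sealed:
        (contents / "_CodeSignature").mkdir()
        (contents / "_CodeSignature" / "CodeResources").write_text("<plist/>")
    return contents.parent
```

A result of "partial" on a modified bundle is the state the answer describes: one half of the signature was deleted while the other is still present.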
Solution 2:
You cannot modify the DMG and have it still pass through GateKeeper without re-signing it. This is basically the entire reason for having the code signature!
Basically you have three options:
1) Remove the old code signature and re-sign the DMG with your own signature. This requires you to be enrolled in Apple's Developer Program.
2) Distribute the original, unmodified DMG - and accompany it with your own modifications. This could be done as instructions for the user on what to copy over, or it could be in the form of an automatic script.
3) Remove the signatures completely (both from the DMG and the app). The user then needs to have GateKeeper set to allow opening unsigned applications (i.e. the user will be prompted on the first open).