Changes to Authentication and Code Signing Support for OS X Based Installers in InstallAnywhere 2014 Hotfix A
SummaryThis article talks about the changes to Authentication and Code Signing Support for OS X Based Installers in InstallAnywhere 2014 Hotfix A
SynopsisInstallAnywhere 2014 Hotfix A brings updated authentication support for Mac OS X installers for OS X systems. This article talks about the new updated Mac OS X installer authentication support and its requirements. Please note that this article does not list the complete steps required to create the authenticated installer. For complete detailed information on the new updated authentication and code signing support, refer to this PDF file or the file linked at the end of this article. The PDF includes all the necessary information regarding the new authentication and code signing support with detailed steps to create a Mac OS X authenticated installer.
DiscussionIn InstallAnywhere 2014, authentication support for a Mac OS X installer can be enabled at the Project>Platforms>Mac OS X>Authentication setting in the project. Set the ?Requires an Administrator Name or Password to Install? setting to ?Yes? to enable authentication support for a Mac OS X installer.
Support for authenticated installers is included for OS X 10.8 and later systems. However, installers which do not have authentication enabled are supported on OS X 10.7 and later.
The authenticated installer must be code signed. An unsigned Mac OS X installer cannot be launched in authenticated mode. If the setting ?Requires an Administrator Name and Password to Install? is enabled in the project in the Project>Platforms>Mac OS X>Authentication section, the built installer won?t launch unless the installer is also code signed.
The authenticated Mac OS X installer can be code signed in two ways:
1. By providing the code signing information in the project, enabling IA to create a code signed installer at build time.
In order to code sign a Mac OS X installer at build time, the signing information should be provided in the project in the Project>Platforms>Mac OS X>Code Signing section. A valid ?Developer ID Application? certificate (exported in .p12 file format) is required with its correct keystore password. In order for an authenticated installer to be code signed at build time, follow the step below:
- Check the box for Code Signing in the Project>Platforms>Mac OS X>Code Signing section and specify the .p12 file and its correct password
2. By creating an unsigned installer at build time and code signing the IA created installer post build.
In order to code sign an authenticated Mac OS X installer after build-time, refer to the PDF linked in this article. Specifically, the installer developer is required to follow the steps from the section: ?To code sign the build output (install.zip file) on a separate code-signing machine?.
Note: Installanywhere generates the uninstaller and bundles it into the installer at build time. Therefore, a limitation of this method is that it is not possible to code sign the uninstaller. Therefore, such uninstaller installed by the authenticated installer will not function if the installer is code signed after build.
In addition to code signing the installer, other steps are required to be completed prior to build in order to create an authenticated installer. InstallAnywhere is shipped with the helper tool, which is the file that is used to launch the installer or uninstaller with elevated privileges. The helper tool must be code signed with the same ?Developer ID Application? certificate that will be used to sign the installer. The signing of the helper tool should be done before build time. Note that the same certificate should be used to sign both the helper tool and the authenticated installer. Also, the signing of the helper tool is only required if creating authenticated installers. When only creating code signed installers that do not have authentication enabled, the step to sign the helper tool can be skipped. For more detailed information on the complete steps to sign the helper tool in preparation of authenticated installer, please refer to the PDF.
Additional InformationNote: Any code signing must be performed on Mac OS X system 10.9 or later. The signing of the helper tool and the installer must be done on Mac OS X. This means that if the installer is configured to be code signed during build time, the InstallAnywhere IDE or SAB must be installed on a Mac OS X machine and the installer build must be performed on Mac OS X.
After the authenticated installer is built and launched on the target OS X system, the installer prompts for elevation and then installs the helper tool to the target system. The helper tool is installed with root privilege, which is capable of launching the installer launcher with the elevated privileges.
For the complete detailed information on the new updated authentication support, refer to this PDF document.