How to add codesigning to dmg file in mac

Question

I have a dmg file in my portal.After downloading it,when i try to open it is showing a message indicating that opening package is insecure. i am able to add codesign through

Answer 1

There's 3 ways to do this. In the terminal on OS X 10.11.5 or newer. Note: you can code sign DMGs on earlier OS versions, however Sierra only likes them from 10.11.5 or newer.

codesign --force --sign "Developer ID Application: <identityIdentifier>" <pathToDMG>

Verification is done via (requires macOS Sierra).

spctl -a -t open --context context:primary-signature -v <pathToDMG>

Araelium have updated DMG Canvas (v2.3), so it will code sign DMGs when it builds.

DropDMG has been updated to code sign DMG image files too (v3.4).

There's also (a tool I developed) called App Wrapper (3.6), which can code sign DMG files.

Answer 2

As of macOS 10.11.5 you can now sign disk images, .dmg, files using the codesign tool:

codesign -s <identity> --keychain <full-path-to-keychain> <path-to-disk-image>

Answer 3

Earlier I struggle to code sign dmg on 10.11.5 even this command codesign -s <identity> <path-to-disk-image> is known to me.

What I am doing earlier is

1. Create the Read/Write DMG (created using Disk utility)
2. Copy App and other external resources
3. Code signed DMG using codesign command
4. Convert it to Read only DMG using Disk Utility
5. Verify it using spctl -a -t open --context context:primary-signature <path-to-disk-image>, which results in rejection.

Then few permutation and combination, I found it pretty easy straight forward solution:

1. Create the Read/Write DMG (created using Disk utility).
2. Copy App and other external resources
3. Convert it to Read only DMG using Disk Utility
4. Code signed DMG using codesign command (This time I did it on Sierra, most probably should work with 10.11.5)
5. Verify it using spctl -a -t open --context context:primary-signature <path-to-disk-image>, that results in success.

I hope this works for you. :)