Why "macOS folder archive" doesn't get signed with install4j

Question

I can't figure out why archive/macOS folder archive doesn't get signed by install4j even when it's instructed to "Sign macOS media files" in general settings. Looking into the logs during the build I do see that DMG gets signed. The signing certificate is good because I've got another app signed without problems, the only difference is that media is installer/macOS folder. So it signs the DMG and doesn't sign the app folder inside? What's the point? I must be missing something.

I am trying to achieve a very simple flow for the user - click on dmg, drag the app archive to the Applications and click to run. No installers needed. It works great until the dmg gets downloaded from the internet, Mac decides that it's dangerous because there is no developer signature and fun begins... How do I make this signature with install4j?

Any help is greatly appreciated. (install4j version is 6.1.6)

Answer 1

I am trying to achieve a very simple flow for the user - click on dmg, drag the >app archive to the Applications and click to run.

Then use the macOS single bundle archive and not the macOS folder installer.

So it signs the DMG and doesn't sign the app folder inside?

No, both the DMG and all generated launchers are signed by install4j for the macOS folder installer.

Note: For macOS 10.14, you will need install4j 7.0.6+ otherwise the signature is reported as invalid.

---

Update after discussion in the comments:

In your case, the executable is a shell script. For mach-o binaries, the codesign tool on macOS saves the signature directly inside the binary, for non-mach-o binaries, it saves extended HFS+ attributes of the file Info.plist. These extended attributes would not be picked up by install4j even if you build on macOS, they will be lost at runtime and the signature will be invalid.

I'm afraid that the only way forward is to use a generated launcher.