Code-signing, Notarization, Gatekeeper, and Authenticode
Need help with distributing your screensaver? Please see Distributing Screensaver Installers
Screensavers, identity, and software security in the modern era
These instructions have been updated to support Windows 10, Windows 11, and macOS versions through 14.0 (Ventura) with hardened runtime and notarization.
Last Update: Thursday, 04-Jan-2024 14:08:11 PST
Modern operating systems (beginning with Windows 10 and Mac OS X 10.10 Yosemite) are very careful to only run software that is "trusted." This trust is established by the author of the software signing the code with a digital signature, based on a certificate that was issued to the author's company after a thorough background check to establish a valid identity. Our editing software, iScreensaver Designer, is signed with such a certificate (issued to our parent company Xochi Media Inc).
iScreensaver lets you, the author, create a fully customized screensaver and screensaver installer program, complete with your own icons, text descriptions, images, and copyright information.
These custom modifications change data within the software application executables, so that every screensaver you build is unique. This is generally a good thing, as the end user of the screensaver software will see your name, your icons, your information.
Unfortunately, these modifications also prevent the screensaver installer software from being digitally signed with our corporate certificate. (If we were to sign it with our identity beforehand, when you built your screensaver, then the signature would be broken and the software application would not run at all).
So, when you build a screensaver installer using iScreensaver Designer, the final built software will be created without a digital signature.
This leaves you, the author, with two choices:
Option 1: No signature. | Option 2: Create your own digital signature.
Option 1: Deliver the software as-is, without a digital signature.
When a customer or end-user tries to install a screensaver that is not signed, they will usually be presented with one or more warnings like these:
Mac OS X unsigned warning:
Windows' unsigned warning:
Windows' security warning:
Solution: Bypass these warnings.
It is relatively easy to bypass these warnings: let your end users know ahead of time to expect the warning, and instruct them on how to bypass it. These warnings are common to many software packages, and most customers are already familiar with the steps.
Important: when you bypass the warnings, you are allowing unsigned code to run on your computer, which in general is a bad idea. Users should only do this when they know and trust the software's source.
To bypass unsigned warnings on Mac OS X:
To bypass Gatekeeper checks, right-click the installer icon and choose "Open", or hold down the Control key while clicking the icon and choose "Open".
There will then be a new window with the "open" button enabled:
To bypass unsigned warnings on Windows:
To bypass Authenticode checks, click "Actions" in the first dialog, then "More options", and choose "Run anyway" from the second dialog.
With these two simple techniques, most of the problems of code-signing can be avoided. However, there are certainly situations where it's not feasible to take this approach. A better solution (but one that is much more expensive and technically demanding) is Option 2.
Option 2: Sign the screensaver installers with your own Digital Signature
For the best end-user experience, you want your screensaver installers digitally signed with your company's code-signing certificate. Although this could not be done for technical reasons with iScreensaver Designer 4.5, iScreensaver Designer 5 and 6 offer full compatibility with modern digital signatures.
Please note that this process is technical, time-consuming, and costs money. Furthermore, it uses third party companies, services, products and tools for which we can not provide technical support. We will provide an outline of the steps and some suggested vendors, but many of the details will be up to you.
Code-signing 101: Step-by-Step Instructions
Code-Signing and Notarization on macOS
- Get a Mac running OS X 10.14 or later. You cannot code-sign Mac software on a Windows PC.
- Get an Apple Developer Account. This currently costs $99 per year. Enroll in the Apple Developer Program.
- Verify your identity with the certificate issuer. Typically this will require you to have a legal organization (such as an LLC, corporation, non-profit, or sole proprietorship). This step can take several days to have your identity confirmed. You may need to make sure your company is listed properly with Dun & Bradstreet (D&B) and that you know your DUNS number. You may also need copies of corporate documents such as the Articles of Incorporation.
- Create and download your code-signing certificate from Apple, which is called a Developer ID Application certificate. See https://help.apple.com/xcode/mac/current/#/dev154b28f09
- Create an app-specific password for your Apple ID at appleid.apple.com. See https://support.apple.com/en-us/HT204397
- Download a copy of our code-signing and notarization script (right-click and choose 'Download' file): sign_and_notarize_iscreensaver.sh
- After downloading, move the file to the folder you are working in, for example:
  mv ~/Downloads/sign_and_notarize_iscreensaver.sh ~/"Documents/iScreensaver Projects/SpaceDemo/"
- Then make the script executable using these commands:
  cd ~/Documents/iScreensaver\ Projects/SpaceDemo   # use the actual folder path where you placed the script file
  chmod 755 sign_and_notarize_iscreensaver.sh
- Edit the script file as per the instructions included within. You will need to provide your Apple ID, Team ID, app-specific password, the file path and name of your screensaver, and a unique ID for the file.
- Once you have your Developer ID certificate, you can sign and notarize your finished screensaver installers with a single command-line script:
  cd ~/Documents/iScreensaver\ Projects/SpaceDemo   # use the actual folder path where you placed the script file
  ./sign_and_notarize_iscreensaver.sh
Code-Signing on Windows OS
- Get a Windows PC running Windows 10 or later. You cannot code-sign Windows software on a Mac.
- Get a code-signing certificate. Numerous companies offer them, and current discount prices run about $100/year. We can recommend using certificates from these organizations:
- Verify your identity with the certificate issuer. Typically this will require you to have a legal organization (such as an LLC, corporation, non-profit, etc.). This step can take several days to have your identity confirmed. You will want to make sure your company is listed properly with Dun & Bradstreet (D&B) and that you know your DUNS number. You may also need copies of corporate documents such as the Articles of Incorporation.
- Retrieve your code-signing certificate from your vendor once it is ready. Important: use IE11 for this step and download your certificate on the same computer you will use for code-signing.
- Save the certificate and private key in PFX format by following these steps in IE11:
  - Open IE11 on the same computer where you downloaded your certificate.
  - From the Tools menu, choose Internet Options.
  - On the Content tab, click the Certificates button.
  - Select the code-signing certificate you just purchased and downloaded (note: there may be several certificates in the list; be sure to choose the correct one).
  - Click the Export button.
  - Choose "Yes, export the private key".
  - Choose "PKCS#12 (.PFX)" as the kind.
  - Check the box for "Include all certificates in the certification path if possible".
  - Create a certificate password (and remember it for later).
  - Export the file to your hard drive.
- Get the Windows SDK, which includes the signtool command-line tool. The easiest way is to download the Windows 8.1 SDK, which can be used on Windows 10, directly from Microsoft: Download Windows 8.1 SDK.
Those are the hard steps. The next step is fairly easy:
- Once you have your Certificate and SignTool app installed, you can sign your finished screensaver installers with a single command line:
"C:\Program Files\Microsoft SDKs\Windows\v8.1\Bin\signtool.exe" sign /v /f MyCertificateAndPrivateKey.pfx /tr http://timestamp.comodoca.com/ /td sha256 /p myPassword /fd sha256 /d "My Screensaver Description" /du "http://mywebsite.com" MyScreensaverInstaller.exe
...replacing MyCertificateAndPrivateKey.pfx with the name of your certificate file, changing myPassword to the password you created above, setting the description and URL to your company, and supplying the actual path and filename of your built screensaver installer in place of MyScreensaverInstaller.exe. (The /td sha256 switch makes the RFC 3161 timestamp use SHA-256 as well; without it, signtool falls back to SHA-1 for the timestamp digest.)
Important note: if you are using the older version (iScreensaver Designer 5), it only supports code-signing the Single-File-Installer format. This provides a digitally signed installer; however, the actual screensaver that gets installed will not be digitally signed. Generally this does not cause problems and the installation will be straightforward. However, if the user chooses the option to install the screensaver "For All Users" on their computer, they will see one additional UAC prompt, on which they must click "Yes".
Please note, this applies only to iScreensaver 5. The current versions (iScreensaver 6 or later) do not have this issue.
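Both procedures above (the macOS sign-and-notarize script and the Windows signtool command) end with a built installer that should now carry a signature. Before shipping, it is worth a quick, tool-independent check that the signature blob is actually present in the artifact, since a forgotten step leaves you back at Option 1 with the warnings your users will see. The script below is an added example written for this page; it is not iScreensaver's script and not Apple's or Microsoft's tooling. It parses only enough of a Windows PE header to find the Authenticode security directory, and enough of a 64-bit Mach-O header (the main executable inside an app bundle) to find the LC_CODE_SIGNATURE load command. It reports presence only: it does not validate the certificate chain, the timestamp, or notarization. The sample inputs it builds are constructed header-only stubs with placeholder signature bytes, not real signed files.

```python
"""Check whether a built installer carries a code-signature blob (presence only).

Added example, not iScreensaver's script. Parses a Windows PE (Authenticode
security directory) or a little-endian 64-bit Mach-O (LC_CODE_SIGNATURE).
It does not validate the signature, the certificate chain, or notarization.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # PE data-directory slot used by Authenticode
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE.wCertificateType for PKCS#7
LC_CODE_SIGNATURE = 0x1D                 # Mach-O load command pointing at the signature
MH_MAGIC_64 = 0xFEEDFACF                 # little-endian 64-bit Mach-O magic


def pe_authenticode(data):
    """Return (file_offset, size) of the WIN_CERTIFICATE blob, or None if unsigned."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 24                  # skip 4-byte signature + 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                   # PE32: NumberOfRvaAndSizes at 92, directories at 96
        n_rva_off, dirs_off = 92, 96
    elif magic == 0x20B:                 # PE32+: NumberOfRvaAndSizes at 108, directories at 112
        n_rva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional-header magic %#x" % magic)
    if struct.unpack_from("<I", data, opt + n_rva_off)[0] <= IMAGE_DIRECTORY_ENTRY_SECURITY:
        return None
    # Unlike every other directory, the security entry holds a file offset, not an RVA.
    off, size = struct.unpack_from("<II", data, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("security directory points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        raise ValueError("unexpected WIN_CERTIFICATE header")
    return off, size


def macho_code_signature(data):
    """Return (dataoff, datasize) of the LC_CODE_SIGNATURE blob, or None if unsigned."""
    if struct.unpack_from("<I", data, 0)[0] != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (for a fat binary, lipo -thin first)")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    pos = 32                             # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, pos)
        if cmd == LC_CODE_SIGNATURE:     # linkedit_data_command: dataoff, datasize follow
            dataoff, datasize = struct.unpack_from("<II", data, pos + 8)
            return (dataoff, datasize) if datasize else None
        pos += cmdsize
    return None


def describe(data):
    """Dispatch on the file's magic and return a one-line verdict."""
    if data[:2] == b"MZ":
        hit = pe_authenticode(data)
        return "PE: Authenticode blob at %d (%d bytes)" % hit if hit else "PE: NO Authenticode signature"
    if data[:4] == struct.pack("<I", MH_MAGIC_64):
        hit = macho_code_signature(data)
        return "Mach-O: code signature at %d (%d bytes)" % hit if hit else "Mach-O: NO code signature"
    return "unrecognised format"


def build_pe(signed):
    """Constructed minimal PE32+ stub (headers only) with an optional placeholder certificate."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                    # e_lfanew = 64
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)  # 16 directories
    dirs = [(0, 0)] * 16
    cert = b""
    if signed:
        body = b"\x30\x82\x00\x00"       # placeholder DER prefix, not a real PKCS#7 SignedData
        cert = struct.pack("<IHH", 8 + len(body), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + body
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (64 + 4 + 20 + 240, len(cert))  # header total = 328
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, len(opt), 0x22)   # AMD64, SizeOfOptionalHeader=240
    return dos + b"PE\0\0" + coff + opt + cert


def build_macho(signed):
    """Constructed minimal arm64 Mach-O stub: header, LC_UUID, optional LC_CODE_SIGNATURE."""
    cmds = struct.pack("<II", 0x1B, 24) + b"\0" * 16                     # LC_UUID, 24 bytes
    blob = b""
    if signed:
        blob = b"\xfa\xde\x0c\xc0"       # placeholder: CSMAGIC_EMBEDDED_SIGNATURE prefix only
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + 24 + 16, len(blob))
    hdr = struct.pack("<IIIIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, 2 if signed else 1, len(cmds), 0, 0)
    return hdr + cmds + blob


if __name__ == "__main__":
    # usage: python3 check_sig.py MyScreensaverInstaller.exe  (no args: run on the constructed stubs)
    inputs = [open(p, "rb").read() for p in sys.argv[1:]] or \
        [build_pe(True), build_pe(False), build_macho(True), build_macho(False)]
    for blob in inputs:
        print(describe(blob))
```

A "blob present" result is the cheap sanity check, not the acceptance test: the real verdict on Windows comes from signtool verify /pa /v and on macOS from codesign --verify --deep --strict followed by spctl --assess, which check the chain, the hardened runtime, and the notarization ticket that this parser deliberately ignores.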