MacOS – Is it allowed to be an Apple trusted developer with pure Java

Tags: gatekeeper, install, java, macos, notarization

I am developing JavaFX applications with Spring that are shipped with native installers for Windows, Linux and macOS. I am hosting the macOS DMG and pkg installers outside the Mac App Store, on my web site.

When I download and attempt to install a DMG on macOS Mojave, the system refuses to install it because the app is not from a trusted Apple developer. When the same installer is downloaded via FTP, macOS allows it to be installed.

My question is: can I have my package installer signed (by registering as an Apple developer) if the application is purely Java and has nothing to do with Apple-specific SDKs?

Best Answer

Basically, if I understand your question: yes, it's allowed, but it might not be required.

When you pay to be a developer, Apple generates a secure certificate you can use for many functions, one of which is to code sign a folder of files. Applications on macOS are just bundles of files with some conventions about which files make something a package or an app. You can sign a script, a package, an interpreted code bundle or a compiled app.

Apple offers additional items like notarizing an app, but you should be able to sign your example app with a self-generated certificate before you pay for Apple to sign / provide an identity that all of their devices and OSes will trust as valid.

To recap, you pay for an identity that Apple validates. Of course, if you abuse this, your certificate can and should be revoked, but as long as you are signing legitimate apps you should expect to only have to pay annually for a renewal of your certificate. This is pretty much analogous to getting an SSL cert. You pay for those periodically, and then the signer generally doesn't care why / where you install that cert; as long as you don't break their rules and get caught, they don't revoke your certificate.

Now, if the Java executable gets notarized and signed by someone else, you might not need this at all, and you're not embedding executable bits, just resources and text or source code. For example, it doesn't make sense to pay if you write Swift scripts or Python scripts or bash (or other shell) scripts. That would be like code signing a Word doc and not Word the program itself.
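As an added example (not part of the question or the answer above), the following POSIX shell script shows the macOS commands a self-generated identity or an Apple-issued Developer ID identity would be used with, and then classifies `codesign -dvv` and `spctl --assess` output so you can tell the two apart: an Apple-trusted signature chains through "Developer ID Certification Authority" to "Apple Root CA", a self-generated certificate shows Authority lines but never that chain. The app path, the identity names and the sample tool output are constructed assumptions; `sign_and_check` needs macOS plus a keychain identity and is only meant to be called by hand, while the classifiers run anywhere on the embedded samples.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Paths, identity
# names and the sample tool output below are constructed for illustration.

# classify_signature: read `codesign -dvv APP 2>&1` on stdin and print one of
#   unsigned | adhoc | apple-developer-id | non-apple-chain | unknown
# Only a chain that contains both "Developer ID Certification Authority" and
# "Apple Root CA" is something every Mac trusts out of the box.
classify_signature() {
  out=$(cat)
  case "$out" in
    *"code object is not signed at all"*) echo unsigned; return 0 ;;
  esac
  if printf '%s\n' "$out" | grep -q '^Signature=adhoc'; then
    echo adhoc; return 0
  fi
  if printf '%s\n' "$out" | grep -q '^Authority=Developer ID Certification Authority' &&
     printf '%s\n' "$out" | grep -q '^Authority=Apple Root CA'; then
    echo apple-developer-id; return 0
  fi
  if printf '%s\n' "$out" | grep -q '^Authority='; then
    echo non-apple-chain; return 0
  fi
  echo unknown
}

# gatekeeper_verdict: read `spctl --assess --type execute --verbose=4 APP 2>&1`
# on stdin and print "accepted:<source>" or "rejected:<source>", where
# <source> is Gatekeeper's stated reason (e.g. "Notarized Developer ID").
gatekeeper_verdict() {
  out=$(cat)
  first=$(printf '%s\n' "$out" | head -n 1)
  case "$first" in
    *": accepted") verdict=accepted ;;
    *": rejected") verdict=rejected ;;
    *) verdict=unknown ;;
  esac
  src=$(printf '%s\n' "$out" | sed -n 's/^source=//p' | head -n 1)
  echo "$verdict:${src:-none}"
}

# sign_and_check APP IDENTITY: the macOS commands themselves (macOS only).
# IDENTITY is a name listed by `security find-identity -v -p codesigning`,
# e.g. a self-signed "My Test Identity" (assumed name) or
# "Developer ID Application: Example Corp (ABCDE12345)" (assumed team ID).
# --deep also signs the nested Mach-O files (the bundled JRE's dylibs and
# launcher) that a packaged Java app carries; --options runtime (hardened
# runtime) is required for notarization. Apple's timestamp service is only
# used with an Apple-issued identity.
sign_and_check() {
  app=$1; identity=$2
  case "$identity" in
    "Developer ID Application:"*) ts=--timestamp ;;
    *) ts= ;;
  esac
  codesign --force --deep --options runtime $ts --sign "$identity" "$app"
  codesign --verify --deep --strict --verbose=2 "$app"
  codesign -dvv "$app" 2>&1 | classify_signature
  spctl --assess --type execute --verbose=4 "$app" 2>&1 | gatekeeper_verdict
}

# Constructed sample tool output (not captured from a real machine) so the
# classifiers can be exercised without macOS.
SAMPLE_DEVID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'
SAMPLE_SELF='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=My Test Identity
TeamIdentifier=not set'
SAMPLE_ADHOC='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Signature=adhoc'
SAMPLE_UNSIGNED='/Applications/Example.app: code object is not signed at all'
SAMPLE_SPCTL_REJECT='/Applications/Example.app: rejected
source=no usable signature'

for s in "$SAMPLE_DEVID" "$SAMPLE_SELF" "$SAMPLE_ADHOC" "$SAMPLE_UNSIGNED"; do
  printf '%s\n' "$s" | classify_signature
done
printf '%s\n' "$SAMPLE_SPCTL_REJECT" | gatekeeper_verdict
```

A self-signed identity (created in Keychain Access with Certificate Assistant, type "Code Signing") is enough to make `codesign --verify` pass and to test the bundle layout, but a quarantined download of that app still fails `spctl` on any other Mac. Getting an "accepted" verdict on a fresh download takes a Developer ID identity and, on current macOS, notarization of the DMG or pkg (`xcrun notarytool submit --wait` followed by `xcrun stapler staple`), which is the paid part the answer describes.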