CandyBar & Code Signing
CandyBar, the fun app icon replacement tool, unfortunately also breaks code signing. This results in the annoying “feature” of Firewall where it will never “Always Allow” for apps with broken signatures (like a CandyBar-ed iTunes). The only other options available are:
- Use the “Quick Drop” feature instead, which doesn’t replace the ICNS file.
- Re-sign the app with a different signature.
- Avoid using Firewall/Code Signing/CandyBar altogether.
Which isn’t ideal, especially for CandyBar fans who would like to code sign their apps.
An option for developers!
As it turns out, codesign has an option called --resource-rules (check the man page), which accepts a plist file containing custom resource rules. This can be used to exclude App.icns, App.icns.candybarbackup, and CandyBar.plist from the code signing seal.
For example, the following keys will exclude changes made by CandyBar (and only these changes):
<!-- The icon CandyBar replaces, plus the backup copy it leaves behind -->
<key>^Resources/App\.icns(\.candybarbackup)?$</key>
<dict>
    <key>omit</key>
    <true/>
    <key>weight</key>
    <integer>20</integer>
</dict>
<!-- CandyBar's own bookkeeping file -->
<key>^Resources/CandyBar\.plist$</key>
<dict>
    <key>omit</key>
    <true/>
    <key>weight</key>
    <integer>20</integer>
</dict>
Or as a one-liner:
<key>^Resources/(App\.icns(\.candybarbackup)?|CandyBar\.plist)$</key>
<dict>
    <key>omit</key>
    <true/>
    <key>weight</key>
    <integer>20</integer>
</dict>
If the app’s icon file isn’t named App.icns, adjust the regex to match its name.
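Adjusting the regex for another icon name is where an omit rule can end up wider than intended, and every path it matches is left outside the seal. The following is an added example, not part of the original guide: it builds the rule for a given icon name and lists which files it would omit. The function names and the sample file list are made up for illustration, and Python's re module stands in for codesign's own regex matching.

```python
import plistlib
import re

def candybar_omit_rule(icon_name="App.icns"):
    """Return (pattern, rule) that omits only CandyBar's three files."""
    icon = re.escape(icon_name)  # '.' must match a literal dot only
    pattern = r"^Resources/(%s(\.candybarbackup)?|CandyBar\.plist)$" % icon
    return pattern, {"omit": True, "weight": 20}

def unsealed_paths(pattern, bundle_paths):
    """Paths the omit pattern would leave outside the signature's seal."""
    # Assumption: Python's re behaves like codesign's matcher for these patterns.
    rx = re.compile(pattern)
    return [p for p in bundle_paths if rx.search(p)]

def rules_fragment(icon_name="App.icns"):
    """Serialize the rule as plist XML, to merge into ResourceRules.plist."""
    pattern, rule = candybar_omit_rule(icon_name)
    return plistlib.dumps({pattern: rule}).decode("utf-8")

# Constructed file list for a hypothetical bundle whose icon is iTunes.icns.
SAMPLE_PATHS = [
    "Resources/iTunes.icns",
    "Resources/iTunes.icns.candybarbackup",
    "Resources/CandyBar.plist",
    "Resources/CandyBarXplist",
    "Resources/iTunesXicns",
    "Resources/Other.icns",
    "Resources/en.lproj/iTunes.icns",
    "MacOS/iTunes",
]

if __name__ == "__main__":
    pattern, _ = candybar_omit_rule("iTunes.icns")
    print("omitted:", unsealed_paths(pattern, SAMPLE_PATHS))
    # Same rule with the dots left unescaped: look-alike names slip out too.
    loose = r"^Resources/(iTunes.icns(.candybarbackup)?|CandyBar.plist)$"
    print("loose  :", unsealed_paths(loose, SAMPLE_PATHS))
    print(rules_fragment("iTunes.icns"))
```

Run it against the real file list of the bundle before signing; anything in the "omitted" list beyond the icon, its backup and CandyBar.plist means the pattern needs tightening.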
So when code signing, for example:
codesign --resource-rules="ResourceRules.plist" --sign "My Certificate" "MyApp.app"
Any apps signed this way will still validate after CandyBar modifies the icon! The best of both worlds! :)
Sample Plist
Here’s a full plist file with that key added:
ResourceRules.plist
I plucked those other 4 keys from an app signed without custom resource rules, so I assume they must be important defaults? If anyone can point me to the documentation for this I’d much appreciate it.
The Mac App Store
I haven’t compiled for it myself, but the CODE_SIGN_RESOURCE_RULES_PATH setting looks straightforward enough.
Again, I’d appreciate documentation links if you can find them. If you’re a Mac App Store developer and this guide works for you, let me know!
Comments?
Suggestions for fixes/improvements for this guide are welcome: timgvdh@gmail.com
This guide is licensed under the WTFPL