Signed Disk Image for iOS

Since PSPDFKit 5.4.0 for iOS, we’ve been using a Developer ID-signed disk image to distribute our framework. Signing disk images has only been possible since macOS 10.11.5. Doing so allows an entire disk image to be validated by Gatekeeper the first time it’s mounted. For more information, see TN2206 Signing Disk Images.

You can verify that a PSPDFKit disk image was indeed created by us by displaying information about it with codesign:

$ codesign -dvvv PSPDFKit.dmg

The output should look like the following:

Executable=/Users/pspdfkit/PSPDFKit.dmg
Identifier=PSPDFKit
Format=disk image
CodeDirectory v=20200 size=296 flags=0x0(none) hashes=1+6 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=46765a2ed05a004cbf4b885d0920162c66595134
Hash choices=sha256
CDHash=46765a2ed05a004cbf4b885d0920162c66595134
Signature size=8863
Authority=Developer ID Application: PSPDFKit GmbH (4YCRL5LW7Q)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=01 Jul 2016 15:26:16
Info.plist=not bound
TeamIdentifier=4YCRL5LW7Q
Sealed Resources=none
Internal requirements count=1 size=168

In particular, look out for this:

Authority=Developer ID Application: PSPDFKit GmbH (4YCRL5LW7Q)

Also look out for this:

TeamIdentifier=4YCRL5LW7Q

The above lines in the output demonstrate that PSPDFKit has signed the DMG.