Changes to code signing in OS X Mavericks and what developers need to know

It sounds like OS X Mavericks, which could launch any week now, introduces some changes to code signing that developers will find frustrating if they're not up to speed on them. Craig Hockenberry on

Very simply put, you can no longer sign a bundle (like your .app) if any nested bundle in that package is unsigned. These nested bundles are things like helper executables, embedded frameworks, plug-ins and XPC services.

The result is that you'll need to update your Xcode projects as soon as you start building on 10.9. It's taken me several days to understand what these changes are, and with the help of Perry Kiehtreiber on the developer forums, I'd like to share what I've learned.

(Yes, I realize this essay is going to break the NDA, but since Apple is asking us to submit apps for Mavericks, I want as many developers as possible to avoid the utter confusion I faced earlier this week.)
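The nested-bundle rule quoted above means signing has to proceed from the innermost bundle outward. The script below is an added example, not code from the quoted essay or from Apple: the function names, the `DRY_RUN` variable and the list of bundle extensions are assumptions made for illustration, and standalone helper executables that are not wrapped in a bundle are not covered.

```shell
#!/bin/sh
# Added example: sign every nested bundle before the bundle that contains it.

# Print all code bundles under $1, innermost first. find -depth lists a
# directory's contents before the directory itself, so a framework's XPC
# service is printed before the framework, and the outer .app comes last.
signing_order() {
    find "$1" -depth -type d \( \
        -name '*.app' -o -name '*.framework' -o -name '*.xpc' \
        -o -name '*.plugin' -o -name '*.bundle' \)
}

# $1 = signing identity (assumed to be present in the keychain)
# $2 = path to the outer .app
# With DRY_RUN=1 the codesign commands are printed instead of executed.
sign_inside_out() {
    identity=$1
    app=$2
    signing_order "$app" | while IFS= read -r bundle; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            printf 'codesign --sign "%s" "%s"\n' "$identity" "$bundle"
        else
            # Stop at the first failure: an unsigned inner bundle would
            # make signing the outer bundle fail anyway.
            codesign --sign "$identity" "$bundle" || exit 1
        fi
    done || return 1
    # After a real run, check the whole bundle including nested code.
    [ "${DRY_RUN:-0}" = 1 ] || codesign --verify --deep "$app"
}
```

Running it first with `DRY_RUN=1` shows the order in which bundles would be signed without touching any signatures.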

If you're a developer working on an OS X 10.9 Mavericks post, you need to read this: