November's update to InstallBuilder adds built-in support for DMG signing and fixes a bug for non-Qt-based installers.
DMG signing is an important feature of macOS Sierra 10.12.0 and later, which ensures that unwanted code is not added to disk images that contain signed applications.
Before DMG signing, developers could add unsigned code like scripts or dynamic libraries to the disk image file that would run alongside the signed application using relative paths. Depending on how the app loads this extra content at runtime, other developers could potentially "repackage" the application in a different DMG file that adds unwanted code.
Apple has dealt with this problem by using Gatekeeper path randomization, which copies any application with an unsigned DMG file to a random file system location before executing it. This prevents any code in the image from using relative paths to access unwanted content outside the application bundle. Using a signed DMG file bypasses the Gatekeeper, since the image file itself is trusted in that case.
To read more about DMG signing from Apple, see their documentation on the topic. To learn more about signing installers in InstallBuilder, check our documentation or community pages.
In addition to built-in DMG signing, we also fixed some alignment issues in <choiceParametersGroup> for non-Qt based installers. To learn more about this parameter group, take a look at our documentation.
As always, make sure you are providing the best, most secure experience possible for your users by updating to the latest version of InstallBuilder or InstallBuilder for Qt today!