As I previously wrote (Apple codesigning Certificates), Xcode 4.3 generates a reasonably complex designated requirement when code signing your application for Developer ID and Gatekeeper.

However, independent testing with the spctl --assess command demonstrates that kinder, simpler designated requirements (even code signed with Xcode 3.2.5) will be approved by Gatekeeper.

After reviewing the WWDC2012 DeveloperID and Gatekeeper video on iTunesU, it would appear that the function of these elaborate designated requirements are as follows:

That applications distributed through the Mac App Store and applications distributed via Developer ID which have the same bundle Identifier will be treated as the same application by the system, with respect to sandboxed files, keychain access and preferences etc.

If your application uses the Keychain, or stores critical information in Prefs, you will want to sign your code with the designated requirements generated by Xcode 4.3 (or higher).

It should be possible to generate the designated requirements with Xcode 4.3 and back-port them to Xcode 3.2.5 (in my case, my DeveloperID-distributed code is a Universal binary and includes PowerPC code which cannot be generated by LLVM 3.0).

Labels: designated requirements, developerid, gatekeeper, lion, mountain lion