Re-signing an Apple Developer Distribution cert signed app with an Apple Enterprise Developer Distribution cert - code-signing

We have been re-signing an app developed and signed with a sub-contractor’s Apple Enterprise Developer Distribution certificate, with our Apple Enterprise Developer Distribution certificate for MDM distribution through Intune. The sub-contractor says due to a change in Apple policy, they now need to sign the app with an Apple Developer Distribution certificate. During a test, we could re-sign the .ipa file with our Apple Enterprise Developer Distribution certificate. However, when we attempt to install the app on a managed device, we get an error that says, “Unable to install [app name] This app cannot be installed because its integrity could not be verified.”
When the sub-contractor was signing with an Apple Enterprise Developer Distribution certificate, our bundle ID could match theirs. In the test of the new process, we were unable to use a bundle ID that matches the one the sub-contractor is using. If we try to use the same bundle ID, we get an error saying “An App ID with identifier [bundle ID] is not available. Please use another string.” Would not using the same bundle ID be causing the integrity verification issue?

Related

How to codesign and notarize Electron (electron-builder) app on behalf of my client?

I'm trying to figure out what I need from my client to codesign and notarize an Electron app on macOS on behalf of my client.
As far as electron-builder goes, I already have that configured to codesign and notarize the app and publish it to GitHub releases.
For the past year I have been doing that on his Mac, so I know that as far as the code of the app goes everything is correct.
But now I have to codesign, notarize and publish the app to GitHub releases from my own Mac.
Now I know that on his machine electron-builder uses the "Developer ID Application" certificate that is in his keychain and Xcode.
From what I understand I need to export that certificate as a .p12 file from his keychain.
Then copy it to my machine and then I should import it into keychain access on my machine?
I tried that but keychain access just says that it cannot import the item.
He is enrolled in the Apple developer program as a business and he added my appleId to their team and assigned the developer role to me.
I am not enrolled in the developer program, I just have a free account. Do I need to be enrolled?
Is this even what I should be doing (importing the .p12 certificate)? If so am I missing a step?

Distributing Mac app outside App Store. How should I sign it?

I have a Mac app which can't be sandboxed due to using Apple Events and therefore it can't be released through the Mac App Store.
I've made a website, added a payment gateway and everything seems to be ok but I keep getting feedback from testers who can't open the app even with the right mouse button method.
First it was the raw app from Xcode without any kind of signing. After that I tried exporting after archiving using my developer certificate, then I even notarized the app with Apple, but still there are people who can't open the app (even though they were able to use it before signing).
Currently I'm using the Mac App Distribution certificate (no provisioning profile). Is this correct? Should I use "Mac Installer", "Mac developer", "Apple developer", "Apple distribution"… why is this so confusing?
You should use the Developer ID Application certificate to distribute a Mac app outside the Mac App Store that does not use an installer. Most Mac apps do not use an installer.
Apple provides a decent explanation of the different certificates when you create a new certificate from Apple's Certificates, Identifiers, and Profiles page. To keep people reading this from having to go there, I'll explain them now.
The Developer ID Installer certificate is for distributing Mac apps outside the App Store that use an installer to install the app.
The Mac Development certificate is for signing development versions of a Mac app.
The Mac App Distribution certificate is for distributing a Mac app on the App Store that does not use an installer. The Mac Installer Distribution certificate is for distributing a Mac app on the App Store that uses an installer.
In Xcode 11, Apple added the Apple Development and Apple Distribution certificates so people could sign their apps for all Apple platforms with one certificate. These certificates are for apps that will end up on the App Store.

iOS device won't allow to open the app with distribution certificate not expired nor revoked

Our enterprise app was distributed through Fabric Crashlytics Beta, but after a year the app won't open on the device. When you tap the icon it will just close. It can't be downloaded either.
The distribution certificate was neither expired nor revoked.
And releasing a build with a new generated certificate fixed the issue but the cause is still unknown.
The certificate is valid for 3 years, but the provisioning profile you used to build the app with is valid for 1 year at most. You can push a new provisioning profile to the devices without having to re-build the app, but without a non-expired provisioning profile that is valid for the app's bundle ID and the certificate used to sign it, the app will refuse to run.
Long story short, if you are doing enterprise distributions, you will need to push out a provisioning profile (either through mobile device management [MDM] or by building the app again with a new provisioning profile [the profile is bundled with the ipa when you package the app]) at least once a year. Then once every 3 years, you will need to get a new certificate, generate a new profile for that certificate, and build and deploy a new binary that has been signed with the new cert.
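The condition in the answer above (a non-expired provisioning profile that is valid for the app's bundle ID) can be checked on a build before it is pushed through MDM. This is an added example, not part of the original answer; it reads the plist embedded in a `.mobileprovision` without verifying its CMS signature, and the sample profile, team prefix and bundle IDs are constructed.

```python
import plistlib
from datetime import datetime, timedelta

# Constructed sample: a fake CMS wrapper around a minimal in-house profile plist.
SAMPLE = b"\x30\x82\x01\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Name</key><string>Constructed In-House Profile</string>
<key>ExpirationDate</key><date>2025-06-01T00:00:00Z</date>
<key>ProvisionsAllDevices</key><true/>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>ABCDE12345.com.example.fieldapp</string>
</dict></dict></plist>""" + b"\x31\x82\x00\x00"

def extract_profile(blob: bytes) -> dict:
    """Return the plist carried inside a .mobileprovision (CMS SignedData).

    The payload sits unencrypted in the wrapper, so it is located by its
    markers. The CMS signature is NOT verified here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def covers(app_id: str, bundle_id: str) -> bool:
    """app_id is '<prefix>.<bundle id or wildcard>', e.g. 'ABCDE12345.com.example.*'."""
    pattern = app_id.partition(".")[2]
    if pattern.endswith("*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id

def check_profile(profile: dict, bundle_id: str, now: datetime, warn_days: int = 30) -> list:
    """Return findings; an empty list means the profile fits this app today."""
    findings = []
    expires = profile["ExpirationDate"]  # plistlib returns a naive UTC datetime
    if expires <= now:
        findings.append("profile expired")
    elif expires - now <= timedelta(days=warn_days):
        findings.append("profile expires soon")
    if not covers(profile["Entitlements"]["application-identifier"], bundle_id):
        findings.append("bundle ID not covered by profile")
    return findings

if __name__ == "__main__":
    profile = extract_profile(SAMPLE)
    print(check_profile(profile, "com.example.fieldapp", datetime(2025, 5, 20)))
```

Inside an .ipa the profile to feed to `extract_profile` is `Payload/<App>.app/embedded.mobileprovision`.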

Sign an electron app on macos using pfx certificate

I have created an Electron app. Now I want to sign code for both the Windows and Mac platforms. But I only have a GoDaddy pfx certificate. I successfully signed code using the pfx certificate from GoDaddy on the Windows platform. So, can I sign an Electron app on the macOS platform using the GoDaddy certificate?
You can sign a macOS app with a GoDaddy code-signing certificate, but it probably won't do what you want. Here's what Apple's developer documentation says (with my emphasis added):
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the macOS codesign command. Similarly, if your company is
a certificate issuing authority, contact your IT department to find
out how to get a signing certificate issued by your company. However,
while these valid certificates allow you to sign your code, you can
only distribute through the App Store or through the Developer ID
program when you sign with a certificate issued by Apple.
So, the question is: how is your application going to be distributed to users' computers?
If it's sold through Apple's App Store, you need to become an Apple Developer, get a Mac App Distribution certificate from Apple, and sign the app with that before submitting it to Apple.
If it's distributed outside Apple's App Store (e.g. via web download), then you also need to become an Apple developer, get a Developer ID certificate, and use that to sign it. If you don't sign it with the right kind of certificate, Gatekeeper will prevent users from opening the app unless they go through a special procedure to trust the app.
Either way, you need to join the Apple Developer program, and use an Apple-issued code signing certificate to sign the macOS version of your app.

Test application on iPod with Xcode?

How can I put my incomplete application on my iPod before I publish it on the appstore? So I want to test it on my iPod.
This requires a provisioning profile and developer identity. These things are available via the provisioning portal and require a paid developer program membership.
You must generate an identity (by means of a certificate, and signing request) with keychain, and use the provisioning portal to upload the CSR and get a signed certificate matched to the identity. With this identity downloaded and installed, you'll use it to sign your binaries.
Applications have a unique bundle identifier. Using the provisioning portal, you must create a development provisioning profile associated with your device ID(s). Download and install the provisioning portal, and you should be set to build and run on your device.
The provisioning portal has concise steps to walk you through this process.
developer.apple.com/ios/manage/overview/index.action
You have to have a provisioning profile, and if you do, you have to do some things in the account, which you then put in Xcode and transport to the iPhone.
