I created a Mac file upload client application that implements a high-performance reliable data transfer over UDP protocol, based on the UDT library.
My setup:
MacOS Mojave
Xcode 10.3
Deployment Target: 10.10 (minimum for storyboard-based forms)
Now I'm trying to figure out how to sign it properly so end users can run it without doing a Gatekeeper override.
Here's where I'm at:
I have a paid Apple Developer account, delegated to me from an organization paid Developer account
I have roles assigned to me allowing me to manage apps, certificates, provisioning, etc.
I am signed into this account under Xcode accounts under Preferences.
I have created a bundle registration under the account, copied exactly from Xcode
I have created a Mac Distribution certificate, starting with a CSR from my development machine.
I have downloaded and imported the certificate into my machine's keychain (listed as "3rd Party Mac Developer Application:...")
I have created a provisioning profile for this app, with above certificate assigned, the profile type is App Store, but I will be distributing the app myself (is there a more correct provisioning type?)
Under Entitlements I chose "Custom Network Protocol", which sounds like an accurate description of my application.
I have imported the provisioning profile into Xcode and chose it under Signing (Debug) and Signing (Release) of my project's target, it automatically populated Team (the parent organization) and the above certificate.
I changed the scheme in the project to "Release" and built it for "Running", I get a keychain access prompt during build, and signing step completes successfully
codesign -vvv -d xyz.app returns the registered bundle, certificate, team, etc, all matching the above choices.
I placed the produced .app into a .dmg image and emailed it to myself
I downloaded the .dmg on another Mac and mounted it
I tried running the .app but got the following Gatekeeper message:
"XYZ" can't be opened because it is from an unindentified developer.
Your security preferences allow installation of only apps from the App Store and identified developers.
How do I get around this so a downloaded application will have an "Open" button in the Gatekeeper prompt by default. Some applications, GIMP for example, are correctly identified, even though they did not originate from the App Store.
What do I need to to resolve this?
I kept digging at it and I found my answer:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc
The type if certificate I needed was Developer ID and the type of provision Developer ID Application, which is what is intended for self-distribution of a signed Mac application.
After that it needs to be submitted to Apple for notarization to satisfy the requirement for 10.14.5+. After notarization had completed I was able to send the exported app to myself and it offered me an "Open" option for the app downloaded from Internet. This is the desired behavior.
It required me to request the account holder to issue me the Developer ID certificate by sending them a CSR, as Developer ID certificate option is greyed out for delegated users that are not the original developer account holder (admin role may satisfy, but I am not one so can't say).
Yay.
Related
System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an IOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked to what kind of Certificate to Create.
You need to select Apple Development to develop an app on your mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kind of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In XCode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signings.
Also in XCode, you go to XCode/Preferences/Accounts. You should selected the Apple ID on the left which is the same as you log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2 If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or that you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.
I try to use manual signing in macOS using provisioning profile. But everytime I try to run it will crash with error
EXC_CRASH (Code Signature Invalid)
If I try to use automatically manage signing or manually manage signing but without provisioning profile it works fine. What is wrong with my provisioning profile? I need to use manual manage signing because my app actually is Xamarin.mac which is not possible in VS for Mac to sign automatically or sign manually without provisioning profile. I am not using weird entitlement. I only need app sandbox to release app store so in my provisioning profile I don't add any capabilities
If your signature is invalid it is likely that you haven't created the correct type of certificate. There are several certificate types that can be instanced and your app will not build correctly if you have created the wrong certificate type.
Common certificate types include:
iOS development
iOS distribution
Mac app development
Mac app distribution
Mac installer distribution
Developer ID application
Developer ID installer
For more information about manually creating your certificate, see my answer to this question: macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage
Also note that during development you would use an iOS development certificate, but for uploading to the App Store via iTunes connect, you will need an iOS distribution certificate and it needs to be enabled on an Apple ID that has paid for iOS distribution. For more information on enrollment to the Apple developer program, which will enable you with privileges to get a valid distribution certificate see here: https://developer.apple.com/support/enrollment/
If you are sure that it is not a problem with the certificate itself, do note that there other parameters involved when creating a provisioning profile manually - it's not just a certificate + private key. This is a profile that needs to be created in the Apple developer portal, but as long as you have a valid Apple ID to use for creating the provisioning profile it shouldn't be difficult. There are detailed instructions here: https://learn.microsoft.com/en-us/xamarin/ios/get-started/installation/device-provisioning/manual-provisioning but allow me to paraphrase:
1) Go to the Apple Developers Member Center (https://developer.apple.com/membercenter/index.action), and under the section Certificates, Identifiers & Profiles select "Provisioning Profiles".
2) Click the + button, in the top right corner to create a new profile.
3) From the Development section, select the radio button next to iOS App Development, and press Continue:
4) From the dropdown menu, select the App ID that to use
5) Select the Certificate(s) to include in the provisioning profile, and press Continue
6) Select all the devices that the app will be installed on, this will be all the devices and computers that belong to your Apple ID that will get a distribution certificate installed on it.
7) Provide the Provisioning Profile with an identifiable a name, and press Continue to create the profile
8) Press "Download" to download the provisioning profile onto a Mac
9) Double-click on the file to install the provisioning profile in Xcode. Note that Xcode might not show any visual clues that it has installed the profile except for opening. This can be verified by browsing to Xcode > Preferences > Accounts. Select your Apple ID and click "View Details..." Your new provisioning profile should be listed, as illustrated below:
After the provisioning profile has been successfully created it may be necessary to restart Xcode so that all the development certificates are correctly loaded and available for use.
Checklist:
Is my code signing certificate the correct type
Was my provisioning profile properly registered in the Apple Developer portal (https://developer.apple.com) for the Apple ID that is used on the machine building the app
Is my Apple ID correctly enrolled in the Apple Developer program with no outstanding fees to be paid, or licenses like EULA to accept.
Have I downloaded my provisioning profile from my Apple Developer portal and correctly installed it on my machine that is trying to build / release the app.
NOTE:
In order to distribute apps to the app store there is no choice but to create and pay for the provisioning profile within the developer portal, and install it on your machine by downloading it from Apple.
Best of luck!
I want to distribute my mac application outside the App Store (as file downloadable from our servers), but every attempt to export archive from Xcode with option "Export a Developer ID-signed Application" ends with a "Permission failure":
Your account does not have permission to create Mac App Direct
Distribution certificates
I've downloaded and added all certificates to my keychain (system).
I'm using an Organization Apple Developer account, so is it possible to use this type of account to sign applications outside the App Store or must I have an Enterprise Program Account to do it? Or is there other problem?
I consulted this problem with Apple and their answer is:
You certainly don’t need an Enterprise account to distribute Developer
ID signed apps. One gotcha here is that you must be the Team Agent in
order to issue Developer ID certificates. Please double check that.
Problem was, that I have Admin role in our team, but only user with Team Agent role has permission to generate certificates for distribution of app outside the App Store (Developer-ID signed apps). So, I generated a Certificate Signing Request and sent it to our Team Agent, then he creeated and sent a certificate for me and now I can sign apps.
This seems to be a bug or poorly described feature in iTunes Connect & the Apple Developer portal.
I had a developer that joined my team, initially as a "member", but wasn't able to create certificates, even after giving him admin access. It turns out, that I believe we were only giving him admin access to Itunes connect, but not to the developer page.
The correct fix was to go to the developer portal, click the "People" tab (or go to this URL https://developer.apple.com/account/#/people/), remove his access, then use the Invite as Admins to add him to the account. He then had to go into Xcode and remove his developer account information, add it back in, and then he was finally able to upload builds to Testflight without this error.
In my case, I signed the app with another team. Change the team and re-achieve the app solves the issue.
I am trying to submit my mac app to mac app store. Bust I'm unable to code sign the build properly.
I have create a distribution certificate in Develop Certificate utility and also I have created a production profile.
I have imported the certificate in my keychain properly with the private key. Also The provision profile is imported successfully in Organizer -> Window.
But When I Archive the project, and validate the iPA to mac app store, I'm getting the error:
**** "Profile" is a valid identity. However, the private key for the associated package identity "Profile" is not installed on this Mac
Some more details about project:
I'm using an external framework and open source project in my project named XMLRPC.
I have set "Skip Install" property of the project to YES.
This is not code sign.
Can you please let me know what is going wrong?
You are missing the installer certificate. You need both the distribution certificate to sign your app and the installer certificate to sign the package installer on submitting to the Mac App Store. Xcode finds the key automatically based on the name of code signing identity, the name is the same but with "Installer" append.
To fix the issue log into the Certificate section of Apple developer. Request a new certificate via the plus button and choose the Mac App Store installer type. Follow the steps to submit a CSR request and then simply download the certificate and drag it over to your keychain.
I got the same warning even though I had the right profiles and code signing identities.
“Profile” is a valid identity. However, you do not have the associated package identity.
I refreshed my code signing identities in Xcode and relaunched Xcode. The warning disappeared afterwards.
I'm using Xcode 4 and am trying to sign my first Mac OS X application. When I go to Project -> Build Settings -> Code Signing Identity, it will list "Don't Sign", "Automatic Profile Selector", and "Other". Under "Automatic Profile Selector" it lists "3rd Party Mac Developer Application". When I build it fails and says `Code Sign error:
The identity '3rd Party Mac Developer Application' doesn't match any
valid certificate/private key pair in the default keychain
Earlier, in Organizer -> Provisiong Profiles, I did a refresh. It setup two certificates in Device -> Developer Profile. Nothing appears in Provisioning Profiles. The two certificates it shows in Developer Profile exist in my keychain as valid. I see no expired certificates even when I "show expired".
The certificates it has in Developer Profile match what's in the keychain:
3rd Party Mac Developer Installer: MyCompany, LLC
Mac Developer: My Name (SOMECODE)
I don't see these in the Code Signing Identity list, though. I even tried entering in the first one in Other, but it said it could not find it.
I have no need for entitlements, so I don't have a profile setup. And I am the company admin.
What am I doing wrong?
Ok, this turned out to be a lot simpler than I had imagined.
After I refresh and download the certs:
1) Click on My Mac under devices. And click "Add to Portal". This will download the Mac Team Provisioning Wildcard Profile
2) Create an App ID for my app (necessary for sandboxing/entitlements), through the website
3) Add a new Developer Provisioning Profile for this App ID, through the website
4) Go to Organizer and refresh.
Everything appears now.
But, I realize that for a Mac App w/ no sandboxing/entitlements, I really didn't need to do this. I could have got away with just creating the Production Provisioning Profile, since it does not require a registered device.