How to code sign in Xcode for a development team?

When developing a macOS application we usually sign the final product in the company's release process. However, as Xcode presses for code signing with every upgrade, I want to enable code signing in the normal development process as well. However, the developers in my team have no access to the code signing certificate used to sign the app during release.
So I enabled automatic code signing using a personal team with my Apple ID, which works fine. However, how do I share that with my teammates, one of whom doesn't even have an Apple ID? They cannot use my private account for that.
By accident I found that specifying "-" for the CODE_SIGN_IDENTITY setting in the .pbxproj file uses ad hoc signing. However, that is not available in the Signing Certificate drop-down in Xcode and must be added manually by editing that file. Therefore it seems a bit like a hack to me. Any better alternative?

Are you all part of a company development team? If not, then find out who the team agent or administrators are and ask one of them to add you. You or one of the admins should be able to create a development certificate that you can use to sign development versions of the app. Only the released version needs to be signed with the release certificate.

Step-by-step recipe for signing Mac installers (.dmg)

Apple wants apps to be signed. With newer macOS versions, unsigned apps look less and less welcome.
As a cross-platform developer with almost no knowledge of Apple specifics, I have to learn how to sign Apple apps. A step-by-step recipe would be helpful.
So far I understood all the following is necessary:
Register for an Apple ID [1].
Agree with endless pages of legalese.
Apply for an Apple developer account [2].
Choose among several categories (individual, nonprofit, government, ...).
Accept further pages of legalese.
Agree with unspecified membership fees that are waived for open-source projects.
Wait for unspecified time until you will or will not be admitted by Apple.
Create a certificate from Xcode.
Open or create an arbitrary project to get to the main menu.
In the main menu (Xcode) > Preferences > Accounts > Manage Certificates > "+" (bottom left) to create certificate.
In the main menu (Xcode) > Preferences > Accounts > Download Manual Profiles. Seems to create a file with extension .developerprofile.
From here, an unknown number of steps is missing....
Maybe the last step involves the command codesign [3],
codesign -s <identity> --keychain <full-path-to-keychain> <path-to-disk-image>
What is <identity>?
What is the keychain file?
Who can confirm or correct the above, and supply the missing steps?
Note that the build process shall ultimately be run from CMake. Therefore command-line tools are preferred over GUI actions.
[1] https://appleid.apple.com/account
[2] https://developer.apple.com/
[3] https://stackoverflow.com/a/37923530/1017348
You can build and sign to completion using Xcode, or you can build and then sign and notarise the binaries using codesign, altool, and stapler tools.
Xcode attempts to handle the complexity for you, at the cost of your not needing to understand or know about the individual steps involved. .developerprofile files are part of Xcode and Xcode is not essential to preparing a binary for distribution.
See Apple's Xcode Guide - Distribute your app and Distribute outside the Mac App Store (macOS).
Apple have also published the following guides on code signing and notarizing:
Code Signing Guide
Notarizing macOS Software Before Distribution
Identity
What is <identity>?
The identity is the common name field of the digital certificate being used to sign the binary. The digital certificate is an X.509 certificate issued by Apple. You can obtain certificates for submission to the Apple app stores, and for distribution outside of their stores, through the Apple developer web site.
See Apple Developer - Certificates
Apple Developer Program membership is required to request, download, and use signing certificates issued by Apple. For developers who are part of a team enrolled as an organization, you must also be the account holder or an admin to request distribution certificates used for submitting apps to the App Store.
Keychain
What is the keychain file?
Keychain files are managed through the Keychain Access application on macOS, see Applications/Utilities/Keychain Access. By default, the user's keychain files are stored in ~/Library/Keychains.
The keychain file is where macOS stores secure user information, such as credentials and certificate keys. The keychain file needs to be specified for the codesign tool to locate the private key associated with the signing certificate.
See Apple Developer - Keychain Services:
Securely store small chunks of data on behalf of the user.
Computer users often have small secrets that they need to store securely. For example, most people manage numerous online accounts. Remembering a complex, unique password for each is impossible, but writing them down is both insecure and tedious. Users typically respond to this situation by recycling simple passwords across many accounts, which is also insecure.
The keychain services API helps you solve this problem by giving your app a mechanism to store small bits of user data in an encrypted database called a keychain. When you securely remember the password for them, you free the user to choose a complicated one.
Support from Apple
If the documentation linked above does not help, please contact Apple. The process you are facing is demanded by Apple, and Apple should bear the support burden it creates.
As a registered Apple Developer, you have access to Technical Support Incidents:
Requesting Technical Support
A Technical Support Incident (TSI) is a request for code-level support for Apple frameworks, APIs, and tools, and is available to members of the Apple Developer Program and Apple Developer Enterprise Program.
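The command-line form of the signing step described above, as an added example that is not part of the original answer. It addresses the two questions asked (what the identity is and why the keychain matters) in the way a CMake post-build rule would call it: the identity is selected by its SHA-1 hash rather than its common name, which stays unambiguous even when an expired certificate with the same name is still in the keychain, and the result is verified the way Gatekeeper will check it. The `security find-identity` output embedded below is a constructed sample; IDENTITY_NAME, KEYCHAIN and APP_PATH are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer: select a code signing
# identity by hash, sign an .app bundle with the key from a given keychain,
# then verify. IDENTITY_NAME, KEYCHAIN and APP_PATH are assumed values.
set -e

IDENTITY_NAME=${IDENTITY_NAME:-"Developer ID Application: Example Corp (ABCDE12345)"}
KEYCHAIN=${KEYCHAIN:-"$HOME/Library/Keychains/login.keychain-db"}
APP_PATH=${APP_PATH:-"build/Example.app"}

# Constructed sample of `security find-identity -p codesigning` output
# (without -v, so invalid identities are listed too, annotated with the
# reason). Entries 1 and 2 share a common name: signing with the name alone
# is ambiguous, signing with the 40-hex-digit hash is not.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Corp (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Development: dev@example.com (XYZ9876543)"
     3 identities found'

pick_identity() {
    # $1: common name to match; stdin: find-identity output.
    # Keep lines for that exact name, drop ones flagged with an error code
    # (expired, revoked, ...), and extract the hash. Exactly one valid match
    # is required; zero or several is an error the caller must not ignore.
    hashes=$(grep -F "\"$1\"" | grep -v 'CSSMERR_' \
        | sed -n 's/^ *[0-9]*) \([0-9A-F]\{40\}\) .*/\1/p')
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one valid identity named '$1', found $count" >&2
        return 1
    fi
    printf '%s\n' "$hashes"
}

sign_and_verify() {
    # $1: identity hash, $2: keychain file holding its private key, $3: .app.
    # --timestamp adds a trusted timestamp so the signature stays valid after
    # the certificate expires; --options runtime enables the hardened runtime
    # that notarization requires. A .dmg is signed the same way but without
    # --options runtime.
    codesign --force --timestamp --options runtime \
        --sign "$1" --keychain "$2" "$3"
    # Check the signature the way Gatekeeper does, not just that one exists.
    codesign --verify --strict --verbose=2 "$3"
    # On macOS 10.15 and later this is rejected for a Developer ID app that
    # has not been notarized yet; that is the expected result before that step.
    spctl --assess --type execute --verbose "$3"
}

# Only attempt real signing on macOS with a bundle present; the identity
# selection above is plain text processing and runs anywhere.
if [ "$(uname -s)" = Darwin ] && [ -e "$APP_PATH" ]; then
    HASH=$(security find-identity -p codesigning | pick_identity "$IDENTITY_NAME")
    sign_and_verify "$HASH" "$KEYCHAIN" "$APP_PATH"
fi
```

The keychain passed with `--keychain` must be unlocked (`security unlock-keychain`) on a build machine; on a CI host a dedicated keychain holding only the signing key is the least-privilege arrangement, so the login keychain's other secrets are never exposed to the build.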

Windows Code Signing Certificate Trust period

I have what appears to be a valid signed Electron Windows application. I am using Electron Builder to sign the app for Windows with the same Apple .p12 certificate that we use to sign the app for macOS. The Electron Builder website mentions the following:
Code Signing Certificate shows a warning during installation that goes
away once enough users installed your application and you’ve built up
trust.
https://www.electron.build/code-signing#where-to-buy-code-signing-certificate
How long does it take for this trust to build up?
Here is a screenshot showing the certificate details in Windows:
Windows SmartScreen lists the publisher for the app as "Unknown publisher". Is there something I am missing here?
Even though this sounds irresponsible, the answer is that you never know when your application will earn enough reputation to pass SmartScreen filtering. It's not a static or fixed time period.
https://www.ssl.com/faqs/which-code-signing-certificate-do-i-need-ev-ov/#smartscreen
Unfortunately, Microsoft does not publish guidelines on what constitutes enough downloads to eliminate SmartScreen warnings. Microsoft has also indicated in the past that signing code is a “best practice” that you “can follow to help establish and maintain reputation for your applications.”
Unless you use an EV cert, the only way to accelerate this is to publish your application and get meaningful numbers of user downloads and installs without malicious behavior.

Xcode: "Your account does not have permission to create iOS Distribution Certificates" as Team Member

Foreword: There are many similar SO questions regarding this error. I've visited dozens of them over the past days, but none seem to have a solution to my problem. They mostly are from developers with full admin rights, unlike myself. Most solutions are also hacks or unclear.
I am a member of a developer team at Apple's developer.apple.com site. I've been charged with uploading an iOS application I've developed to iTunesConnect, in order to be able to deploy it with TestFlight.
In order to successfully accomplish this, I asked for the following to be done.
That I be added as a member developer. See certificates here.
A matching App with the same bundle-ID be created for me on iTunesConnect.
A Distribution provisioning profile be added at developer.apple.com for my specific App.
Despite all of this, when I try to validate the app, I'm met with the following message.
It would appear from a manual signing attempt that because the provisioning profile was created by a team administrator, that I cannot sign it without their private key. Assuming this is correct, then how can any developer ever distribute apps if:
A distribution provisioning profile requires you be the creator in order to be validated.
Only a team admin can create a distribution provisioning profile.
This appears to be a paradox.
What can be done to resolve this conflict? I am only a member of this development team temporarily, and would like to formulate a clear solution to this problem so that I do not test their patience with repeated troubleshooting questions. To make it easier to answer this question, I've attached some extra images that might be useful.
My app's general panel in Xcode when using automatic signing. It shows I am signing on behalf of the team.
Solving this problem required two steps.
A certificate signing request (CSR) was created and sent to the developer who had created the distribution provisioning profile. You can create a CSR by going to: Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority. Once I received this CSR back from the developer, I double-clicked it to install it in my keychain. It then appeared like so:
Next, the developer had to add the certificate they sent me to the provisioning profile for the app on developer.apple.com. I then downloaded this provisioning profile again and selected it in within Xcode as seen below.
Once this is completed, you should be able to validate the application.
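The CSR step from the answer above done with openssl instead of Keychain Access, as an added example that is not part of the original answer. It also shows the check the whole answer hinges on: a certificate only works as a signing identity on the machine that holds the matching private key, so before importing what the admin sends back, confirm that its public key is the one derived from your own key. A throwaway CA stands in for Apple's CA so the check can be exercised offline, and a second key pair stands in for another developer's key; file names, subject fields and the stand-in CA are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer: generate a CSR with
# openssl and verify that an issued certificate matches the local private
# key. The stand-in CA, names and subject fields are assumed values.
set -e
WORK=$(mktemp -d)

make_csr() {
    # $1: basename. Writes $1.key (private key, never leaves this machine)
    # and $1.csr (what gets uploaded or sent to the team admin). Apple's
    # portal expects an RSA 2048-bit request.
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    chmod 600 "$1.key"
    openssl req -new -key "$1.key" -out "$1.csr" \
        -subj "/emailAddress=dev@example.com/CN=Example Dev/C=US" 2>/dev/null
    # The request is self-signed with the new key; verify it before sending.
    openssl req -in "$1.csr" -noout -verify >/dev/null 2>&1
}

make_stand_in_ca() {
    # $1: basename. A throwaway CA that plays Apple's role offline.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.crt" \
        -subj "/CN=Stand-in CA (not Apple)" 2>/dev/null
}

issue_cert() {
    # $1: CSR, $2: CA basename, $3: output certificate. The issuer signs with
    # its own key; the requester's private key is not needed for this step,
    # which is why an admin can never hand you a usable private key.
    openssl x509 -req -in "$1" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -out "$3" 2>/dev/null
}

cert_matches_key() {
    # $1: certificate (PEM), $2: private key (PEM). Compare the public key
    # embedded in the certificate with the one derived from the private key.
    # A mismatch is the "valid identity, but no private key" state.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

demo() {
    cd "$WORK"
    make_csr dev
    make_stand_in_ca ca
    issue_cert dev.csr ca dev.crt
    # Issued for our request, so it must match our key...
    cert_matches_key dev.crt dev.key || return 1
    # ...but not another developer's key, even though the subject is equal.
    make_csr other
    if cert_matches_key dev.crt other.key; then return 1; fi
    return 0
}
```

On macOS the returned certificate is imported with `security import cert.cer -k ~/Library/Keychains/login.keychain-db`; the same public-key comparison can be run against the .cer first, converting it with `openssl x509 -inform DER` if the portal delivered it in DER form.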
I got this error when my ExportOptions.plist file had the wrong value for the method. I had "enterprise" rather than "ad-hoc". (This is the file passed to xcodebuild via the -exportOptionsPlist option.)
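An ExportOptions.plist of the kind the comment above refers to, as an added example that is not from the original thread. The method must match the type of provisioning profile being exported against; the team ID, bundle identifier and profile name are assumed values, and the full list of keys is printed by `xcodebuild -help`.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <!-- "enterprise" was the commenter's wrong value; "ad-hoc" matches a
         registered-devices distribution profile. Other values: app-store,
         development, developer-id, mac-application. -->
    <key>method</key>
    <string>ad-hoc</string>
    <!-- Assumed team ID; must be the team that owns the profile. -->
    <key>teamID</key>
    <string>ABCDE12345</string>
    <!-- Manual signing pins the exact profile instead of letting Xcode
         try to create certificates, which a plain member cannot do. -->
    <key>signingStyle</key>
    <string>manual</string>
    <key>signingCertificate</key>
    <string>Apple Distribution</string>
    <key>provisioningProfiles</key>
    <dict>
        <!-- Assumed bundle identifier and profile name. -->
        <key>com.example.myapp</key>
        <string>Example Ad Hoc Profile</string>
    </dict>
</dict>
</plist>
```

It is consumed with `xcodebuild -exportArchive -archivePath MyApp.xcarchive -exportOptionsPlist ExportOptions.plist -exportPath out/`.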

Enterprise account expired - all certificates deleted

I have a client who forgot to pay for their enterprise account and therefore their apps stopped working, as expected.
However, one would think that it should be sufficient to just start paying again to be able to use the apps as before. But as it seems, all certificates in the apple developer portal are now deleted?!
Is this expected behaviour or will they show up after some time again?
As it is now, we will have to rebuild all apps again with new distribution certificates. Is this the solution?
Short answer to your question:
I wouldn't expect the certs to automatically reappear. I recommend opening a support incident with Apple. Since the account was recently renewed, you should have two incidents available.
There's this section of the App Distribution Guide which talks about re-creating deleted certificates but I'm guessing it's more geared toward iTunes distributed apps and circumstances where certificates (private keys) are deleted but not revoked at Apple's CA.
Instead of recompiling your apps, you might be able to instead push out updated Provisioning Profiles and Certs. See below for more details.
Additional info:
It makes sense that Apple would revoke Enterprise certs upon membership expiration since that's the only way they could force apps to stop working. Since Enterprise apps stop working when either the Provisioning Profile or the Certificate expire, Apple can't push out an expired Provisioning Profile, and there's no in-app check for a Profile either (which is why if you delete your Profile in the developer portal, it won't affect any already downloaded/installed apps), which leaves the only other option: revoke the certs. The affected apps stop working once they sync with Apple's CA. Devices without connectivity will continue working until the Profile expires.
It may be possible to remove your certs from the Certificate Revocation List (CRL) but Apple support would be your only likely resource to help with this.
If you're out of options for re-enabling your old certs, you can update the Provisioning Profiles (and I think Certs) and push that out without recompiling all your apps. Also, if you use wildcard App IDs, an update to one app Provisioning Profile will apply to all installed apps that share that App ID.
If your users' devices are managed via MDM, it's possible to push updated provisioning profiles via MDM, and according to this post, via Device Enrollment Program (DEP). I thought I read a while back that you could also update provisioning profiles from a desktop/laptop to a connected device using iTunes - not sure where that is now. I don't know if it's possible to direct users to a link to update the Profile OTA like they would install an app.
I hope this helps in some way. Please let us know what happens - I fear the same could happen to me, whether a cert is deleted by Apple or a haphazard developer.

Can't validate and submit an App to the Mac App Store

I've done codesigning and submitting for iOS apps countless times. This time it struck me with the Mac App Store. I'm repeatedly getting the same error message:
"My Name" is a valid identity. However,
you do not have the associated package identity.
I've found these 2 topics here on Stack Overflow:
mas-code-signing-identity-private-key and mac-app-package-identity-not-installed
Nothing inside there solved the problem for me.
That's how I (most reliably) reproduce this message:
I clean up all my certificates and private keys starting with "Mac Developer" or "3rd Party Mac Developer". Of course also the expired ones.
Revoking all the stuff inside the Mac certification portal.
Create App-ID (did it only once)
Create new certificate for Mac Development. I can only assume that this is comparable to the debugging certificates for iOS development.
Create new certificate for Mac App. Once again I can only assume that this could be something similar to a distribution certificate in iOS-development.
For completion reasons create a new certificate/profile for my system.
Create a production provisioning profile. I can only assume that this might be equivalent to an iOS distribution profile.
I then download all the certificate mess and install it properly. Some go into the Keychain, others go into the Preferences and Xcode.
To make sure, I restart Xcode or even the whole Mac (doesn't change the frustrating outcome anyway).
I go to the project build settings and select the production provisioning profile, because I assume "production" is equivalent to "distribution". Changing the codesigning identity in the target build settings doesn't work either. While Apple claims in its documentation that for App Store submission the signing identity has to be changed in the project build settings.
I run an archive build.
I select the archive in the organizer and click validate.
This error message appears:
"My Name" is a valid identity. However,
you do not have the associated package identity.
I can't find any pointer to what the term "package identity" actually means. What is most frustrating to me is that this terminology mess in Apple's documentation concerning the code signing and submission process appears not very clear and precise to me. At least not as clear and precise as the documentation for the same process concerning iOS App submission (which is using completely different terminology).
Probably I understood something wrong? Thanks for any help or pointer in advance.
OK, I have some important pointers (additional to Apple's documentation) for people stumbling over similar issues.
The error message is totally misleading.
Don't take every word in Apple's documentation too seriously.
For solving the issue, 2 points have been most significant:
Additional to all the other profile-mess you need 2 certificates for submission to the Mac App Store (contrary to the same process for iOS App Store submission). Both have to be installed together with their corresponding public and private key pairs.
Mac App
Mac Installer
The codesigning needs to be set on the build target, not the project. I don't remember where, but this was described the wrong way around in one of Apple's documents.
Eventually my submission worked by keeping to those 2 points.
There is an additional issue with Keychain & Xcode.
When Xcode uses a certificate, they want one and only one certificate in your keychain. If you have an expired one, as well as a valid one, Xcode often fails the operation.
So you look at your keychain using Keychain Access, and do not see an expired certificate. It is still there! The default setting for Keychain Access hides expired certificates. Goto the View menu and select Show Expired Certificates. Delete all the expired ones, they are not good for anything.
Quit Keychain Access and relaunch Xcode. Xcode often requires a relaunch when adding/deleting certificates.
At that point, the Archive Validate process worked for me.
This is what it was for me as well.
Just want to clarify, you absolutely need both Mac App Distribution and Mac Installer Distribution certificates. Thanks Jacque for your explanation above. It should look like this:
Yes the problem is Mac Installer Distribution certificate.
The easiest way to have everything fixed and lose all the troubles: just go to Xcode->Window->Organizer->Devices and then in the lower right corner press Refresh and log in with your account... Xcode will generate and download all the certificates and provisioning profiles needed.
