Adding Mac App Distribution Certificates - macos

I'm trying to add Distribution Certificates for my Mac App (for distribution outside the Mac App Store).
However I stumbled upon this:
I am unable to select the Developer ID option. It is disabled. I have revoked all my Certificates in the Production Panel as well as in the Development Panel but still with no luck.
Any help would be very much appreciated.

It might be because you need to set in Xcode that you intend to distribute your application outside of the Mac App Store and then request Developer ID certificates.
Go to the Xcode project settings and under Signing, select Developer ID as the signing identity. After that Xcode will help you create a Developer ID Certificate.
Refer to the doc for more details:
App Distribution Guide - Apple

Related

How do I resolve problems with my Signing Certificates in Xcode

System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an iOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1: The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked what kind of Certificate to create.
You need to select Apple Development to develop an app on your Mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary.
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kinds of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In Xcode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signing.
Also in Xcode, you go to Xcode/Preferences/Accounts. You should select the Apple ID on the left which is the same as you log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2: If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or that you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3: Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

How to properly sign a Mac application for self-distribution?

I created a Mac file upload client application that implements a high-performance reliable data transfer over UDP protocol, based on the UDT library.
My setup:
MacOS Mojave
Xcode 10.3
Deployment Target: 10.10 (minimum for storyboard-based forms)
Now I'm trying to figure out how to sign it properly so end users can run it without doing a Gatekeeper override.
Here's where I'm at:
I have a paid Apple Developer account, delegated to me from an organization paid Developer account
I have roles assigned to me allowing me to manage apps, certificates, provisioning, etc.
I am signed into this account under Xcode accounts under Preferences.
I have created a bundle registration under the account, copied exactly from Xcode
I have created a Mac Distribution certificate, starting with a CSR from my development machine.
I have downloaded and imported the certificate into my machine's keychain (listed as "3rd Party Mac Developer Application:...")
I have created a provisioning profile for this app, with above certificate assigned, the profile type is App Store, but I will be distributing the app myself (is there a more correct provisioning type?)
Under Entitlements I chose "Custom Network Protocol", which sounds like an accurate description of my application.
I have imported the provisioning profile into Xcode and chose it under Signing (Debug) and Signing (Release) of my project's target, it automatically populated Team (the parent organization) and the above certificate.
I changed the scheme in the project to "Release" and built it for "Running", I get a keychain access prompt during build, and signing step completes successfully
codesign -vvv -d xyz.app returns the registered bundle, certificate, team, etc, all matching the above choices.
I placed the produced .app into a .dmg image and emailed it to myself
I downloaded the .dmg on another Mac and mounted it
I tried running the .app but got the following Gatekeeper message:
"XYZ" can't be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the App Store and identified developers.
How do I get around this so a downloaded application will have an "Open" button in the Gatekeeper prompt by default? Some applications, GIMP for example, are correctly identified, even though they did not originate from the App Store.
What do I need to do to resolve this?
I kept digging at it and I found my answer:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc
The type of certificate I needed was Developer ID and the type of provision Developer ID Application, which is what is intended for self-distribution of a signed Mac application.
After that it needs to be submitted to Apple for notarization to satisfy the requirement for 10.14.5+. After notarization had completed I was able to send the exported app to myself and it offered me an "Open" option for the app downloaded from Internet. This is the desired behavior.
It required me to request the account holder to issue me the Developer ID certificate by sending them a CSR, as Developer ID certificate option is greyed out for delegated users that are not the original developer account holder (admin role may satisfy, but I am not one so can't say).
Yay.
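A pre-release check for the mismatch described in this question and answer, as an added example that is not part of the original posts: it reads `codesign -dvv` output and reports whether the signing identity is a Developer ID one rather than the "3rd Party Mac Developer Application" certificate the question started with. The function name, sample outputs, team name and team ID are constructed; the hardened-runtime and secure-timestamp checks go beyond the answer and reflect Apple's notarization prerequisites.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Reads `codesign -dvv` output on
# stdin and reports whether the signature suits distribution outside the store.
# On a Mac:  codesign -dvv XYZ.app 2>&1 | check_signature

check_signature() {
  local leaf="" runtime=no timestamp=no line
  while IFS= read -r line; do
    case "$line" in
      Authority=*)       # the first Authority line is the leaf (signing) cert
        if [ -z "$leaf" ]; then leaf="${line#Authority=}"; fi ;;
      CodeDirectory*flags=*runtime*) runtime=yes ;;   # hardened runtime set
      Timestamp=*) timestamp=yes ;;   # secure timestamp ("Signed Time=" is not)
    esac
  done
  case "$leaf" in
    "Developer ID Application:"*) ;;  # correct type, keep checking
    "3rd Party Mac Developer Application:"*|"Apple Distribution:"*)
      echo "FAIL store-cert: '$leaf' is for App Store submission only"; return 1 ;;
    "Mac Developer:"*|"Apple Development:"*)
      echo "FAIL dev-cert: '$leaf' is a development identity"; return 1 ;;
    "") echo "FAIL unsigned: no Authority line (ad hoc or unsigned)"; return 1 ;;
    *)  echo "FAIL unknown-cert: '$leaf'"; return 1 ;;
  esac
  if [ "$runtime" = no ]; then
    echo "FAIL no-hardened-runtime: notarization requires the runtime flag"; return 1
  fi
  if [ "$timestamp" = no ]; then
    echo "FAIL no-timestamp: notarization requires a secure timestamp"; return 1
  fi
  echo "OK developer-id: ready to submit for notarization"
}

# Constructed sample inputs (team name and ID are placeholders).
SAMPLE_STORE='Identifier=com.example.xyz
CodeDirectory v=20200 size=1024 flags=0x0(none) hashes=24+5 location=embedded
Authority=3rd Party Mac Developer Application: Example Org (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=1 Jan 2020 at 10:00:00
TeamIdentifier=ABCDE12345'

SAMPLE_DEVID='Identifier=com.example.xyz
CodeDirectory v=20500 size=1024 flags=0x10000(runtime) hashes=24+5 location=embedded
Authority=Developer ID Application: Example Org (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=1 Jan 2020 at 10:00:00
TeamIdentifier=ABCDE12345'

printf '%s\n' "$SAMPLE_STORE" | check_signature || true
printf '%s\n' "$SAMPLE_DEVID" | check_signature
```

An "OK" here only means the signature is the right kind to submit; whether Gatekeeper accepts the app on another Mac still depends on notarization completing.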

macOS App manually signing with provisioning profile for App Store got error Code signature invalid

I try to use manual signing in macOS using a provisioning profile. But every time I try to run it, it will crash with the error
EXC_CRASH (Code Signature Invalid)
If I try to use automatically manage signing or manually manage signing but without provisioning profile it works fine. What is wrong with my provisioning profile? I need to use manual manage signing because my app actually is Xamarin.mac which is not possible in VS for Mac to sign automatically or sign manually without provisioning profile. I am not using weird entitlement. I only need app sandbox to release app store so in my provisioning profile I don't add any capabilities
If your signature is invalid it is likely that you haven't created the correct type of certificate. There are several certificate types that can be instanced and your app will not build correctly if you have created the wrong certificate type.
Common certificate types include:
iOS development
iOS distribution
Mac app development
Mac app distribution
Mac installer distribution
Developer ID application
Developer ID installer
For more information about manually creating your certificate, see my answer to this question: macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage
Also note that during development you would use an iOS development certificate, but for uploading to the App Store via iTunes connect, you will need an iOS distribution certificate and it needs to be enabled on an Apple ID that has paid for iOS distribution. For more information on enrollment to the Apple developer program, which will enable you with privileges to get a valid distribution certificate see here: https://developer.apple.com/support/enrollment/
If you are sure that it is not a problem with the certificate itself, do note that there are other parameters involved when creating a provisioning profile manually - it's not just a certificate + private key. This is a profile that needs to be created in the Apple developer portal, but as long as you have a valid Apple ID to use for creating the provisioning profile it shouldn't be difficult. There are detailed instructions here: https://learn.microsoft.com/en-us/xamarin/ios/get-started/installation/device-provisioning/manual-provisioning but allow me to paraphrase:
1) Go to the Apple Developers Member Center (https://developer.apple.com/membercenter/index.action), and under the section Certificates, Identifiers & Profiles select "Provisioning Profiles".
2) Click the + button, in the top right corner to create a new profile.
3) From the Development section, select the radio button next to iOS App Development, and press Continue:
4) From the dropdown menu, select the App ID to use
5) Select the Certificate(s) to include in the provisioning profile, and press Continue
6) Select all the devices that the app will be installed on, this will be all the devices and computers that belong to your Apple ID that will get a distribution certificate installed on it.
7) Provide the Provisioning Profile with an identifiable name, and press Continue to create the profile
8) Press "Download" to download the provisioning profile onto a Mac
9) Double-click on the file to install the provisioning profile in Xcode. Note that Xcode might not show any visual clues that it has installed the profile except for opening. This can be verified by browsing to Xcode > Preferences > Accounts. Select your Apple ID and click "View Details..." Your new provisioning profile should be listed, as illustrated below:
After the provisioning profile has been successfully created it may be necessary to restart Xcode so that all the development certificates are correctly loaded and available for use.
Checklist:
Is my code signing certificate the correct type?
Was my provisioning profile properly registered in the Apple Developer portal (https://developer.apple.com) for the Apple ID that is used on the machine building the app?
Is my Apple ID correctly enrolled in the Apple Developer program with no outstanding fees to be paid, or licenses like EULA to accept?
Have I downloaded my provisioning profile from my Apple Developer portal and correctly installed it on my machine that is trying to build / release the app?
NOTE:
In order to distribute apps to the app store there is no choice but to create and pay for the provisioning profile within the developer portal, and install it on your machine by downloading it from Apple.
Best of luck!

Missing Developer ID Application signing identity for (null)

While trying to export a Developer ID Signed Mac application with Xcode I run into this error: "Missing Developer ID Application signing identity for (null)" How do I resolve this?
I struggled with this issue for a while so wanted to post what I found in case others run into a similar issue. I ran into the above issue after revoking my certificate while trying to export my build from a friend's machine. I found the best support by going step by step through this link:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html
I would recommend following the steps in this link for anyone uploading a build to the Mac app store or exporting a Developer ID Signed Mac application.
There is a certificate called "Developer ID Certification Authority", this seems to be the one I was missing, and which caused the most trouble.
Another interesting thing to note is that the 10 digit letter/number ID for your Team/Distribution profile will be different than the ID for your developer profile. This should not throw you off, these two profiles work together.
Another good thing to know is that at the top of developer.apple.com there is a non-obvious drop down menu that lets you switch between iOS, tvOS, watchOS profiles and MacOS X profiles.
Another non-obvious UX issue when dealing with certificates is the system tab within Keychain Access. If you read that you should delete or change a property both within Login and within system, when they write system, they are referring to the system tab, which can be accessed within Key Chain access and can be seen at the bottom of this image:
This link is also helpful for certificate troubleshooting:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Troubleshooting/Troubleshooting.html#//apple_ref/doc/uid/TP40012582-CH5-SW11
But mainly just go through the steps in the first link given for exporting a Mac App with Developer ID Signing.

IOS Submission No Certificate Found

I was working on my app and had all the profiles created. The build was working perfectly, but my mac had crashed. I just got a new one, so I lost what was in keychain access. I downloaded the profiles and certificates from developer.apple.com.
When I open the project in Xcode, I can select the correct profile but it cannot find the certificates (no signing certificate "ios distribution" found).
Any way to fix this? I can't figure it out.
You need to create a new distribution certificate. It can be done in Xcode with:
Select Preferences… in the application menu
Select the Accounts tab
Select your AppleID
Select the team
Press the View Details… button
In the list of identities next to iOS Distribution, press the Create button
Alternatively it can be done by following a guide in the Apple developer member center.
The iOS distribution certificate is used for Ad Hoc distribution, Enterprise distribution and submitting the app to the App Store. It is not used when end users download the app from the App Store.
