How can I test app sandboxing without a Mac Developer Program account - macos

I can develop for iOS using the Simulator without an iOS Developer Program account (I just can't run on a device.) Is there an equivalent way of working for Mac Developer Program stuff? I want to test some of my utility apps for sandboxing compatibility (and therefore App Store distribution) prior to signing up for a paid account. If my apps don't work or aren't at least easily fixable, it's not worth the $99.
Are there project settings I can enable which enforce sandboxing? I expect that code signing will not work.

Take a look at the App Sandbox Design Guide, which has sections about creating code signing certificates for testing your apps. You can do it entirely in Keychain Access without requiring a paid Apple ID.

You can create a self-signed certificate for code signing:
Open Keychain Access.
Choose Keychain Access > Certificate Assistant > Create Certificate ...
Enter a name
Set 'Certificate Type' to 'Code Signing'
Then, in Xcode > Target > Build Settings > Code Signing, you should see your new certificate show up in the drop down next to Code Signing Identity.

Related

How to properly sign a Mac application for self-distribution?

I created a Mac file upload client application that implements a high-performance reliable data transfer over UDP protocol, based on the UDT library.
My setup:
MacOS Mojave
Xcode 10.3
Deployment Target: 10.10 (minimum for storyboard-based forms)
Now I'm trying to figure out how to sign it properly so end users can run it without doing a Gatekeeper override.
Here's where I'm at:
I have a paid Apple Developer account, delegated to me from an organization paid Developer account
I have roles assigned to me allowing me to manage apps, certificates, provisioning, etc.
I am signed into this account under Xcode accounts under Preferences.
I have created a bundle registration under the account, copied exactly from Xcode
I have created a Mac Distribution certificate, starting with a CSR from my development machine.
I have downloaded and imported the certificate into my machine's keychain (listed as "3rd Party Mac Developer Application:...")
I have created a provisioning profile for this app, with above certificate assigned, the profile type is App Store, but I will be distributing the app myself (is there a more correct provisioning type?)
Under Entitlements I chose "Custom Network Protocol", which sounds like an accurate description of my application.
I have imported the provisioning profile into Xcode and chose it under Signing (Debug) and Signing (Release) of my project's target, it automatically populated Team (the parent organization) and the above certificate.
I changed the scheme in the project to "Release" and built it for "Running", I get a keychain access prompt during build, and signing step completes successfully
codesign -vvv -d xyz.app returns the registered bundle, certificate, team, etc, all matching the above choices.
I placed the produced .app into a .dmg image and emailed it to myself
I downloaded the .dmg on another Mac and mounted it
I tried running the .app but got the following Gatekeeper message:
"XYZ" can't be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the App Store and identified developers.
How do I get around this so a downloaded application will have an "Open" button in the Gatekeeper prompt by default. Some applications, GIMP for example, are correctly identified, even though they did not originate from the App Store.
What do I need to do to resolve this?
I kept digging at it and I found my answer:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc
The type of certificate I needed was Developer ID and the type of provision Developer ID Application, which is what is intended for self-distribution of a signed Mac application.
After that it needs to be submitted to Apple for notarization to satisfy the requirement for 10.14.5+. After notarization had completed I was able to send the exported app to myself and it offered me an "Open" option for the app downloaded from Internet. This is the desired behavior.
It required me to request the account holder to issue me the Developer ID certificate by sending them a CSR, as Developer ID certificate option is greyed out for delegated users that are not the original developer account holder (admin role may satisfy, but I am not one so can't say).
Yay.
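An added example (not part of the original post): the thread turns on which certificate type signed the app, and the first `Authority=` line of `codesign -dvv` output names it. The function name `signing_channel` and both sample outputs are constructed for illustration; names and team ID are placeholders.

```shell
#!/bin/sh
# Constructed sample of `codesign -dvv xyz.app` output for the build described
# above (organisation name and team ID are placeholders, not real values).
SAMPLE_APPSTORE='Executable=/Volumes/XYZ/xyz.app/Contents/MacOS/xyz
Identifier=com.example.xyz
Authority=3rd Party Mac Developer Application: Example Org (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

# Constructed sample of an ad hoc signature, which carries no certificate chain.
SAMPLE_ADHOC='Executable=/tmp/xyz.app/Contents/MacOS/xyz
Identifier=com.example.xyz
Signature=adhoc
TeamIdentifier=not set'

# signing_channel: read `codesign -dvv` output on stdin and print the
# distribution channel the leaf (first listed) certificate is meant for.
signing_channel() {
  out=$(cat)
  leaf=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p' | head -n 1)
  case "$leaf" in
    "Developer ID Application:"*)            echo "self-distribution" ;;
    "3rd Party Mac Developer Application:"*) echo "app-store-only" ;;
    "Mac Developer:"*)                       echo "development" ;;
    "")
      # No certificate chain at all: ad hoc signed, or not signed.
      case "$out" in
        *"Signature=adhoc"*) echo "adhoc" ;;
        *)                   echo "unsigned" ;;
      esac ;;
    *) echo "unrecognised" ;;  # e.g. a self-signed test certificate
  esac
}

printf 'app store build: %s\n' "$(printf '%s\n' "$SAMPLE_APPSTORE" | signing_channel)"
printf 'ad hoc build:    %s\n' "$(printf '%s\n' "$SAMPLE_ADHOC" | signing_channel)"
```

On a Mac, feed it real output with `codesign -dvv xyz.app 2>&1 | signing_channel`; codesign writes this report to stderr.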

macOS App manually signing with provisioning profile for App Store got error Code signature invalid

I try to use manual signing in macOS using provisioning profile. But every time I try to run it will crash with error
EXC_CRASH (Code Signature Invalid)
If I try to use automatically manage signing or manually manage signing but without provisioning profile it works fine. What is wrong with my provisioning profile? I need to use manual manage signing because my app actually is Xamarin.mac which is not possible in VS for Mac to sign automatically or sign manually without provisioning profile. I am not using weird entitlement. I only need app sandbox to release app store so in my provisioning profile I don't add any capabilities
If your signature is invalid it is likely that you haven't created the correct type of certificate. There are several certificate types that can be instanced and your app will not build correctly if you have created the wrong certificate type.
Common certificate types include:
iOS development
iOS distribution
Mac app development
Mac app distribution
Mac installer distribution
Developer ID application
Developer ID installer
For more information about manually creating your certificate, see my answer to this question: macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage
Also note that during development you would use an iOS development certificate, but for uploading to the App Store via iTunes connect, you will need an iOS distribution certificate and it needs to be enabled on an Apple ID that has paid for iOS distribution. For more information on enrollment to the Apple developer program, which will enable you with privileges to get a valid distribution certificate see here: https://developer.apple.com/support/enrollment/
If you are sure that it is not a problem with the certificate itself, do note that there are other parameters involved when creating a provisioning profile manually - it's not just a certificate + private key. This is a profile that needs to be created in the Apple developer portal, but as long as you have a valid Apple ID to use for creating the provisioning profile it shouldn't be difficult. There are detailed instructions here: https://learn.microsoft.com/en-us/xamarin/ios/get-started/installation/device-provisioning/manual-provisioning but allow me to paraphrase:
1) Go to the Apple Developers Member Center (https://developer.apple.com/membercenter/index.action), and under the section Certificates, Identifiers & Profiles select "Provisioning Profiles".
2) Click the + button, in the top right corner to create a new profile.
3) From the Development section, select the radio button next to iOS App Development, and press Continue:
4) From the dropdown menu, select the App ID to use
5) Select the Certificate(s) to include in the provisioning profile, and press Continue
6) Select all the devices that the app will be installed on, this will be all the devices and computers that belong to your Apple ID that will get a distribution certificate installed on it.
7) Provide the Provisioning Profile with an identifiable name, and press Continue to create the profile
8) Press "Download" to download the provisioning profile onto a Mac
9) Double-click on the file to install the provisioning profile in Xcode. Note that Xcode might not show any visual clues that it has installed the profile except for opening. This can be verified by browsing to Xcode > Preferences > Accounts. Select your Apple ID and click "View Details..." Your new provisioning profile should be listed, as illustrated below:
After the provisioning profile has been successfully created it may be necessary to restart Xcode so that all the development certificates are correctly loaded and available for use.
Checklist:
Is my code signing certificate the correct type?
Was my provisioning profile properly registered in the Apple Developer portal (https://developer.apple.com) for the Apple ID that is used on the machine building the app?
Is my Apple ID correctly enrolled in the Apple Developer program with no outstanding fees to be paid, or licenses like EULA to accept?
Have I downloaded my provisioning profile from my Apple Developer portal and correctly installed it on my machine that is trying to build / release the app?
NOTE:
In order to distribute apps to the app store there is no choice but to create and pay for the provisioning profile within the developer portal, and install it on your machine by downloading it from Apple.
Best of luck!

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage

I generated a mac installer certificate for use with code signing and am getting an error that is preventing me from using certificate to sign installer
When evaluating certificate in keychain access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.
I find this process works better when generating code signing keys with Xcode rather than through the Keychain access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self signed certificate for code signing to generate signed apps without uploading them to app store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to them.
Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In future, once you have it all working I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app, it can also be reached by selecting project > Targets > General > Signing
Hope that helps you, best of luck!
There are some possible reasons for certificate evaluation failure:
The certificate may be not for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in keychain app for test purpose, following this and this tutorials. Make sure to enable it in "Get Info" > "Trust" set as "Always Trust".
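An added example (not from the original answers) for the two failure reasons listed above: it checks whether a certificate file declares the Code Signing Extended Key Usage and reports a damaged file as unreadable. It assumes the openssl CLI is installed; the helper names `make_cert` and `eku_status` are hypothetical, and the certificates are throwaway self-signed ones constructed for the demo.

```shell
#!/bin/sh
# make_cert EKU OUT: write a throwaway self-signed certificate to OUT.
# EKU is an openssl extendedKeyUsage value; an empty EKU omits the extension.
make_cert() {
  cfg=$(mktemp "${TMPDIR:-/tmp}/eku-cfg.XXXXXX")
  key=$(mktemp "${TMPDIR:-/tmp}/eku-key.XXXXXX")
  {
    printf '[req]\ndistinguished_name = dn\nx509_extensions = ext\nprompt = no\n'
    printf '[dn]\nCN = Constructed Test Certificate\n'
    printf '[ext]\nkeyUsage = critical, digitalSignature\n'
    if [ -n "$1" ]; then printf 'extendedKeyUsage = critical, %s\n' "$1"; fi
  } > "$cfg"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
    -keyout "$key" -out "$2" 2>/dev/null
  rc=$?
  rm -f "$cfg" "$key"   # the private key is discarded; only the cert is kept
  return "$rc"
}

# eku_status PEM: print code-signing, other-eku, no-eku or unreadable.
eku_status() {
  # A damaged or non-certificate file makes openssl fail to parse it.
  text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || { echo unreadable; return 0; }
  # The usage names are printed on the line after the extension header.
  eku=$(printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
  case "$eku" in
    *"Code Signing"*) echo code-signing ;;
    "")               echo no-eku ;;
    *)                echo other-eku ;;
  esac
}

# Demo on constructed certificates.
dir=$(mktemp -d "${TMPDIR:-/tmp}/eku-demo.XXXXXX")
make_cert codeSigning "$dir/codesign.pem"
make_cert serverAuth "$dir/tls.pem"
printf 'codesign.pem: %s\n' "$(eku_status "$dir/codesign.pem")"
printf 'tls.pem:      %s\n' "$(eku_status "$dir/tls.pem")"
rm -rf "$dir"
```

To check a certificate from a keychain, export it as PEM first with `security find-certificate -c "<certificate name>" -p > cert.pem` and pass the file to `eku_status`.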

Why is Code Signing Identity not listing my certificate?

I'm using Xcode 4 and am trying to sign my first Mac OS X application. When I go to Project -> Build Settings -> Code Signing Identity, it will list "Don't Sign", "Automatic Profile Selector", and "Other". Under "Automatic Profile Selector" it lists "3rd Party Mac Developer Application". When I build it fails and says:
Code Sign error: The identity '3rd Party Mac Developer Application' doesn't match any valid certificate/private key pair in the default keychain
Earlier, in Organizer -> Provisioning Profiles, I did a refresh. It set up two certificates in Device -> Developer Profile. Nothing appears in Provisioning Profiles. The two certificates it shows in Developer Profile exist in my keychain as valid. I see no expired certificates even when I "show expired".
The certificates it has in Developer Profile match what's in the keychain:
3rd Party Mac Developer Installer: MyCompany, LLC
Mac Developer: My Name (SOMECODE)
I don't see these in the Code Signing Identity list, though. I even tried entering in the first one in Other, but it said it could not find it.
I have no need for entitlements, so I don't have a profile setup. And I am the company admin.
What am I doing wrong?
Ok, this turned out to be a lot simpler than I had imagined.
After I refresh and download the certs:
1) Click on My Mac under devices. And click "Add to Portal". This will download the Mac Team Provisioning Wildcard Profile
2) Create an App ID for my app (necessary for sandboxing/entitlements), through the website
3) Add a new Developer Provisioning Profile for this App ID, through the website
4) Go to Organizer and refresh.
Everything appears now.
But, I realize that for a Mac App w/ no sandboxing/entitlements, I really didn't need to do this. I could have got away with just creating the Production Provisioning Profile, since it does not require a registered device.

Self-signed certificate for code signing not showing up in Xcode 4

I'm developing a small app on Xcode 4.2 in Lion to learn the basics of Mac development.
I've got a directory picker controller class as an NSOpenSavePanelDelegate, implementing the - panel:validateURL:error: method, where I'm attempting to make sure that the directory that the user chooses contains files of a certain type that the app supports.
I stumbled across this question here on SO, discovering that the delegate methods don't have access to the file system in sandboxed applications. This would be a problem for the aforementioned case.
Eager to learn more about this, I decided to try sandboxing the app to see what happens. I enabled entitlements and sandboxing for the build target in Xcode and then created a self-signed certificate for code signing in Keychain Access, following this tutorial. The certificate lives inside my login keychain.
The problem is, the freshly created certificate doesn't appear under the Build Settings -> Code Signing -> Code Signing Identity dropdown. The only thing that is there is "3rd Party Mac Developer Application", but the build fails with a code signing issue if that is selected.
Any ideas how I can get it to show up?
I just ran into the same issue. After Quitting and restarting Xcode, my own certificate showed up.
