I'm using Xcode 4 and am trying to sign my first Mac OS X application. When I go to Project -> Build Settings -> Code Signing Identity, it will list "Don't Sign", "Automatic Profile Selector", and "Other". Under "Automatic Profile Selector" it lists "3rd Party Mac Developer Application". When I build it fails and says `Code Sign error:
The identity '3rd Party Mac Developer Application' doesn't match any
valid certificate/private key pair in the default keychain
Earlier, in Organizer -> Provisiong Profiles, I did a refresh. It setup two certificates in Device -> Developer Profile. Nothing appears in Provisioning Profiles. The two certificates it shows in Developer Profile exist in my keychain as valid. I see no expired certificates even when I "show expired".
The certificates it has in Developer Profile match what's in the keychain:
3rd Party Mac Developer Installer: MyCompany, LLC
Mac Developer: My Name (SOMECODE)
I don't see these in the Code Signing Identity list, though. I even tried entering in the first one in Other, but it said it could not find it.
I have no need for entitlements, so I don't have a profile setup. And I am the company admin.
What am I doing wrong?
Ok, this turned out to be a lot simpler than I had imagined.
After I refresh and download the certs:
1) Click on My Mac under devices. And click "Add to Portal". This will download the Mac Team Provisioning Wildcard Profile
2) Create an App ID for my app (necessary for sandboxing/entitlements), through the website
3) Add a new Developer Provisioning Profile for this App ID, through the website
4) Go to Organizer and refresh.
Everything appears now.
But, I realize that for a Mac App w/ no sandboxing/entitlements, I really didn't need to do this. I could have got away with just creating the Production Provisioning Profile, since it does not require a registered device.
Related
I'm trying to upload a mac app to the Mac App Store. I have done
this successfully with an iOS app, but this is the first time with
a mac app.
I have an Apple Distribution Certificate:
plus a Provisioning Profile for the Mac App Store which used the above cert:
The Cert is installed on my machine (downloaded it, double clicked). I can see it
in Keychain Access.
I now want to upload the Mac App to the AppStore.
Per this document, I need to set the developer ID and provisioning profile for the application and installer package.
So in Visual Studio 2019, I open preferences and head to "Apple Developer Accounts", select my dev account, my apple ID, and click "View Details". I see my certificates there, plus my Provisioning Profile "XXXX Mac App Store Provisioning Profile" (per the above diagram). Note that I have previously clicked "Download All Profiles" to get this profile installed locally.
I now open options for the Mac App project itself, select "Mac Signing".
Here's where things get weird:
a) The identities are correct. So I select the correct Developer ID.
b) the provisioning profiles are not correct. In fact it contains 2 old
entries, and 1 entry I have not heard of. It does not show any of the
provisioning profiles from the "VS | Preferences | Apple Developer Accounts".
c) It does show my "Developer ID Installer" cert for the installer.
Since I can't select any of my profiles, I select:
Identity: My Developer ID
Provisioning Profile: Automatic
Installer Package Identity: my "Developer ID Installer" cert.
I rebuild, "Archive For Publishing", and then attempt "Sign and Distribute".
I select "App Store" and get "No valid Provisioning Profile found"
What am I missing here? VS can see my profiles and certs.
But in the specific Mac project, those profiles do not show up, only some
old cruft.
I'd appreciate any advice. Thx.
Paul.
My comment above resolved the issue:
Apple Distribution certificate (which is SUPPOSED to be for MacOS,
tvOS and iOS) doesn't work in Xamarin for Mac apps. However if I used
Mac App Distribution certificate, and create a Mac App Store
Provisioning Profile using that Mac App Distribution certificate -
they both show up in the App Options | Signing. WTH?
Bottom line is that you need to use Mac App Distribution certs, not Apple Distribution certs.
I created a Mac file upload client application that implements a high-performance reliable data transfer over UDP protocol, based on the UDT library.
My setup:
MacOS Mojave
Xcode 10.3
Deployment Target: 10.10 (minimum for storyboard-based forms)
Now I'm trying to figure out how to sign it properly so end users can run it without doing a Gatekeeper override.
Here's where I'm at:
I have a paid Apple Developer account, delegated to me from an organization paid Developer account
I have roles assigned to me allowing me to manage apps, certificates, provisioning, etc.
I am signed into this account under Xcode accounts under Preferences.
I have created a bundle registration under the account, copied exactly from Xcode
I have created a Mac Distribution certificate, starting with a CSR from my development machine.
I have downloaded and imported the certificate into my machine's keychain (listed as "3rd Party Mac Developer Application:...")
I have created a provisioning profile for this app, with above certificate assigned, the profile type is App Store, but I will be distributing the app myself (is there a more correct provisioning type?)
Under Entitlements I chose "Custom Network Protocol", which sounds like an accurate description of my application.
I have imported the provisioning profile into Xcode and chose it under Signing (Debug) and Signing (Release) of my project's target, it automatically populated Team (the parent organization) and the above certificate.
I changed the scheme in the project to "Release" and built it for "Running", I get a keychain access prompt during build, and signing step completes successfully
codesign -vvv -d xyz.app returns the registered bundle, certificate, team, etc, all matching the above choices.
I placed the produced .app into a .dmg image and emailed it to myself
I downloaded the .dmg on another Mac and mounted it
I tried running the .app but got the following Gatekeeper message:
"XYZ" can't be opened because it is from an unindentified developer.
Your security preferences allow installation of only apps from the App Store and identified developers.
How do I get around this so a downloaded application will have an "Open" button in the Gatekeeper prompt by default. Some applications, GIMP for example, are correctly identified, even though they did not originate from the App Store.
What do I need to to resolve this?
I kept digging at it and I found my answer:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc
The type if certificate I needed was Developer ID and the type of provision Developer ID Application, which is what is intended for self-distribution of a signed Mac application.
After that it needs to be submitted to Apple for notarization to satisfy the requirement for 10.14.5+. After notarization had completed I was able to send the exported app to myself and it offered me an "Open" option for the app downloaded from Internet. This is the desired behavior.
It required me to request the account holder to issue me the Developer ID certificate by sending them a CSR, as Developer ID certificate option is greyed out for delegated users that are not the original developer account holder (admin role may satisfy, but I am not one so can't say).
Yay.
I try to use manual signing in macOS using provisioning profile. But everytime I try to run it will crash with error
EXC_CRASH (Code Signature Invalid)
If I try to use automatically manage signing or manually manage signing but without provisioning profile it works fine. What is wrong with my provisioning profile? I need to use manual manage signing because my app actually is Xamarin.mac which is not possible in VS for Mac to sign automatically or sign manually without provisioning profile. I am not using weird entitlement. I only need app sandbox to release app store so in my provisioning profile I don't add any capabilities
If your signature is invalid it is likely that you haven't created the correct type of certificate. There are several certificate types that can be instanced and your app will not build correctly if you have created the wrong certificate type.
Common certificate types include:
iOS development
iOS distribution
Mac app development
Mac app distribution
Mac installer distribution
Developer ID application
Developer ID installer
For more information about manually creating your certificate, see my answer to this question: macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage
Also note that during development you would use an iOS development certificate, but for uploading to the App Store via iTunes connect, you will need an iOS distribution certificate and it needs to be enabled on an Apple ID that has paid for iOS distribution. For more information on enrollment to the Apple developer program, which will enable you with privileges to get a valid distribution certificate see here: https://developer.apple.com/support/enrollment/
If you are sure that it is not a problem with the certificate itself, do note that there other parameters involved when creating a provisioning profile manually - it's not just a certificate + private key. This is a profile that needs to be created in the Apple developer portal, but as long as you have a valid Apple ID to use for creating the provisioning profile it shouldn't be difficult. There are detailed instructions here: https://learn.microsoft.com/en-us/xamarin/ios/get-started/installation/device-provisioning/manual-provisioning but allow me to paraphrase:
1) Go to the Apple Developers Member Center (https://developer.apple.com/membercenter/index.action), and under the section Certificates, Identifiers & Profiles select "Provisioning Profiles".
2) Click the + button, in the top right corner to create a new profile.
3) From the Development section, select the radio button next to iOS App Development, and press Continue:
4) From the dropdown menu, select the App ID that to use
5) Select the Certificate(s) to include in the provisioning profile, and press Continue
6) Select all the devices that the app will be installed on, this will be all the devices and computers that belong to your Apple ID that will get a distribution certificate installed on it.
7) Provide the Provisioning Profile with an identifiable a name, and press Continue to create the profile
8) Press "Download" to download the provisioning profile onto a Mac
9) Double-click on the file to install the provisioning profile in Xcode. Note that Xcode might not show any visual clues that it has installed the profile except for opening. This can be verified by browsing to Xcode > Preferences > Accounts. Select your Apple ID and click "View Details..." Your new provisioning profile should be listed, as illustrated below:
After the provisioning profile has been successfully created it may be necessary to restart Xcode so that all the development certificates are correctly loaded and available for use.
Checklist:
Is my code signing certificate the correct type
Was my provisioning profile properly registered in the Apple Developer portal (https://developer.apple.com) for the Apple ID that is used on the machine building the app
Is my Apple ID correctly enrolled in the Apple Developer program with no outstanding fees to be paid, or licenses like EULA to accept.
Have I downloaded my provisioning profile from my Apple Developer portal and correctly installed it on my machine that is trying to build / release the app.
NOTE:
In order to distribute apps to the app store there is no choice but to create and pay for the provisioning profile within the developer portal, and install it on your machine by downloading it from Apple.
Best of luck!
I generated a mac installer certificate for use with code signing and am getting an error that is preventing me from using certificate to sign installer
When evaluating certificate in keychain access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.
I find this process works better when generating code signing keys with Xcode rather than through the Keychain access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self signed certificate for code signing to generate signed apps without uploading them to app store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to
them.
Simply select it and Xcode will issue and download your code signing
identities for you with the correct developer certificate params for
iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In future, once you have it all working I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app, it can also be reached by selecting project > Targets > General > Signing
Hope that helps you, best of luck!
There are some possible reasons for certificate evaluation failure:
The certificate may be not for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in keychain app for test purpose, following this and this tutorials. Make sure to enable it in "Get Info" > "Trust" set as "Always Trust".
I have Xcode 8.3.2 on Sierra. I am trying to build an Enterprise .ipa (have Enterprise membership).
I am having issues signing my app. Specifically in Xcode I have the following under General\Signing:
Automatically manage signing is enabled
Team: "My Team (Enterprise)"
Provisioning Profile: Xcode Managed Profile
Signing Certificate: iOS Developer
Status
Failed to create provisioning profile "com.myapp" cannot be registered to your development team. Change your bundle identifier to a unique string to try again.
No profiles for 'com.myapp' were found. Xcode couldn't find a provisioning profile matching 'com.myapp'.
My steps were:
Logged into Enterprise account at https://developer.apple.com/account/
Under Certificates, Identifiers, and Profiles I selected the Add
Selected In-House and Ad Hoc
On my MAC in the Keychain Access I selected KeyChain Access\Certificate Assistant\Request a Certificate from a Certificate Authority
Saved to my desktop
In https://developer.apple.com/account/ I uploaded the certificate signing request
I see it as a certificate as type iOS Distribution with and expiration date
I download the .cer file and double click on it to install it
Within Xcode\Preferences I find the Team under the Apple ID and under Manage Certificates I see iOS Distribution Certificates and Enterprise with today's date
I select the Download All Profiles for that team
In Xcode I select General\Signing and "My Team (Enterprise)
At this point I get the two errors described above.
I am new to Xcode development so I am sure there is something wrong with my steps.
Any insight would be greatly appreciated.
Well the solution to my issue was to do the following:
In Xcode under the "General" tab to disable Automatically manage signing
At https://developer.apple.com/account in my enterprise account under provisioning profiles I created a new distribution profile
Downloaded the profile => .mobileprovision file
Double clicked on the .mobileprovision file
With Automatically manage signing disabled I then selected the Provisioning Profile I just created and downloaded in the drop downs for Signing (Debug) and Signing (Release)
At this point I was able to archive and export an enterprise .ipa
This is the solution to my issue that's similar to this one:
Change your bundle identifier to a unique string to try again.
Your bundle identifier is already in use by other developers I guess, so just change your bundle identifier in the Identify tab right above your Signing tab to another one:
For example:
Bundle Identifier: org.react.native.example.RamenForLifeIn2022
Hope this helps :)