Application always asks for permission to access keychain - macos

I have an application that stores username and password in the keychain. Everything was working fine when working on Xcode 3, I recently moved to Xcode 4 and now when I run the application, I get a prompt:
Application wants to use your confidential information stored in keychain" in your keychain.
After hitting always allow I see the application added to the access control list of the keychain item, but I get the prompt every time I run the app.
Also after hitting Always allow again, I see that the access control has two instances of the same app. Seems like OS thinks this is a new application.
Any ideas appreciated.

I believe the problem is that your signature's designated requirement causes it to not accept itself as "the same app" as itself (for Keychain purposes).
One common cause for this—and I think it's yours—is using a Developer ID Application cert, with no designated requirement, and without the intermediate cert installed.
A standard Developer ID requirement looks like this:
designated => anchor apple generic and
identifier \"com.example.appName\" and
((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or
(certificate 1[field.1.2.840.113635.100.6.2.6] exists and
certificate leaf[field.1.2.840.113635.100.6.1.13] exists and
certificate leaf[subject.OU] = \"1AZBYCXDW9V\" ))
If you want to construct this yourself, you have to replace the identifier with your bundle identifier and the subject.OU with the value from your cert. (If you double-click it in Keychain Access, it should be listed as the Organizational Unit.) Then you can add to "Other Code Signing Flags":
--requirements "=designated ..." (the whole mess from above)
However, a much better way to do this is to use Xcode 4.3.2 or later. If it recognizes that you're using a Developer ID Application cert, and can see the intermediate cert in the keychain, it will generate this by default.
Also, if you use the Archive Organizer in Xcode to "Export Developer ID-signed Application", instead of just using the build from your target directory, it will make sure to sign your app and any other enclosed signables, and it will test that everything is set up properly. (The failures are pretty cryptic—e.g., your "Choose a Developer ID to sign with" step may just have no choices, with a message in the syslog that has no useful information—but at least the fact that it failed or succeeded narrows down where your problem is.)
Either way, you need to download and install (on your build machine) the intermediate cert, called "Developer ID Certification Authority", from the "Developer ID Intermediate Certificate" link at the Developer Certificate Utility site.
One last thing: Even if this solves your problem running on your build machine, you really want to test on the oldest OS version you support. For example, the requirements compiled by Lion's codesign sometimes can't be parsed on Leopard, or sometimes even on Snow Leopard. If that happens… see Gatekeeper vs. Leopard: an ongoing tale.
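As an added example (not part of the original answer, and not Apple's tooling): a shell check that reads `codesign -d -r-` output and confirms the designated requirement pins the bundle identifier and the certificate's subject.OU, as in the requirement quoted above. The function names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an app's designated requirement (DR) before shipping.
# On a Mac, feed it real output:  codesign -d -r- MyApp.app 2>/dev/null | extract_dr
# Function names and both sample outputs are constructed for illustration.

# Build the Developer ID requirement in the form quoted in the answer.
# usage: build_developer_id_dr <bundle-identifier> <subject.OU from the cert>
build_developer_id_dr() {
    printf '%s' \
        "designated => anchor apple generic and identifier \"$1\" and " \
        "((cert leaf[field.1.2.840.113635.100.6.1.9] exists) or " \
        "(certificate 1[field.1.2.840.113635.100.6.2.6] exists and " \
        "certificate leaf[field.1.2.840.113635.100.6.1.13] exists and " \
        "certificate leaf[subject.OU] = \"$2\" ))"
    printf '\n'
}

# Pull the DR expression out of `codesign -d -r-` output read from stdin.
# An optional leading "# " on the line is tolerated.
extract_dr() {
    sed -n 's/^\(# \)\{0,1\}designated => //p' | head -n 1
}

# usage: check_dr <dr-expression> <bundle-identifier> <subject.OU>
# Prints "ok" and returns 0, or prints the reason and returns 1.
check_dr() {
    # Normalise: drop quotes and pad ")" so every token is followed by a space.
    dr_norm=$(printf '%s ' "$1" | tr -d '"' | sed 's/)/ )/g')
    case $dr_norm in
        " ") echo "missing: no designated requirement found"; return 1 ;;
        "cdhash "*) echo "weak: pins the code hash of a single build"; return 1 ;;
    esac
    case $dr_norm in
        *"anchor apple generic"*) ;;
        *) echo "weak: not anchored to Apple's certificate hierarchy"; return 1 ;;
    esac
    case $dr_norm in
        *"identifier $2 "*) ;;
        *) echo "mismatch: identifier is not $2"; return 1 ;;
    esac
    case $dr_norm in
        *"leaf[subject.OU] = $3 "*) ;;
        *) echo "mismatch: leaf subject.OU is not $3"; return 1 ;;
    esac
    echo ok
}

# usage: audit <captured codesign output> <bundle-identifier> <subject.OU>
audit() {
    check_dr "$(printf '%s\n' "$1" | extract_dr)" "$2" "$3"
}

# Constructed sample: a DR of the shape described in the answer.
SAMPLE_GOOD='Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
designated => anchor apple generic and identifier "com.example.appName" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "1AZBYCXDW9V")'

# Constructed sample: a DR that names only a code hash (made-up hash value).
SAMPLE_WEAK='Executable=/Applications/MyApp.app/Contents/MacOS/MyApp
# designated => cdhash H"0123456789abcdef0123456789abcdef01234567"'

audit "$SAMPLE_GOOD" com.example.appName 1AZBYCXDW9V
audit "$SAMPLE_WEAK" com.example.appName 1AZBYCXDW9V || true
```

Running this as a release gate catches a build whose requirement would not match the next build before any user has stored a keychain ACL against it.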

Related

Exit Code 1 When Archiving XCode Project for upload to Apple Store

I have an Xcode project (Xcode 11.5). It runs in the simulator and on my own device fine and without any errors. But when I archive it, this happens:
CopySwiftLibs /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app (in target 'BeatBat3' from project 'BeatBat3')
cd /Users/mabelapps/Library/Mobile\ Documents/com~apple~CloudDocs/XCode\ Projects/BeatBat3
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export DEVELOPER_DIR=/Applications/Xcode.app/Contents/Developer
export SDKROOT=/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS13.5.sdk
builtin-swiftStdLibTool --copy --verbose --sign 5BA046D7A018CFC33DE7C29728E7C59DB93C6959 --scan-executable /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/BeatBat3 --scan-folder /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks --scan-folder /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/PlugIns --scan-folder /Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/SDKs/iPhoneOS13.5.sdk/System/Library/Frameworks/StoreKit.framework --platform iphoneos --toolchain /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain --destination /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks --unsigned-destination /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport --emit-dependency-info /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/IntermediateBuildFilesPath/BeatBat3.build/Release-iphoneos/BeatBat3.build/SwiftStdLibToolInputDependencies.dep
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCore.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftFoundation.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftFoundation.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCoreFoundation.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCoreFoundation.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCoreGraphics.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCoreGraphics.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftObjectiveC.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftObjectiveC.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftDarwin.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftDarwin.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftDispatch.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftDispatch.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCore.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftCore.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftFoundation.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftFoundation.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCoreFoundation.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftCoreFoundation.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftCoreGraphics.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftCoreGraphics.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftObjectiveC.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftObjectiveC.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftDarwin.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftDarwin.dylib
Copying /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/swift-5.0/iphoneos/libswiftDispatch.dylib to /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/BuildProductsPath/SwiftSupport/iphoneos/libswiftDispatch.dylib
Probing signature of /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib
/usr/bin/codesign -r- --display /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib
Codesigning /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib
/usr/bin/codesign --force --sign 5BA046D7A018CFC33DE7C29728E7C59DB93C6959 --verbose /Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib
/Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib: replacing existing signature
/Users/mabelapps/Library/Developer/Xcode/DerivedData/BeatBat3-ecrdlwcmtqtujieezcmongelfrfw/Build/Intermediates.noindex/ArchiveIntermediates/BeatBat3/InstallationBuildProductsLocation/Applications/BeatBat3.app/Frameworks/libswiftCore.dylib: errSecInternalComponent
error: Failed with exit code 1 (in target 'BeatBat3' from project 'BeatBat3')
Can anyone point me in the right direction, please?
Thanks
LeonW53
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an iOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1: The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked what kind of Certificate to create.
You need to select Apple Development to develop an app on your mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kinds of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In XCode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signing.
Also in XCode, you go to XCode/Preferences/Accounts. You should select the Apple ID on the left which is the same as you log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2: If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or that you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3: Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

OSX - signing identity missing private key

After I accidentally deleted my local keychain... it seems I have encountered some problems. (This is my first Mac.)
In Xcode - Preferences - Accounts it has an error. If I click "View details" for my developer account, it lists one signing identity called "iOS Development". However, its status is missing private key. (If I try to add one for distribution, it also pops up saying I already have one.)
As I already redownloaded both my distribution and development certificate from my developer profile and put them into my local keychain... I guess this means they somehow were not enough? Is there any other place on my Mac where I can (be lucky and) find my private key? certificate? ...
Or will I need to revoke my certificates in my developer profile? Download new certificate and create new provision profiles?
The private key is used for signing the code and the certificate is used for verifying the code. Since the private key is only stored in your keychain and you deleted it, the only way to recover from it is to create a new developer certificate and generate a new Developer Provisioning Profile for your app.

What is the fastest/easiest way - step by step, from the beginning - to "code sign" my Qt app on OS X so that it can be distributed?

I am writing a cross-platform app in Qt (using Qt Creator). One of the target platforms is OS X.
The application is being packaged for installation on OS X by using the BitRock Installer system to create an .app file.
The application is intended for download and use by students and researchers in political science at various different colleges and universities. (A download either from the App Store, or from a product website, is fine.)
I do not need iCloud or any other features associated with the App Store. I just need to be able to distribute this application so that the warning (below) does not appear.
Currently the application is in an alpha-testing state - it is being tested by the product managers only. I would nonetheless prefer to offer the product managers an installation package for OS X that does not present them with the following warning:
The [installer application] can't be opened because it is from an
unidentified developer
(And, more importantly, when the application is released, I also don't want this warning to appear for end users.)
I understand that I need to prepare my application for distribution by using an Apple Developer account and properly signing the application.
I have created a developer account, and I am attempting to follow the steps in the link to sign my application and prepare it for distribution.
However, because the application is built in Qt, not Xcode, I do not know how to follow the steps through to completion, because some of the key steps assume that Xcode is being used.
I have searched for any questions that might describe how to prepare Qt applications on OS X for distribution, but come up empty.
(Further, I would also prefer to have a set of steps provided that is as simple as possible - preferably simpler than the steps provided in the above link - in any case.)
What is the simplest possible set of steps that will allow me to code sign my application, developed with Qt, on OS X, so that it can be distributed?
Prepare .app file
This is a step by step guide to create a signed package which can be uploaded to the Mac App Store, or distributed independently as a standalone application + installer:
Check app icon - it should have all sizes (16x16, 32x32, 64x64, 128x128, 256x256, 512x512, 1024x1024). (See https://stackoverflow.com/a/21028483/368896)
Add compile options for proper generation of debugging symbols:
QMAKE_CFLAGS += -gdwarf-2
QMAKE_CXXFLAGS += -gdwarf-2
(noting that QMAKE_CFLAGS may not be highlighted by Qt Creator as valid, but still may need to be included - see here)
Settings should be saved in a directory with same name as bundle identifier.
Check the application's Info.plist file. It should contain the correct bundle identifier and minimum MacOS X version of 10.6.6.
(Note: though Qt Creator automatically generates a default info.plist file that is placed inside the .app bundle, it is also possible to create your own file and have this automatically used instead. See this link for a sample info.plist file that works with Qt and the App Store, and note that QMAKE_INFO_PLIST does work to use a custom file (see comments in that link).)
(Also, see notes below about how to obtain a bundle identifier.)
(The minimum OS X version - which should be set to 10.6.6 or later - can be set with the following line in the .pro file: QMAKE_MACOSX_DEPLOYMENT_TARGET = 10.6 - but if you use a custom info.plist file, this setting won't take effect, so you must include the proper setting in your custom info.plist anyways; see previous link for the entry that should be used in the file.)
You also need certificates to sign your application and installer: open “Keychain Access” (use Mac OS X search) -> double click on each certificate (look in the kind column for these) and enter password -> check added certificates in Keychain Access.
Register application in iTunesConnect
Log in to your developer account at http://itunesconnect.apple.com (which will reroute you to https://, but you may need to first enter http://)
(Note: If you do not already have one, you must first create a Mac Developer Account, $99/year, in order to proceed.)
Click on “Manage your apps” -> “Add new app”
If application has no Bundle ID - create it.
Creating a new Bundle ID is not intuitive.
To create a new Bundle ID:
-> Log in to the Developer Center website: This is a different site
(perhaps open it in a new tab): http://developer.apple.com.
-> Click Member Center near the very top right (next to the search bar)
-> Click on Manage your certificates, App IDs, devices, and provisioning profiles
(underneath Certificates, Identifiers & Profiles)
-> Click on App IDs in the left navigation bar (in the Identifiers section)
(This might already be selected.)
-> Click on + button
-> The screen you now see (Register Mac App ID / Registering an App ID)
is the screen you use to create a new bundle identifier
-> Enter the necessary information. Write anything for the
App ID Description (it can contain only a short line of text)
The Explicit App ID field is actually the new Bundle ID.
Type a reverse URL here, such as com.mydomain.myapp.
A website or server does not actually need to exist at this URL.
You just make one up here, but of course you can use one that
already exists if you wish.
-> Click Continue, then Submit if you're satisfied, then Done
Now be sure to go back to the previous section, and add the Bundle ID you have just created to the custom info.plist file.
Also save the Team ID in case you need it later - this is the string that precedes the Bundle ID (called the prefix) that you see when you look at the details of the Bundle ID you've just created in the Developer Center.
Now, go back to the iTunesConnect website. (Perhaps in another tab - this is not the Developer Center website.)
In the App Information section, select language. Then, enter app name. Make up a random string of characters for the SKU field (I use something of the format 2436-7623-7782-8327). Finally, select the Bundle ID. Click Continue.
Select availability date (simply as far as possible, for now - currently, it's only possible to make it available for at most 2 years). Select price tier (can be any - customer can change later). Click Continue.
Enter detailed application information on the following screen, and click Save.
Click “View Details” in app page -> Click “Ready to upload binary” -> On summary page click on link “latest version of Application Loader” and download it -> Click “Continue”.
Creating and Uploading installer
Check application Info.plist - enter right bundle id, app name, category.
Build application in release mode.
Extract debug symbols. At the command line:
dsymutil MyApp.app/Contents/MacOS/MyApp -o MyApp.app.dSYM
Execute the helper program macdeployqt (included with Qt). At the command line:
/path/to/macdeployqt /path/to/myapp.app
(macdeployqt can be found in QTDIR/bin. See this link for a handful of official details.)
Running macdeployqt modifies your existing application by incorporating the necessary Qt frameworks internal to the .app bundle and changing various other internal settings in the application.
Codesign application:
Codesigning is a tricky step.
(1) Obtaining a DISTRIBUTION CERTIFICATE
You must first create a Distribution certificate, if you don't already have one. (Not a
Developer certificate.)
(The following steps are taken from this link, with a correction regarding the certificate
type)
-> Open Xcode (version 5 as of this writing)
-> Navigate to Xcode > Preferences
-> Click the Accounts tab
-> If you have not already done so, add the Apple ID that is registered in the Mac Developer
Program
-> Select the Apple ID that you want to use, and click View Details
-> In the window that opens, click Add (+) and then select Mac App Distribution.
(2) Code signing the application with the Distribution Certificate
To properly codesign, every .framework and .dylib inside the .app bundle must FIRST
be signed; and then the .app itself must be signed. See critical steps in bottom paragraph of
this grey block before you codesign the internal Qt frameworks - and be sure to do this first.
The command to sign the internal libraries/frameworks, and the command to sign the main .app,
is the same:
codesign -s "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)" --entitlements MyEntitlements.plist MyApp.app
The --entitlements MyEntitlements.plist option is only necessary if you actually have entitlements
beyond the basic defaults. I (Dan Nissenbaum) did not select additional privileges for my app when I
created the Bundle ID in Developer Center (such as ability to access iCloud, push notifications,
etc.). So, I left off the --entitlements option, and I have not looked into how to obtain a
MyEntitlements.plist file.
Note regarding the -s argument: See paragraph below for information about finding the correct
name to use (this is the Distribution Certificate "Common Name").
This codesign command is for the main .app. To codesign the internal (Qt) libraries/frameworks,
which must be done first, use the proper path; i.e., in the command above, use
MyApp.app/Contents/Frameworks/QtCore.framework rather than MyApp.app - and note that
the path to the libraries/frameworks must be just to the root of the internal library/framework
bundle, not to inside the internal library/framework bundle.
Various other internal .dylibs or .frameworks may also need to be signed, in addition to the
Qt .frameworks - if you try to sign your main application but have not signed all of the internal
.dylibs/.frameworks, you will receive an error indicating another internal .dylib/.framework that
needs signing. Just proceed through them all. In my case, there were about 10 additional .dylibs
that needed to be signed after I completed signing the Qt .frameworks.
Once you have the developer certificate, you need to find the name of the certificate for use with
the codesign process. Open "Keychain Access" (to find this, simply type "Keychain Access" into
the Search bar in the Finder, and locate the application from among the results returned). In the
main list that you see when Keychain Access runs, you will see your Developer certificate among
various other things. There will also be some other certificates - ignore those. It should be
obvious which certificate is the correct one. In my case (which is standard, I assume), the
certificate name is "3rd Party Mac Developer Application: Daniel Nissenbaum (S6V5TT9QRL)".
This is the official name of the certificate, to be
used as the -s argument to codesign, but to really confirm this, double-click on the
certificate and in the info window that appears, have a look at the "Common Name". The value of
Common Name is the official text to use as the -s argument of codesign.
Note regarding a complication with codesign'ing the internal Qt frameworks. As of today,
when macdeployqt is run, the Qt frameworks are not fully copied correctly into the .app bundle.
They are missing their Info.plist file. But these necessary Info.plist files DO exist inside
the Qt installation. You can simply use the Finder to copy them. (For example on my system, the
required Info.plist file for the QtWidgets.framework framework has this path (where "Qt"
corresponds to the root path of your Qt installation):
Qt/5.1.1/clang_64/lib/QtWidgets.framework/Contents/Info.plist. This is to be copied into
MyApp.app/Contents/Frameworks/QtWidgets.framework/Resources. Ditto for all of the other Qt
frameworks that were copied into the MyApp.app bundle by macdeployqt. See
https://stackoverflow.com/a/19639825/368896 for more details.exists and is enabled for code
Create installer (a different certificate is required; see comment):
productbuild --component ./MyApp.app /Applications --sign "3rd Party Mac Developer Installer: Daniel Nissenbaum (S6V5TT9QRL)" MyApp.pkg
Note that a different certificate is required to be used as the argument to the --sign parameter. The certificate has type "Mac Installer Certificate", rather than "Mac App Distribution" (the type of the certificate used with codesign, above). To create this certificate, follow the same steps above, but select Mac Installer Certificate as the type. Use its Common Name as the argument to the --sign parameter here.
The ./ preceding the application name might be important. Also, use the same argument to the --sign parameter that you did when you ran codesign - the Common Name of your Developer certificate. See above.
Check the installer:
sudo installer -store -pkg MyApp.pkg -target /
If there are no errors, you now have a legitimate Mac application, packaged into a legitimate Mac installer, both of which can be distributed to anyone. You can distribute them by simply sending them the .pkg file (via website, Dropbox, etc.), or you can upload to the Mac App Store.
I have not confirmed these steps, which are for actually uploading the application to the Mac App Store: Open Application Loader and sign in with Apple Developer Account -> Select “Deliver Your App” -> Choose right AppID -> Click on “Choose…” button on “Application Information” page and select created pkg file -> Click “Send”.
Additional information
Information about entitlements
Information about Info.plist
Additional information about deploying app to Mac AppStore
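The signing order described in the answer above (nested .dylibs and .frameworks first, the .app last, with the missing framework Info.plist files fixed beforehand), as an added example that is not part of the original answer. The function names, the sample bundle and the identity string are hypothetical; `codesign` is only invoked when `--dry-run` is omitted on a Mac.

```shell
#!/bin/sh
# Added example: sign a macdeployqt-processed bundle inside-out.
# Function names, the sample bundle and the identity string are constructed
# for illustration; codesign itself only exists on macOS.

# List every nested .framework (bundle root) and .dylib, deepest path first,
# then the .app itself, which must be signed last.
list_nested_code() {   # usage: list_nested_code <App.app>
    find "$1/Contents" \( -type d -name '*.framework' -o -type f -name '*.dylib' \) -print |
        awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
    printf '%s\n' "$1"
}

# Frameworks that were copied into the bundle without Resources/Info.plist.
missing_framework_plists() {   # usage: missing_framework_plists <App.app>
    find "$1/Contents" -type d -name '*.framework' | sort | while IFS= read -r fw; do
        [ -f "$fw/Resources/Info.plist" ] || printf '%s\n' "$fw"
    done
}

# Refuse to sign until every framework has its Info.plist, then sign each
# nested item and finally the app. With --dry-run, print the commands only.
sign_bundle() {   # usage: sign_bundle <App.app> <identity Common Name> [--dry-run]
    sb_missing=$(missing_framework_plists "$1")
    if [ -n "$sb_missing" ]; then
        echo "copy Info.plist into these frameworks before signing:" >&2
        printf '%s\n' "$sb_missing" >&2
        return 1
    fi
    list_nested_code "$1" | while IFS= read -r item; do
        if [ "$3" = "--dry-run" ]; then
            printf 'codesign -s "%s" "%s"\n' "$2" "$item"
        else
            codesign -s "$2" "$item" || exit 1
        fi
    done
}

# Constructed sample bundle: two Qt frameworks (one lacking Info.plist)
# and one plugin dylib. Prints the path of the .app.
make_sample_bundle() {
    msb_root=$(mktemp -d) || return 1
    msb_app="$msb_root/MyApp.app"
    mkdir -p "$msb_app/Contents/MacOS" \
             "$msb_app/Contents/Frameworks/QtCore.framework/Resources" \
             "$msb_app/Contents/Frameworks/QtWidgets.framework/Versions/5" \
             "$msb_app/Contents/PlugIns/platforms"
    : > "$msb_app/Contents/MacOS/MyApp"
    : > "$msb_app/Contents/Frameworks/QtCore.framework/Resources/Info.plist"
    : > "$msb_app/Contents/PlugIns/platforms/libqcocoa.dylib"
    printf '%s\n' "$msb_app"
}

# Demo on the constructed bundle: signing is refused because
# QtWidgets.framework has no Info.plist yet.
demo_app=$(make_sample_bundle)
sign_bundle "$demo_app" "Developer ID Application: Example Corp (TEAMID)" --dry-run ||
    echo "signing refused until the frameworks listed above have their Info.plist"
rm -rf "${demo_app%/MyApp.app}"
```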
First, see Sign Qt applications on Mac with Developer ID and Sign a Framework for OSX 10.9
Basically,
compile your application
run macdeployqt
check using otool -L ... the dependencies of all your frameworks, libraries and plugins
use install_name_tool -change ... to change any dependencies not properly deployed to inside the bundle
sign your frameworks and bundle (see the 2 links given above)
You will need to pay Apple for a developer ID to be able to sign your application otherwise your users will have to deal with Gatekeeper.
First of all, please, check the following link
As you wrote, you may distribute your application outside of the App Store. Such bundles or pkg installers should be signed with the Developer ID signing identity. This is the only signature that will pass checks by MacOS GateKeeper.
You must be a "Team Agent" to obtain this. If you are working alone this should be no problem for you. If you are not "Team Agent" you will need to create the certificate request and send it to your "Team Agent" who will generate the public key for you and send it back.
Once you have a valid Developer ID signing identity (as people wrote in comments) you can just sign your app with a similar command line command: codesign -s "Developer ID ...." myApplicationPath.app
P.S. Latest Xcode provides a nice UI to obtain different types of signing identities. Just check the link at the top of answer.

Provisioning for Distribution

I can run the app fine through the development profile but I can't run it through the distribution profile. I have everything set up correctly as far as I can tell. The error that I get from Xcode on compile is:
Code Sign error: No unexpired provisioning profiles found that contain any of the keychain's signing certificates
and in TARGETS > Release > Any iOS SDK I look under what should the correct line item and I see the following:
Profile doesn't match any valid certificate/private key pair in your keychains
So it sounds like my current cert doesn't allow me to run my app as distribution? I went into the member center and dirtied all related profiles and restarted xcode 4.6 after updating my profiles. Doesn't seem to work.
I also checked my Info.plist and the bundle name is correct there. It's also correct in TARGETS > Summary > Bundle Identifier.
A private key is missing
I noticed this morning that there is no private key underneath the iPhone Distribution cert in my Keychain Access and I suspect that's an issue? I'm an admin in the developer portal so I'm not sure why this wouldn't be working..
If you weren't on the distribution certificate when it was signed then you need to have someone who IS on the certificate to export their cert + private key for you. If in doubt, it's probably the dev portal agent who you need this from. The details are found in the answer for the question below:
Profile doesn't match any valid certificate/private-key pair in the default keychain

"A valid signing identity matching this profile..." and Xcode error

Our company is setting up another development station for the same app that will be sent away. I installed Xcode and tested the app in the simulator. I downloaded the Certificate and Provision that worked fine on my other computer. I selected the correct code signing identity and when I build it for a release to my iPad I get an error:
Code Sign error: The identity 'iPhone Developer: Person's Name (XXXXXXXX)' doesn't match any valid certificate/private key pair in the default keychain
In organizer, I click on Provision Profiles and the provision profile I downloaded. Underneath I get the warning:
A valid signing identity matching this profile could not be found in your keychain
I've looked up many, many other people that had this problem, but all seem to resolve it by deleting the cert and provision, which I never want to do! i.e., what if I want to use the same provision and cert on two different machines, or many?
I also went through deleting, recreating, deleting, rinse-repeat - but the answer was simple.
I had the same problem and solved it very simply in XCode Organizer - I'm using Version 4. All I did was go to the top Library section and select Provisioning Profiles, and import the downloaded profiles that I had received in my Safari downloads named "name.mobileprovision".
I think you just have to export the valid certs from the working computer, explained in this doc.
http://developer.apple.com/library/ios/#qa/qa2008/qa1618.html
