1, I already download the "Apple Worldwide Developer Relations Certification Authority",and add it into my keychain.
2, My team leader already had created two Cers for Mac App store developing, I download and add it into my keychain.
3, I used two methods to sign my add, but failed all.
First, add code sign section in my .xcodeproj(3.2.5).
Second, I used script:
productbuild --component ./bin/MAS_Release/MyApp.app /Applications --sign "3rd Party Mac Developer Application: My Company Co., Ltd." --product ./src/MyApp/MyApp-Info.plist MyApp.pkg
But it failed with information:
Code Signing Identity '3rd Party Mac Developer Application: My Company Co., Ltd.' does not match any valid, non-expired, code-signing certificate in your keychain.
I observed that my certifications in keychain don't have small trangle.
how make the small trangle absence?(when I'am importing the Cers from my Agent, it don't have the trangle absence)
If you were trying to code sign app on the machine that is not the one generated CSR request. You need export and import the private key also from original mac's keychain to the current mac.
Related
I'm trying to figure out what I need from my client to codesign and notarize an Electron app on MacOS on behalf of my client.
As far as electron-builder goes I already have that configured to codesign and notarize the app and publish it to github releases.
For the past year I have been doing that on his Mac so I know as far as the code of the app goes everything is correct.
But now I have to codesign, notarize and publish the app to github releases from my own Mac.
Now I know that on his machine electron-builder uses the "Developer ID Application" certificate that is in his keychain and XCode.
From what I understand I need to export that certificate as a .p12 file from his keychain.
Then copy it to my machine and then I should import it into keychain access on my machine?
I tried that but keychain access just says that it cannot import the item.
He is enrolled in the Apple developer program as a business and he added my appleId to their team and assigned the developer role to me.
I am not enrolled in the developer program, I just have a free account. Do I need to be enrolled?
Is this even what I should be doing (importing the .p12 certificate)? If so am I missing a step?
I have created an electron app. Now I want to sign code for both windows and mac platform. But I have only go daday pfx certificate.I successfully signed code using pfx certificate from go daday in windows platform. So,Can I sign an electron app on macos platform using go daday certificate?
You can sign a macOS app with a GoDaddy code-signing certificate, but it probably won't do what you want. Here's what Apple's developer documentation says (with my emphasis added):
Note: Apple uses the industry-standard form and format of code signing
certificates. Therefore, if your company already has a third-party
signing identity that you use to sign code on other systems, you can
use it with the macOS codesign command. Similarly, if your company is
a certificate issuing authority, contact your IT department to find
out how to get a signing certificate issued by your company. However,
while these valid certificates allow you to sign your code, you can
only distribute through the App Store or through the Developer ID
program when you sign with a certificate issued by Apple.
So, the question is: how is your application going to be distributed to users' computers?
If it's sold through Apple's App Store, you need to become an Apple Developer, get a Mac App Distribution certificate from Apple, and sign the app with that before submitting it to Apple.
If it's distributed outside Apple's App Store (e.g. via web download), then you also need to become an Apple developer, get a Developer ID certificate, and use that to sign it. If you don't sign it with the right kind of certificate, Gatekeeper will prevent users from opening the app unless they go through a special procedure to trust the app.
Either way, you need to join the Apple Developer program, and use an Apple-issued code signing certificate to sign the macOS version of your app.
This is the first time I have ever tried to sign a kernel extension, so I am open to the possibility that I'm doing it wrong.
I requested a kernel signing certificate from Apple. I was required to fill out a form that demonstrated that I really needed to create an in-kernel driver, rather than a user space driver that talked to an IOUserClient.
$ sudo kextutil FL2000.kext/
Password:
Notice: /Library/Extensions/FL2000.kext has debug properties set.
Diagnostics for /Library/Extensions/FL2000.kext:
Code Signing Failure: code signature is invalid
Untrusted kexts are not allowed
ERROR: invalid signature for com.frescologic.FL2000, will not load
It doesn't load at boot - it needs to because it is a graphics driver.
$ codesign --verify -vvvv FL2000.kext/
FL2000.kext/: valid on disk
FL2000.kext/: satisfies its Designated Requirement
$ codesign --display -vvvv FL2000.kext/
Executable=/Library/Extensions/FL2000.kext/Contents/MacOS/FL2000
Identifier=com.frescologic.FL2000
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=1590 flags=0x0(none) hashes=44+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=83a0328f9af971484b7e30c8d04e68a96dee72c1
CandidateCDHash sha256=cd6c72d17f00d2eed36078eece6a5b536c482772
Hash choices=sha1,sha256
Page size=4096
CDHash=cd6c72d17f00d2eed36078eece6a5b536c482772
Signature size=4693
Authority=Mac Developer: Michael Crawford (YU8CSARZFD)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 10, 2017, 1:10:07 PM
Info.plist entries=20
TeamIdentifier=444JK52Q93
Sealed Resources version=2 rules=13 files=2
Internal requirements count=1 size=184
Help me O Stackoverflow-Wan. You're my only hope!
I should have spotted this in your codesign output, but your comments make it clear: the problem is with the certificate you are using. Apple issues 4 kinds of Mac codesigning certificates:
"Mac Developer" certificates are for signing apps destined for the Mac App Store during the development phase. This is the type of certificate you appeared to be trying to use for signing a kext. This won't work. It will sign it OK, but kextd etc. won't accept the signature.
"Developer ID Application" certificates are for signing apps which will be distributed outside the App Store. A special variant of this type of certificate includes the certificate extension "( 1.2.840.113635.100.6.1.18 )" - only with this extension, it becomes possible to sign kexts such that they are accepted by macOS.
"Developer ID Installer" certificates are for signing Installer .pkg files/bundles. If you are distributing an app via a DMG or ZIP file, you shouldn't need this, but if you need an installer, possibly because what you're distributing isn't an app, but a kext or system service, then you should create an installer package and sign that with such a certificate.
"Mac Distribution" certificates are what you use to sign the build of an app before submitting it to the Mac App Store. These are also irrelevant to kext signing.
Presumably for security reasons, certificate types 2-4 are only issued to Team Agents in an Apple Developer account. Lowly developers are only given "Mac Developer" certificates, which are intended to be purely temporary, so they're not very security-relevant.
So to summarise, your problem is that you're using a "Mac Developer" certificate to sign a kext. You need to use a "Developer ID Application" certificate instead, specifically one that was issued after the development team was granted kext signing privileges by Apple. If you haven't applied for kext signing privileges, you can do so using this form. (It sounds like you have done so previously, but I'm pointing it out for the benefit of people in the same situation who might stumble across this in the future.)
I am trying to produce a code-signed installer package for distribution outside the Mac Store. My keychain contains the 5 certificates you get when joining the Apple Developer program yesterday. I have to use the command line "codesign" tool to do this. This requires great craft because codesign's default mechanism for hooking up with the correct certificate does not discriminate between certificates with similar "common names"--that they all begin with "3rd Party Mac Developer" creates confusion for codesign's default setting. There are ways to deal with this, however, if you study the documentation (codesign's man page and Apple's technical document, "Code Signing"). When I follow the various instructions carefully my attempt still fails. Here's my terminal command line input (note that my certificate id is X-ed out):
codesign -s "3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX)" -v /Users/antonywallacenispel/Desktop/SpellAware
_1.0/SpellAwareDistributionPackageStuff/SpellAware
Here is the result:
3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX): this identity cannot be used for signing code
And when I try the more restrictive request:
codesign -s -i "3rd Party Mac Developer Installer: Antony Nispel (XXXXXXXXXX)" -v /Users/antonywallacenispel/Desktop/SpellAware_1.0/SpellAwareDistributionPackageStuff/SpellAware
I get the following response:
-i: no identity found
I assure you that my "identity" (the comon name of my installer certificate) is correct.
I would appreciate any help.
The "Developer ID Installer" certificate is what you would use if not submitting to the AppStore.
Certificates Matter
These are the certificates you will need to use together for codesigning:
Developer ID Installer
Developer ID Application
3rd Party Mac Developer Installer (usually only used for the AppStore apps).
Apple Developer Codesigning Workflow Guide
In short, you have codesign your installer in a specific order with the correct codesigning certificate. I answered a similar question previously here.
I use 2 machines for developing a Mac application. I just submitted my app to the app store from my desktop (generating and using the appropriate certificates from Apple for code signing).
I exported and installed the certificates on my laptop so that they show up in the keychain but, yet, I'm unable to build my app on my laptop because of the following error:
Check dependencies
[BEROR]Code Sign error: The identity '3rd Party Mac Developer Application' doesn't match any valid certificate/private key pair in the default keychain
Is there any way to use the same certificates for code signing on more than 1 machine?
Yes, I use multiple computers and the same certificates all the time.
You need to also make sure you have the private keys imported into your keychains.