Re: Developer ID certificates
On Aug 8, 2017, at 16:09 , Jeremy Hughes <moon.rabbit@...> wrote:
No, this is not quite correct. The “Mac Developer” certificate is an *insecure* certificate that is tied to you personally as a developer. It’s used to code sign things that need code signing but are run “insecurely” via Xcode, or for creating code signed apps that can be distributed “insecurely” (e.g. to other people in your own organization).
The Mac App Distribution is the *secure* certificate for all app store submissions. It’s validated by Apple.
The Developer ID certificate is also a *secure* certificate validated by Apple, used for distribution outside the app store.
GateKeeper accepts the last two without complaint. It won’t run the first kind of app unless you force it to.
This error message is confusing. What it’s trying to tell you to do is set *all* of your code signing build settings to “Mac Developer” (the insecure setting, because it doesn’t matter here). Then you choose the actual signing method in the General tab of the target info (Automatic signing/Team).
The reason it doesn’t matter is that your app will be *re-signed* when you export an archive, depending on which of the 3 distribution methods you choose at that time.
This is what automatic signing does for you. It takes away the need to care how signing happens during building and (development-) running, and ensures correct signing when you get to an archive. The only problem is that if your build settings are crufty and have inconsistent values, Xcode now prompts you to “fix” them by setting them all to the same thing (Mac Developer, but I suspect it works fine if all targets just have the same setting. The problem is inconsistent settings, suggesting you think you’re doing signing manually.)
See above. There used to be a parallel set of “installer” certificates that you used for PackageMaker (or whatever it was) but that’s all gone away, at least in the automatic-signing scenario.
FWIW, I think calling the personal certificate “Mac Developer” is a mistake, because it sounds like one of the other things.
Nope. It applies to any app where you don’t choose the final code signing technique at build time, but rather at archive export time.
No comment. ;)