Re: Developer ID certificates

Quincey Morris

On Aug 8, 2017, at 16:09 , Jeremy Hughes <moon.rabbit@...> wrote:

I *think* there are three types of certificates for Mac applications: Mac Developer (for submission to the app store), Mac Distribution (for distribution in the app store), and Developer ID (for distribution outside the app store).

No, this is not quite correct. The “Mac Developer” certificate is an *insecure* certificate that is tied to you personally as a developer. It’s used to code sign things that need code signing but are run “insecurely” via Xcode, or for creating code signed apps that can be distributed “insecurely” (e.g. to other people in your own organization).

The Mac App Distribution is the *secure* certificate for all app store submissions. It’s validated by Apple.

The Developer ID certificate is also a *secure* certificate validated by Apple, use for distribution outside the app store.

GateKeeper accepts the last two without complaint. It won’t run the first kind of app unless you force it to.

So the next thing I tried doing was to set the Code Signing Identity (in Build Settings) to be “Developer ID: *”. This produced the following build error:

<APPLICATION> has conflicting provisioning settings. <APPLICATION> is automatically signed, but code signing identity Developer ID Application: Softpress Systems Ltd has been manually specified. Set the code signing identity value to "Mac Developer" in the build settings editor, or switch to manual signing in the project editor.

This error message is confusing. What it’s trying to tell you do is set *all* of your code signing build settings to “Mac Developer” (the insecure setting, because it doesn’t matter here). Then you choose the actual signing method in the General tab of the target info (Automatic signing/Team).

The reason it doesn’t matter is that your app will be *re-signed* when you export an archive, depending on which of the 3 distribution methods you choose at that time.

This is what automatic signing does for you. It takes away the need to care how signing happens during building and (development-) running, and ensures correct signing when you get to an archive. The only problem is that if your build settings are crufty and have inconsistent values, Xcode now prompts you to “fix” them by setting them all to the same thing (Mac Developer, but I suspect it works fine if all target just have the same setting. The problem is inconsistent settings, suggesting you think you’re doing signing manually.)

My questions are:

1. Have I understood application certificates correctly?

See above. There used to be a parallel set of “installer” certificates that you used for PackageMaker (or whatever it was) but that’s all gone away, at least in the automatic-signing scenario.

FWIW, I think calling the personal certificate “Mac Developer” is a mistake, because it sounds like one of the other things.

2. Does the “Automatically manage signing” option only apply to app-store applications?

Nope. It applies to any app where you don’t choose the final code signing technique at build time, but rather at archive export time.

3. Is CSSMERR_TP_CERT_REVOKED the expected error message for an application that is signed with the wrong certificate?

No comment. ;)

Join to automatically receive all group messages.