Developer ID certificates


Jeremy Hughes
 

I’ve been trying to code-sign an application for distribution outside the app store, and running into problems with Gatekeeper - which would display an alert saying: “<APPLICATION> can’t be opened. You should move it to the Trash.”

spctl would report that the certificate had been revoked:

spctl --assess --type execute --verbose <APPLICATION PATH>
<APPLICATION PATH>: CSSMERR_TP_CERT_REVOKED

I had turned on “Automatically manage signing” in the General section of Targets settings, and this set the certificate type to be “Mac Developer”.

I find the whole area of application certificates quite confusing, but I think that this is the wrong certificate type for applications that are distributed outside the app store. I *think* there are three types of certificates for Mac applications: Mac Developer (for submission to the app store), Mac Distribution (for distribution in the app store), and Developer ID (for distribution outside the app store).

So the next thing I tried doing was to set the Code Signing Identity (in Build Settings) to be “Developer ID: *”. This produced the following build error:

<APPLICATION> has conflicting provisioning settings. <APPLICATION> is automatically signed, but code signing identity Developer ID Application: Softpress Systems Ltd has been manually specified. Set the code signing identity value to "Mac Developer" in the build settings editor, or switch to manual signing in the project editor.

Assuming that “project editor” means General target settings, I’ve turned off “Automatically manage signing”, and the application now builds and is verified by Gatekeeper.

My questions are:

1. Have I understood application certificates correctly?

2. Does the “Automatically manage signing” option only apply to app-store applications?

3. Is CSSMERR_TP_CERT_REVOKED the expected error message for an application that is signed with the wrong certificate?

Jeremy


Jeremy Hughes
 

Sorry for the duplicate messages - they seem to have happened when my computer froze!

Jeremy


Quincey Morris
 

On Aug 8, 2017, at 16:09, Jeremy Hughes <moon.rabbit@...> wrote:

I *think* there are three types of certificates for Mac applications: Mac Developer (for submission to the app store), Mac Distribution (for distribution in the app store), and Developer ID (for distribution outside the app store).

No, this is not quite correct. The “Mac Developer” certificate is an *insecure* certificate that is tied to you personally as a developer. It’s used to code sign things that need code signing but are run “insecurely” via Xcode, or for creating code signed apps that can be distributed “insecurely” (e.g. to other people in your own organization).

The Mac App Distribution is the *secure* certificate for all app store submissions. It’s validated by Apple.

The Developer ID certificate is also a *secure* certificate validated by Apple, used for distribution outside the app store.

Gatekeeper accepts the last two without complaint. It won’t run the first kind of app unless you force it to.

So the next thing I tried doing was to set the Code Signing Identity (in Build Settings) to be “Developer ID: *”. This produced the following build error:

<APPLICATION> has conflicting provisioning settings. <APPLICATION> is automatically signed, but code signing identity Developer ID Application: Softpress Systems Ltd has been manually specified. Set the code signing identity value to "Mac Developer" in the build settings editor, or switch to manual signing in the project editor.

This error message is confusing. What it’s trying to tell you to do is set *all* of your code signing build settings to “Mac Developer” (the insecure setting, because it doesn’t matter here). Then you choose the actual signing method in the General tab of the target info (Automatic signing/Team).

The reason it doesn’t matter is that your app will be *re-signed* when you export an archive, depending on which of the 3 distribution methods you choose at that time.

This is what automatic signing does for you. It takes away the need to care how signing happens during building and (development-) running, and ensures correct signing when you get to an archive. The only problem is that if your build settings are crufty and have inconsistent values, Xcode now prompts you to “fix” them by setting them all to the same thing (Mac Developer, but I suspect it works fine if all targets just have the same setting. The problem is inconsistent settings, suggesting you think you’re doing signing manually.)

My questions are:

1. Have I understood application certificates correctly?

See above. There used to be a parallel set of “installer” certificates that you used for PackageMaker (or whatever it was) but that’s all gone away, at least in the automatic-signing scenario.

FWIW, I think calling the personal certificate “Mac Developer” is a mistake, because it sounds like one of the other things.

2. Does the “Automatically manage signing” option only apply to app-store applications?

Nope. It applies to any app where you don’t choose the final code signing technique at build time, but rather at archive export time.

3. Is CSSMERR_TP_CERT_REVOKED the expected error message for an application that is signed with the wrong certificate?

No comment. ;)
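One way to catch a build signed with the wrong class of certificate before Gatekeeper rejects it, added here as an example that is not part of this thread: classify the leaf `Authority=` line that `codesign -dvv` prints for the bundle. The two sample outputs are constructed, `check_app` is an assumed wrapper for use on a real Mac, and the certificate name strings follow the types discussed above (plus the newer "Apple Development"/"Apple Distribution" names).

```shell
#!/bin/sh
# Added example: classify a macOS bundle's signing certificate from `codesign -dvv`
# output. Runs offline on the constructed samples; on macOS, check_app runs the
# real tools against an app path.

# Constructed sample of `codesign -dvv` output for a Developer ID signed app.
SAMPLE_DEV_ID='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Constructed sample for a build signed with the personal "Mac Developer" cert,
# which Gatekeeper will refuse to run.
SAMPLE_MAC_DEV='Executable=/Users/me/Build/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Mac Developer: Jane Doe (XYZ987WXYZ)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# classify_signing: read codesign output on stdin and print one of
# developer-id | app-store | development | adhoc-or-unsigned | unknown.
# The first Authority= line is the leaf (signing) certificate.
classify_signing() {
    leaf=$(grep '^Authority=' | head -n 1 | sed 's/^Authority=//' || true)
    case "$leaf" in
        "Developer ID Application:"*) echo developer-id ;;   # accepted outside the store
        "3rd Party Mac Developer Application:"*|"Apple Distribution:"*) echo app-store ;;
        "Mac Developer:"*|"Apple Development:"*) echo development ;; # Gatekeeper refuses
        "") echo adhoc-or-unsigned ;;                          # no Authority line at all
        *) echo unknown ;;
    esac
}

# check_app (assumed wrapper, macOS only): codesign -d writes its display output
# to stderr, hence 2>&1; spctl then gives Gatekeeper's own verdict.
check_app() {
    kind=$(codesign -dvv "$1" 2>&1 | classify_signing)
    echo "signing identity class: $kind"
    spctl --assess --type execute --verbose "$1"
}

# Offline demo on the constructed samples.
for s in "$SAMPLE_DEV_ID" "$SAMPLE_MAC_DEV"; do
    printf '%s\n' "$s" | classify_signing
done
```

On a Mac, `check_app /path/to/Example.app` reports "development" for an Xcode debug build and "developer-id" for a bundle exported via Archive/Export with Developer ID.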


Jeremy Hughes
 

That’s really helpful - thanks!

Using Archive/Export to create a signed application was the main thing I'd missed.

Jeremy