Developer ID certificates
Jeremy Hughes
I’ve been trying to code-sign an application for distribution outside the app store, and running into problems with Gatekeeper - which would display an alert saying: “<APPLICATION> can’t be opened. You should move it to the Trash.”
spctl would report that the certificate had been revoked:

    spctl --assess --type execute --verbose <APPLICATION PATH>
    <APPLICATION PATH>: CSSMERR_TP_CERT_REVOKED

I had turned on “Automatically manage signing” in the General section of Targets settings, and this set the certificate type to be “Mac Developer”. I find the whole area of application certificates quite confusing, but I think that this is the wrong certificate type for applications that are distributed outside the app store.

I *think* there are three types of certificates for Mac applications: Mac Developer (for submission to the app store), Mac Distribution (for distribution in the app store), and Developer ID (for distribution outside the app store).

So the next thing I tried doing was to set the Code Signing Identity (in Build Settings) to be “Developer ID: *”. This produced the following build error:

    <APPLICATION> has conflicting provisioning settings. <APPLICATION> is automatically signed, but code signing identity Developer ID Application: Softpress Systems Ltd has been manually specified. Set the code signing identity value to "Mac Developer" in the build settings editor, or switch to manual signing in the project editor.

Assuming that “project editor” means General target settings, I’ve turned off “Automatically manage signing”, and the application now builds and is verified by Gatekeeper.

My questions are:

1. Have I understood application certificates correctly?
2. Does the “Automatically manage signing” option only apply to app-store applications?
3. Is CSSMERR_TP_CERT_REVOKED the expected error message for an application that is signed with the wrong certificate?

Jeremy
|
|
Jeremy Hughes
Sorry for the duplicate messages - they seem to have happened when my computer froze!
Jeremy
|
|
Quincey Morris
On Aug 8, 2017, at 16:09 , Jeremy Hughes <moon.rabbit@...> wrote:
The Mac App Distribution is the *secure* certificate for all app store submissions. It’s validated by Apple. The Developer ID certificate is also a *secure* certificate validated by Apple, used for distribution outside the app store. GateKeeper accepts the last two without complaint. It won’t run the first kind of app unless you force it to.
This error message is confusing. What it’s trying to tell you to do is set *all* of your code signing build settings to “Mac Developer” (the insecure setting, because it doesn’t matter here). Then you choose the actual signing method in the General tab of the target info (Automatic signing/Team). The reason it doesn’t matter is that your app will be *re-signed* when you export an archive, depending on which of the 3 distribution methods you choose at that time. This is what automatic signing does for you. It takes away the need to care how signing happens during building and (development-) running, and ensures correct signing when you get to an archive. The only problem is that if your build settings are crufty and have inconsistent values, Xcode now prompts you to “fix” them by setting them all to the same thing (Mac Developer, but I suspect it works fine if all targets just have the same setting. The problem is inconsistent settings, suggesting you think you’re doing signing manually.)
See above. There used to be a parallel set of “installer” certificates that you used for PackageMaker (or whatever it was) but that’s all gone away, at least in the automatic-signing scenario. FWIW, I think calling the personal certificate “Mac Developer” is a mistake, because it sounds like one of the other things.
Nope. It applies to any app where you don’t choose the final code signing technique at build time, but rather at archive export time.
No comment. ;)
|
|
Jeremy Hughes
That’s really helpful - thanks!
Using Archive/Export to create a signed application was the main thing I'd missed.
Jeremy
|
|
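Added example, not part of the thread and not any poster's code: a pre-release check that reads `codesign -dvv` output and confirms the leaf certificate is a Developer ID one before asking Gatekeeper (`spctl`) for its verdict, which is the distinction the thread turns on. The sample output, names and team IDs are constructed, and the "3rd Party Mac Developer Application" prefix for the App Store distribution certificate is an assumption that does not appear on the page.

```shell
#!/bin/sh
# Added example. Classify the leaf signing certificate in `codesign -dvv` output.

# Constructed samples; the names and team IDs are placeholders.
SAMPLE_DEV='Identifier=com.example.Example
Authority=Mac Developer: Jane Doe (ABCDE12345)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
SAMPLE_DEVID='Identifier=com.example.Example
Authority=Developer ID Application: Example Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# Print the first Authority= value (the leaf certificate) read from stdin.
leaf_authority() {
    sed -n '/^Authority=/{s///p;q;}'
}

# Map a leaf certificate name to the kind of signing it represents.
classify_authority() {
    case "$1" in
        "Developer ID Application:"*)            echo "developer-id" ;;
        "3rd Party Mac Developer Application:"*) echo "app-store" ;;   # assumption: not on the page
        "Mac Developer:"*)                       echo "development" ;;
        "")                                      echo "unsigned" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Read codesign output on stdin, print the kind, succeed only for Developer ID.
ok_for_direct_distribution() {
    kind=$(classify_authority "$(leaf_authority)")
    echo "$kind"
    [ "$kind" = "developer-id" ]
}

# On a Mac: check a real bundle, then ask Gatekeeper for its verdict.
check_app() {
    # codesign -d writes its report to stderr, hence 2>&1
    codesign -dvv "$1" 2>&1 | ok_for_direct_distribution &&
        spctl --assess --type execute --verbose "$1"
}

if [ "$#" -gt 0 ]; then check_app "$1"; fi
```

Run it against the exported archive product rather than the build-folder product, since the export step is where the final signature is applied.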