Mac Developer Code Signing Certificate

Hi. I’m delving into this now for the first time to code sign my app using AppWrapper and also DMG Canvas but I’m confused about the process of generating a certificate from the Mac Developer Center and installing it.

First I tried downloading a certificate from the macOS section (it had an expiry of May 2018) and double-clicking it and it showed up in Keychain but AppWrapper said it was no good. Then I created a CSR (Certificate Signing Request) from my computer for Mac “Application” and downloaded the certificate generated with that (which now had an expiry of June 2022) and installed it but AppWrapper still said it was no good.

So then I created another certificate for Mac “Installer” and installed it and then AppWrapper said it was ok.

But I also had to add my Apple ID to Xcode I think, not sure if that made it work.

Anyway, it’s all very confusing. Is there a simple how-to on Xojo or somewhere else about this?

Right now I also need to know a few specific things:

  1. When I create the CSR from my Mac should I use my name for it or a company name? Is this viewable to the public?
  2. Should I select “self-signed root” as identity type and “code signing” as certificate type?
  3. Do I need to create a different CSR and generate another pair of certificates from the dev centre for my other Mac if I intend to code sign on that too?


Seems to me… I went to the Apple Developer site, into my account. And it did it all for me… including installing them to Xcode.
Once Xcode knew about them, So did Appwrapper, and even a simple signing program I wrote of my own.

This stuff is totally confusing. Don’t expect a simple how-to. Either it works after much grumbling or you pray to the gods of your choice.

First Xcode crashed. Now it tells me that I need to accept the latest license. But why doesn’t it show me the license???

It’s still very confusing, Dave. Maybe not for you but it is for me…a novice to this.

I just did it via Xcode on the other Mac and now I have two different types of certificates stated there than on the original Mac.

On Mac 1 with certificates created via Apple Developer Site my Xcode Preference>Account states:

Developer ID Application
Developer ID Installer

And under its Keychain it states:

Developer ID Application - expires June 2022
Developer ID Installer - expires June 2022

On Mac 2 with certificates created via Xcode “Create” function and imported, my Xcode Preference>Account states:

Developer ID Application
Developer ID Installer
Mac App Distribution
Mac Installer Distribution

And under its Keychain it states:

3rd Party Mac Developer Application - expires June 2018
3rd Party Mac Developer Installer - expires June 2018

What do the different types mean and why are there different types on each Mac?

I spent about 2 pos. fighting with this earlier this year. When it was finished and my certs. were signing correctly, I made notes of a few things I learned (with Sam’s help). I share them here in the hopes it will help somebody.
Additionally, I strongly recommend that you do not try to set up 2 different Macs for signing purposes. I tried that and it failed miserably as setting up #2 revoked the certs on #1. Just move your completed apps over to the Mac set up to sign.
Good luck…

App Wrapper
Turn off “View All Certificates”
See “Code Signing Diagnostics”

KeyChain Access
The Developer ID and Developer ID Installer certs. are for Gate Keeper
The 3rd party Mac Developer, and 3rd Party Installer are for MAS
(they are not named that on the site but will become that when installed)
You can safely delete duplicate certs with different expiration dates.
Keep the latest dated one.
Right-click to do a diagnostic on the selected cert.

Go to Preferences, Accounts, and click on details to see your certs
If a cert has been revoked, there will be a “reset” button beside that cert.
If the reset btn takes you to the web site, you probalby need to re-DL the cert.
Otherwise, it will revoke the old one and create a new one.
Delete the old one from Keychain

I can confirm that what Roger says is true; I found out the hard way also. When you use Xcode to configure your signing identities (which is the easiest way); if you then do it on another machine, it actually invalidates the identities on the first machine. But here’s the kicker, you won’t know UNTIL someone tries to run the application on a third machine!

You can try using the technique in this App Wrapper Help topic to copy the identities from one machine to another; I’ve not proven it, but at least it won’t cancel your existing identities.

3rd Party Mac Developer & 3rd Party Mac Installer are for App Store submission only; Developer ID identities are for everything else.

I’m glad I’m not the only one who finds this confusing.

[quote=335586:@Roger Clary]I spent about 2 pos. fighting with this earlier this year. When it was finished and my certs. were signing correctly, I made notes of a few things I learned (with Sam’s help). I share them here in the hopes it will help somebody.

Thanks, Roger. That was very helpful in understanding it all.

Thanks, Sam. That also helps. It’s still confusing but I’m now beginning to get my head around the process. I think the problem was signing online and creating a CSR on one machine and then going to another machine and using Xcode.

For some reason Xcode on El Capitan allowed me to create and install certificates for MAS and iOS but not the Developer ones. All it had was reset button option which as Roger explained just took me to the website. And the certificates on the website didn’t seem to have the revoke button enabled which also doesn’t make sense to me.

Is it possible to create Developer Certificates (for distribution outside of the Apple Store) via Xcode or can that only be done manually via their online process? Do you know why the revoke buttons aren’t enabled?

If you don’t have the Developer Cert. then you don’t need to revoke anything. Just DL your Dev. cert from the Apple Developer site, double-click it, and make sure it’s then installed in your keychain.

I filed this as a bug with Apple; because even I thought “What the heck am I supposed to do now?” It came back with “Operating as designed”. I tried to argue that the design is obviously poor because it leaves people confused and unable to release their apps. I got the unanimous “We don’t give a ####” response, by no response at all.

If you have the developer ID certificate already installed on one machine, you can use the technique I described here to copy it to the other machine.

I would love to be able to handle these bits of code signing that are so complicated; but alas it’s way beyond my pay grade. The Xcode route is a major improvement over the old way of doing it, but it’s still too incomplete.

I called Apple Developer Support 2-3 times trying to get my certs in order. The techs tried to help, but it was obvious that they really didn’t know much about this area. Finally, a “supervisor” emailed me and told me, in so many words" to stop bothering his techs over this matter. I am convinced that Apple has made this process intentionally obtuse for whatever reason.

It’s crazy and is clearly where the whole cult of “Apple” falls flat on its face. If you choose the stance of designing everything the way “you think is best” for everyone then you need to make sure it is actually better and works properly otherwise Apple need to change their “I am God” stance or provide better support for something so crucial… and listen to developers whom without which they would not have a company or any customers.

Anyway, I will endeavor to get it working and report back if I have any problems. Thanks again for all your help.