Hi. I’m delving into this now for the first time to code sign my app using AppWrapper and also DMG Canvas but I’m confused about the process of generating a certificate from the Mac Developer Center and installing it.
First I tried downloading a certificate from the macOS section (it had an expiry of May 2018) and double-clicking it and it showed up in Keychain but AppWrapper said it was no good. Then I created a CSR (Certificate Signing Request) from my computer for Mac “Application” and downloaded the certificate generated with that (which now had an expiry of June 2022) and installed it but AppWrapper still said it was no good.
So then I created another certificate for Mac “Installer” and installed it and then AppWrapper said it was ok.
But I also had to add my Apple ID to Xcode I think, not sure if that made it work.
Anyway, it’s all very confusing. Is there a simple how-to on Xojo or somewhere else about this?
Right now I also need to know a few specific things:
When I create the CSR from my Mac should I use my name for it or a company name? Is this viewable to the public?
Should I select “self-signed root” as identity type and “code signing” as certificate type?
Do I need to create a different CSR and generate another pair of certificates from the dev centre for my other Mac if I intend to code sign on that too?
Seems to me… I went to the Apple Developer site, into my account. And it did it all for me… including installing them to Xcode.
Once Xcode knew about them, So did Appwrapper, and even a simple signing program I wrote of my own.
I spent about 2 pos. fighting with this earlier this year. When it was finished and my certs. were signing correctly, I made notes of a few things I learned (with Sam’s help). I share them here in the hopes it will help somebody.
Additionally, I strongly recommend that you do not try to set up 2 different Macs for signing purposes. I tried that and it failed miserably as setting up #2 revoked the certs on #1. Just move your completed apps over to the Mac set up to sign.
Good luck…
App Wrapper
Turn off “View All Certificates”
See “Code Signing Diagnostics”
KeyChain Access
The Developer ID and Developer ID Installer certs. are for Gate Keeper
The 3rd party Mac Developer, and 3rd Party Installer are for MAS
(they are not named that on the developer.apple.com site but will become that when installed)
You can safely delete duplicate certs with different expiration dates.
Keep the latest dated one.
Right-click to do a diagnostic on the selected cert.
XCode
Go to Preferences, Accounts, and click on details to see your certs
If a cert has been revoked, there will be a “reset” button beside that cert.
If the reset btn takes you to the web site, you probalby need to re-DL the cert.
Otherwise, it will revoke the old one and create a new one.
Delete the old one from Keychain
I can confirm that what Roger says is true; I found out the hard way also. When you use Xcode to configure your signing identities (which is the easiest way); if you then do it on another machine, it actually invalidates the identities on the first machine. But here’s the kicker, you won’t know UNTIL someone tries to run the application on a third machine!
You can try using the technique in this App Wrapper Help topic to copy the identities from one machine to another; I’ve not proven it, but at least it won’t cancel your existing identities.
I’m glad I’m not the only one who finds this confusing.
[quote=335586:@Roger Clary]I spent about 2 pos. fighting with this earlier this year. When it was finished and my certs. were signing correctly, I made notes of a few things I learned (with Sam’s help). I share them here in the hopes it will help somebody.
[/quote]
Thanks, Roger. That was very helpful in understanding it all.
Thanks, Sam. That also helps. It’s still confusing but I’m now beginning to get my head around the process. I think the problem was signing online and creating a CSR on one machine and then going to another machine and using Xcode.
For some reason Xcode on El Capitan allowed me to create and install certificates for MAS and iOS but not the Developer ones. All it had was reset button option which as Roger explained just took me to the website. And the certificates on the website didn’t seem to have the revoke button enabled which also doesn’t make sense to me.
Is it possible to create Developer Certificates (for distribution outside of the Apple Store) via Xcode or can that only be done manually via their online process? Do you know why the revoke buttons aren’t enabled?
If you don’t have the Developer Cert. then you don’t need to revoke anything. Just DL your Dev. cert from the Apple Developer site, double-click it, and make sure it’s then installed in your keychain.
I filed this as a bug with Apple; because even I thought “What the heck am I supposed to do now?” It came back with “Operating as designed”. I tried to argue that the design is obviously poor because it leaves people confused and unable to release their apps. I got the unanimous “We don’t give a ####” response, by no response at all.
I would love to be able to handle these bits of code signing that are so complicated; but alas it’s way beyond my pay grade. The Xcode route is a major improvement over the old way of doing it, but it’s still too incomplete.
I called Apple Developer Support 2-3 times trying to get my certs in order. The techs tried to help, but it was obvious that they really didn’t know much about this area. Finally, a “supervisor” emailed me and told me, in so many words" to stop bothering his techs over this matter. I am convinced that Apple has made this process intentionally obtuse for whatever reason.
It’s crazy and is clearly where the whole cult of “Apple” falls flat on its face. If you choose the stance of designing everything the way “you think is best” for everyone then you need to make sure it is actually better and works properly otherwise Apple need to change their “I am God” stance or provide better support for something so crucial… and listen to developers whom without which they would not have a company or any customers.
Anyway, I will endeavor to get it working and report back if I have any problems. Thanks again for all your help.