So this is my first time making certificates for Mac apps for distribution outside the Mac app store and in the app store. I think I did everything right and I have two certificates, for example Developer ID Applications: myname(xxxxxx) and 3rd Party Mac developer Application:my name (xxxxx) .
So which one do I use for the app store and which one do I use outside of the app store?
Also in XOJO 2022 r3.2, what do I put in the Developer ID ?
Developer ID Application is for signing for direct website distribution.
3rd Party Mac Developer is for Mac App Store, but you need to use the Installer certificate to create an installer package (which, last I knew, was what you uploaded to the MAS). My MAS information may be outdated, so someone else please chime in if I’m not correct.
“Developer ID: My Name (xxxxx)” which just so you’re aware is not a secret.
So do I still use 3rd Party Mac Developer cert for the app and then use the installer cert for the installer package (for the app store) ?
I think so, but it’s been years since I’ve deployed inside the Mac App Store.
App Wrapper can make code signing and notarization significantly easier for older IDEs that don’t have the “Deploy” feature.
The Xojo Blog is full of useful resources, as for example 
: Code Signing on macOS: What Developers Need to Know, Part 4 – Xojo Programming Blog
Of course, the Documentation is waaaay useful: Publishing macOS and iOS Apps to the App Store from Xojo — Xojo documentation
Starting with Xojo 2026r1, handling certificates/publishing is just painless 
: Team-based Signing Arrives to macOS – Xojo Programming Blog
I’ve not yet used the Xojo’s built-in “deploy” feature, because it causes troubles on my side, so I have no experience there. However, my impression is that AppWrapper has more diagnostic tools/help than Xojo and is still a better way; would you agree?
100%.
I havent even tried the Xojo deploy since (as far as I can tell) it concerns itself with the app, but stops short of the DMG or PKG part (I may be wrong)
But App Wrapper will tell you if you are missing certificates, will drill down into the app and sort out what needs to be done for bundled items, it code signs, notarises, applies external icons if you wish, can apply an Apple help file, and so much more.
It’s quite underpriced too.. I wouldn’t be without it.
As Xojo does too. Just to clarify this
As Xojo does too. Just to clarify this
Thanks to everyone for the help/ feedback.
I have figured out (via terminal ) hoe to sign, notarize and staple my apps released outside of the MAS, so all my apps will now appease Gatekeeper.
As for deploying to MAS, I do believe I got it figured out. However issue came up after submitted an app to MAS, it didn’t like some things generated by XOJO like some .dylib and .framework.
I tested an app with sandboxing enabled, (entitlements.plist) but that caused issues with some of my apps. One launches another app via shell command, which sandboxing won’t allow. Then some apps remember last opened items. While I could select a previous opened it wouldn’t do anything. Another thing is one app lets users set paths to certain things so when the app opens it will display the items. Sandboxing wouldn’t allow that.
Anyway I’m not sure its even worth deploying to the MAS.
Thanks.