Install codesign certs on second Mac

How do I correctly install codesign certificates on a second Mac?

I have a first Mac where I successfully sign and notarize my apps for macOS outside the App Store.

On the second Mac I downloaded the existing "Developer ID Installer" and "Developer ID Application" certificates and installed them in Keychain. I also downloaded and installed the Intermediate Certificate.

When I try to sign anything on the second Mac I see the error:
"error: The specified item could not be found in the keychain."

I also have a file "CertificateSigningRequest.certSigningRequest" saved from the first Mac. No idea how to use it.

What did I miss in this nightmare to get it to work? And keep codesigning on the first Mac, too.
Answered by DTS Engineer in 643038022

On second Mac I downloaded existing "Developer ID Installer" and
"Developer ID Application" certificates and installed in KeyChain.

The problem here is one of terminology. When folks say “code signing certificate” they usually mean “code signing identity”, where a digital identity is the combination of a certificate and a private key. When you download a signing certificate from Apple you download just that, a certificate. A certificate is only half of the digital identity; you can’t sign anything without the private key. And you can’t download the private key from Apple because Apple doesn’t have a copy. Rather, it’s stored in the keychain on your original Mac.

The best way to move signing credentials between Macs is via Xcode’s import/export feature. Go to Xcode > Preferences > Accounts, select your account, and then choose Export Apple ID and Code Signing Assets. Then do the reverse on your other Mac.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
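
The certificate versus identity distinction from the answer above, as an added example that is not part of the original thread and is not Apple's code. It assumes the `openssl` command-line tool; the file names, the subject and the self-signed certificate (a stand-in for the certificate a CA issues from a CSR) are constructed for illustration. A `.certSigningRequest` file plays the role of `request.csr` here: it carries the public key, not the private key.

```shell
#!/bin/sh
# Added example: throwaway key, CSR and self-signed certificate (all constructed).

# Create the three artifacts in directory $1.
make_identity() {
  dir=$1
  # 1. Private key: generated locally; in the thread it lives in the first Mac's keychain.
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1
  # 2. CSR: carries only the public key and subject, signed with the private key.
  openssl req -new -key "$dir/key.pem" -subj "/CN=Constructed Example Signer" \
    -out "$dir/request.csr" 2>/dev/null || return 1
  # 3. Certificate: self-signed here as a stand-in for the CA's response to the CSR.
  openssl x509 -req -in "$dir/request.csr" -signkey "$dir/key.pem" -days 1 \
    -out "$dir/cert.pem" 2>/dev/null
}

# Succeeds only if file $1 holds a private key that can sign payload $2.
can_sign() {
  openssl dgst -sha256 -sign "$1" -out "$2.sig" "$2" 2>/dev/null
}

# Succeeds if certificate $1 and private key $2 carry the same public key,
# that is, if together they form one digital identity.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds if signature $2.sig over payload $2 verifies against certificate $1.
verify_with_cert() {
  openssl x509 -in "$1" -noout -pubkey > "$2.pub" 2>/dev/null || return 1
  openssl dgst -sha256 -verify "$2.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# macOS only: list the identities (certificate plus private key) in the keychain.
list_keychain_identities() {
  command -v security >/dev/null 2>&1 || return 2
  security find-identity -v
}
```

Signing succeeds with `key.pem` and fails with `cert.pem` or `request.csr` alone, while the certificate is all that is needed to verify. That is the state of a Mac that has only the downloaded certificates installed.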
Many thanks! Really simple solution. Now I can sign my app on my second Mac.

Apple's Certificates, Identifiers, and Profiles page says clearly "Download your certificate" and gives instructions on how to install it by double-clicking the .cer file. No clue that an export/import would be necessary. => Any terminology problems are starting real close to home.

Any terminology problems are starting real close to home.

I agree that Apple is inconsistent about this, an attribute shared by the entire industry. However, in the specific case you mentioned the terminology is correct. The thing you download from the developer web site is a certificate. You are expected to combine that with the private key that you already have in order to form a digital identity. Apple never gets a copy of your private key [1].

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] In the traditional model. This changes if you adopt cloud signing.
