How does this impacts certs etc?
Yes. Your code signing identities are tied to your team and thus you’ll need to redo those.
A bigger concern is the impact of this on your users. macOS typically identifies an app by its bundle ID. If you use a new bundle ID then you have a new app. That’s the safest approach here.
If you use the same bundle ID then things get complicated. That’s because the bundle ID isn’t the
only way that macOS identifies an app. In certain circumstances, most notably the keychain, macOS will use your App ID (or its equivalent) to identify your app. Your Team ID is part of your App ID, so changing Team ID will cause code identity problems.
For example, the keychain uses an app’s designated requirement (DR) to track which keychain items belong to which app [1]. That DR embeds the Team ID. For example:
Code Block | % codesign -d -r - QProcessDock.app |
| Executable=/Applications/QProcessDock.app/Contents/MacOS/QProcessDock |
| designated => anchor apple generic and \ |
| identifier "com.example.apple-samplecode.QProcessDock" and |
| (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or \ |
| certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and \ |
| certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and \ |
| certificate leaf[subject.OU] = SKMME9E2Y8) |
If your Team ID changes then your DR changes and the keychain starts prompting the user to grant the app access to its ‘own’ keychain items.
This isn’t the only potential issue. There are numerous other subsystems within macOS that identify your app based on its App ID (or equivalent).
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"[1] I’m assuming the old school macOS file-based keychain here. In the new iOS-style database keychain you’ll see a similar effect though, because your keychain access groups all use your Team ID as their prefix.
