How to app distribution for Mac

I'm developing an app for Mac, and I'm a complete novice; I've never done this in my life.

There are a total of 2 targets via extension, one of which contains endpoint-security.

Anyway, I succeeded in setting up the provisioning file on the developing PC, building it, and running it. I also wanted to bundle all those apps via dmg and run them on different macOS machines. But here's the problem: When I run it on another PC, I get a notification that it is being blocked by the gatekeeper.

When I ran the following command through Google, rejected was confirmed, and I found out that this is the difference between notarization.

command : spctl --assess --verbose=4 --type exec /Applications/My.app

result : /Applications/My.app : rejected

Afterwards I created Certificates -> Add -> Developer ID Applications certificate from Apple Developer site and registered it to my keychain. After doing Xcode's Product -> Archives -> Distribute App -> Developer ID -> Upload for notarization, I selected as follows.

Distribution Certificate => Developer ID Applications

App1: [Error] Profile doesn't include the selected signing certificate. [Error] Profile is not a "Developer ID" profile.

App2: [Error] Profile doesn't include the selected signing certificate. [Error] Profile is not a "Developer ID" profile.

An error occurred in the provisioning profile, and when you use the provisioning used for build, I confirmed that the error occurred because the Type was Development.

[Where you need help] So I chose Developer ID from Create Profile on Apple developer site to create a new provisioning profile for Developer ID Applications. But it says no certificate here. Also, Distribution has the following items, and no matter which one I select, I could not create a provisioning file using the Developer ID Applications certificate created above.

[Distribution List]

  1. Ad Hoc

     Create a distribution provisioning profile to install your app on a limited number of registered devices.

  2. tvOS Ad Hoc

     Create a distribution provisioning profile to install your app on a limited number of registered tvOS devices.

  3. Developer ID

     Create a Developer ID provisioning profile to use Apple services with your Developer ID signed applications.

  4. In House

     To sign iOS apps for In House Distribution, you need a Certificate.

  5. tvOS In House

     To sign tvOS apps for In House Distribution, you need a Certificate.

I would like to create a provisioning file for notarization, can you tell me in detail where to create it?

Lemme start by pointing you at my Signing a Mac Product For Distribution post. This should answer a bunch of your questions. If you still can’t get this working, post back with details about where you got stuck.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In future, it’d help if you posted long replies as replies. The comment box is best reserved for… well… comments.

Then, to check if the gatekeeper is affected

I recommend against using spctl for checking for Gatekeeper compatibility. Rather, use the process described in Testing a Notarised Product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Feel free to ignore the comments I left above. The case is an error with the extension app, and it is considered normal, not an error with the actual app.

I also encountered the following problem: I've read all the documentation to fix the issue, but I can't confirm any idea why this is happening?

Case 1

I had an existing Apple Development signed app for distribution.

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

Command : security cms -D -i /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/embedded.provisionprofile

Command : security cms -D -i /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension/Contents/embedded.provisionprofile

However, in order to distribute the app, as mentioned above, you must sign with Developer ID Applications to avoid being blocked by the gatekeeper. Therefore, I re-signed, and the result of code signing is as follows.

Command : codesign -s "Developer ID Application: My Team (Team_id)" --options=runtime --force /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

Command : codesign -s "Developer ID Application: My Team (Team_id)" --options=runtime --force /Users/MyUserID/Desktop/release/SystemExtensions.app

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

embedded.provisionprofile properties are the same as before sign.

And when I run the app, the following error occurs. Also, the square red box is the log being taken by my app. What could be causing this error? Was it my fault?

=======================================================================================

Case 2

As I saw in Case 1, the entitlement property before and after signing is different, so when re-signing, I put the --preserve-metadata=entitlements option to bring the entitlement property as it is.

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

Command : security cms -D -i /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/embedded.provisionprofile

Command : security cms -D -i /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension/Contents/embedded.provisionprofile

Command : codesign --preserve-metadata=entitlements --force --verbose -s "Developer ID Application: My Team (Team_id)" --options=runtime --force /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

Command : codesign --preserve-metadata=entitlements --force --verbose -s "Developer ID Application: My Team (Team_id)" --options=runtime --force /Users/MyUserID/Desktop/release/SystemExtensions.app

After that, if you check the information, you can see that everything is normal as shown below.

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app

Command : codesign -dvvv --entitlements - /Users/MyUserID/Desktop/release/SystemExtensions.app/Contents/Library/SystemExtensions/My.Domain.SystemExtensions.Extension.systemextension

embedded.provisionprofile properties are the same as before sign.

Then, when you run it, an error different from Case1 is displayed as shown below.

Please don’t post screen shots of things that are fundamentally textual, like Terminal transcripts and log files. This causes a bunch of problems:

  • I struggle to read some of your screen shots, particularly the wider ones.

  • I can’t copy’n’paste from them.

  • I can’t search the text.

It’s better to post text in one of two ways:

  • For short stuff, use a code block — Click the Code Block button to get this.

  • For long stuff, use a text attachment — Click the paperclip icon and then Add Text.

Also, if you redact things, use the process described in Posting a Crash Report; it makes it easier for me to check that the various strings line up correctly.


With regards case 1, you wrote:

However, in order to distribute the app, as mentioned above, you must sign with Developer ID Applications to avoid being blocked by the gatekeeper. Therefore, I re-signed, and the result of code signing is as follows.

Your re-signing process seems to have dropped the entitlements, but it seems you’ve figured that out already (-:


With regards case 2, I think the issue relates to this:

I had an existing Apple Development signed app for distribution.

and this:

embedded.provisionprofile properties are the same as before sign.

Apple Development and Developer ID signing need different provisioning profiles. See What exactly is a provisioning profile? for an explanation of why.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

In order to sign using your Developer ID, you need to create a provisioning file for it, right?

Naturally, I proceeded as follows to create a custom provisioning on the developer site with the provisioning file.

MAC PC: Create .CSR

Generate certificate: Account -> Certificates, Identifiers & Profiles -> Certificates -> Add -> Option: Software(Developer ID Application) -> Attach and create .CSR created on MAC PC

Create provisioning file: Account -> Certificates, Identifiers & Profiles -> Profile -> Add -> Option: Distribution(Developer ID) -> Enter the Bundle ID and the following screen will be displayed.

I created the certificate, but it says it doesn't exist. Why is this?

Also, my MAC PC logged in is not the owner id of the Apple Developer site and I have the admin role in it.

In other words:

Apple Developer Site Account: A

My MAC login account: B

I've been trying a lot to fix the issue where the certificate is not showing up and I've been to a lot of sites. Also, it turns out that other people besides me also have this problem.

https://stackoverflow.com/questions/71100475/macos-unable-to-create-provisioning-profile-to-distribute-outside-the-mac-app

In order to sign using your Developer ID, you need to create a provisioning file for it, right?

That depends. Developer ID signed code only needs a provisioning profile if it uses an entitlement that must be allowed by that profile. The Entitlements on the Mac section of What exactly is a provisioning profile? explains this.

MAC PC Create .CSR

I was under the impression you already had a Developer ID signing identity. If so, creating a second one should not be required and can cause problems. See my posts on this thread for more background.

With regards the “No Certificates are available”

I’ve also seen that before. Oh, wait, it was your thread!

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
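
Added example (not part of the thread and not Apple's code): a Python check for the two failure modes discussed above, entitlements dropped on re-signing (Case 1) and a development profile left inside a Developer ID signed bundle (Case 2). It takes the plist printed by `security cms -D -i` and the signature's entitlements as an XML plist; the sample plists are constructed, and classifying a profile by its `ProvisionsAllDevices` / `ProvisionedDevices` keys and the default restricted-entitlement set are assumptions.

```python
import plistlib

ES = "com.apple.developer.endpoint-security.client"
# Assumption: the only profile-gated entitlement of interest in this thread.
RESTRICTED = frozenset({ES})

def profile_kind(profile):
    """Classify a decoded profile (assumed heuristic on two well-known keys)."""
    if profile.get("ProvisionsAllDevices"):
        return "developer-id"
    if profile.get("ProvisionedDevices"):
        return "development"
    return "other"

def audit(profile_xml, entitlements_xml, want="developer-id", restricted=RESTRICTED):
    """Return findings for one bundle: its profile type and restricted entitlements."""
    profile = plistlib.loads(profile_xml)
    # An unsigned or entitlement-less binary yields no plist at all.
    signed = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    allowed = profile.get("Entitlements", {})
    findings = []
    kind = profile_kind(profile)
    if kind != want:
        findings.append(f"profile is {kind}, expected {want}")
    for key in sorted(restricted):
        if key in signed and key not in allowed:
            findings.append(f"{key} claimed by the signature but not allowed by the profile")
        elif key in allowed and key not in signed:
            findings.append(f"{key} allowed by the profile but missing from the signature")
    return findings

# Constructed sample inputs (not taken from the thread's screenshots).
DEV_PROFILE = plistlib.dumps({"Name": "constructed development profile",
                              "ProvisionedDevices": ["CONSTRUCTED-DEVICE-ID"],
                              "Entitlements": {ES: True}})
DEVID_PROFILE = plistlib.dumps({"Name": "constructed Developer ID profile",
                                "ProvisionsAllDevices": True,
                                "Entitlements": {ES: True}})
WITH_ES = plistlib.dumps({ES: True})

if __name__ == "__main__":
    for label, prof, ents in [("case 1", DEV_PROFILE, b""),
                              ("case 2", DEV_PROFILE, WITH_ES),
                              ("fixed", DEVID_PROFILE, WITH_ES)]:
        print(label, audit(prof, ents) or "ok")
```
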

Yep that's right I asked the same question.

But the problem still occurs. I've tried it as an account owner and as an administrator, but they all have the same symptoms.
