Can an "Apple Distribution" certificate be used instead of a "Mac Installer Distribution" certificate?

If I understand correctly, Apple Distribution certificate type aims to replace the separate platform-specific certificate types. (Please don't jump me, I know this is a very simplified way to put it :D)

I am 100% sure Apple Distribution certificate can be used instead of a "Mac App Distribution" certificate, but I'm not sure whether the same is true for installers, namely the "Mac Installer Distribution" certificate.

I have read eskimo's great articles on packaging (https://developer.apple.com/forums/thread/701581) and signing (https://developer.apple.com/forums/thread/128166) but I have not seen a definite answer to this question in those.

Our command line builds started to fail with a 'no certificate of type Mac Installer Distribution is found' without any actual apparent change to the build process, so I'm just trying to understand this certificate type better.

  • I see no sign of this certificate ever having existed in developer.apple.com under Certificates tab.
  • We use the xcodebuild -exportArchive command with an -exportOptionsPlist that has the following content:
	<dict>
		<key>[redacted]</key>
		<string>[redacted]</string>
		<key>[redacted]</key>
		<string>[redacted]</string>
	</dict>
	<key>installerSigningCertificate</key>
	<string>3rd Party Mac Developer Installer</string>
	<key>signingCertificate</key>
	<string>Mac App Distribution</string>

and this has not changed at all either between the last successful build and the failing ones.

I listed the existing code signing identities with security find-identity -p codesigning and only an Apple Distribution certificate shows up, not Mac Installer Distribution certificate.

Answered by DTS Engineer in 770176022

but I'm not sure whether the same is true for installers, namely the "Mac Installer Distribution" certificate.

It is not.

Installer certificates have different OIDs than code signing certificates [1]. They are not interchangeable in any way.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you really want to dig into the details, check out the various policy docs on the Apple PKI page.

Thank you Quinn for your answer and the confirmation.

Reading your post again ("Packaging Mac Software for distribution"), I realized that the Mac Installer Distribution certificate will not show up with security find-identity -p codesigning because it is not a code signing certificate. I removed the -p part and then it listed the certificate as CSSMERR_TP_CERT_EXPIRED. I'm hoping this will fix the issue, but this forum question has been answered. Thanks again!
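
An added example, not part of any post in this thread: a pre-flight check for a command line build that parses `security find-identity` output (run without `-p`, as in the follow-up above) and reports whether a signing identity is valid, missing, or flagged with an error such as `CSSMERR_TP_CERT_EXPIRED`. The sample output, hashes, organisation name and team ID are constructed, and `identity_status` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `security find-identity` output (no -p filter).
# Hashes, organisation name and team ID are made up for illustration.
SAMPLE_OUTPUT='Policy: X.509 Basic
  Matching identities
  1) 1111111111111111111111111111111111111111 "Apple Distribution: Example Corp (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "3rd Party Mac Developer Installer: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  3) 3333333333333333333333333333333333333333 "Developer ID Application: Example Corp (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  4) 4444444444444444444444444444444444444444 "Developer ID Application: Example Corp (ABCDE12345)"
     4 identities found

  Valid identities only
  1) 1111111111111111111111111111111111111111 "Apple Distribution: Example Corp (ABCDE12345)"
  2) 4444444444444444444444444444444444444444 "Developer ID Application: Example Corp (ABCDE12345)"
     2 valid identities found'

# identity_status NAME_PREFIX FIND_IDENTITY_OUTPUT
# Prints one of:
#   valid        at least one identity with that name prefix carries no error flag
#   CSSMERR_...  every matching identity is flagged (first flag is reported)
#   missing      no identity with that name prefix is listed at all
identity_status() {
    printf '%s\n' "$2" | awk -v want="$1" '
        index($0, "\"" want ":") {
            found = 1
            if (match($0, /\(CSSMERR_[A-Z_]+\)/)) {
                # Keep the first error seen; strip the surrounding parentheses.
                if (err == "") err = substr($0, RSTART + 1, RLENGTH - 2)
            } else {
                # An unflagged entry (e.g. a renewed certificate) wins over an expired one.
                valid = 1
            }
        }
        END {
            if (valid)      print "valid"
            else if (found) print err
            else            print "missing"
        }'
}

# Demo on the constructed sample. On a build machine, pass live output instead:
#   identity_status "3rd Party Mac Developer Installer" "$(security find-identity)"
for name in "Apple Distribution" "3rd Party Mac Developer Installer" "Developer ID Application"; do
    echo "$name: $(identity_status "$name" "$SAMPLE_OUTPUT")"
done
```

Running this before `xcodebuild -exportArchive` separates an expired installer certificate from one that was never installed, which the export error message alone does not do.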
