Hi,
I'm trying to Developer ID-sign and export a macOS app through my CI/CD pipeline on GitHub Actions, but I've run into an issue signing my app once it has one or more entitlements, in this case, an app group entitlement.
I'm using xcodebuild to archive the app and export that archive, signing it along the way. This works fine as long as my app does not have an entitlement, but once it has an entitlement, exporting the archive fails.
To elaborate a bit on this, I first make sure the development certificate and the Developer ID certificate are installed on the machine. These are installed using the `security` CLI, and I'm confident that they are installed correctly. Then I proceed to archive the app using xcodebuild as shown below.
```sh
xcodebuild archive \
  -scheme MyApp \
  -configuration Release \
  -sdk macosx \
  -archivePath MyApp.xcarchive \
  -destination "platform=OS X,arch=x86_64" \
  -allowProvisioningUpdates \
  -authenticationKeyIssuerID XYZ1234 \
  -authenticationKeyID XYZ \
  -authenticationKeyPath AuthKey.p8
```
Then I export the archive using xcodebuild as shown below.
```sh
xcodebuild -exportArchive \
  -archivePath MyApp.xcarchive \
  -exportPath export \
  -exportOptionsPlist ExportOptions.plist \
  -allowProvisioningUpdates \
  -authenticationKeyIssuerID XYZ1234 \
  -authenticationKeyID XYZ \
  -authenticationKeyPath AuthKey.p8
```
When my app has one or more entitlements, this fails with the following error message:
```
Error: error: exportArchive: Cloud signing permission error
Error: error: exportArchive: No profiles for 'com.example.MyApp' were found
```
Note that I am not signed into an Apple ID in Xcode when signing and exporting my app through my CI/CD pipeline, as there does not seem to be a way to sign into an Apple ID in Xcode through the CLI. Instead, I'm authenticating with an App Store Connect API key.
Developer ID-signing and exporting my app does work when I do it through Xcode, even if the app has an entitlement, so the signing of the app is configured correctly.
Upon inspecting the contents of `~/Library/MobileDevice/Provisioning Profiles` after signing and exporting the app through Xcode, I notice that Xcode automatically creates two provisioning profiles with the titles:
- Mac Team Provisioning Profile: com.example.MyApp
- Mac Team Direct Provisioning Profile: com.example.MyApp
These two provisioning profiles are not created when signing and exporting the app through the xcodebuild command-line tool, and I suspect that is part of the problem.
I'd be OK with manually creating these provisioning profiles through Apple's developer portal and installing them as part of my CI/CD pipeline, but I can't seem to find a way to create this type of provisioning profile through the portal. Neither the macOS App Development, Mac App Store Connect, nor Developer ID provisioning profile types yield this kind of provisioning profile.
All of this leaves me with the question:
How do I Developer ID-sign and export a macOS app with an entitlement through the command-line without being signed in with my Apple ID in Xcode?
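
A pre-flight check for the profiles the post inspects in `~/Library/MobileDevice/Provisioning Profiles`, as an added example that is not part of the original post: it reads the plist embedded in a profile file and reports why that profile would not cover a given bundle ID and set of entitlements. The function names, team ID, group name and sample bytes are constructed for illustration, and the CMS signature is not verified.

```python
import plistlib
from datetime import datetime, timezone

# macOS profiles use the first key, iOS profiles the second.
APP_ID_KEYS = ("com.apple.application-identifier", "application-identifier")

def decode_profile(raw: bytes) -> dict:
    """Extract the XML plist embedded in a CMS-wrapped profile (signature is NOT verified)."""
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def profile_gaps(profile, team_id, bundle_id, required, now=None):
    """Return reasons the profile cannot cover the app; an empty list means it matches."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    ent = profile.get("Entitlements", {})
    gaps = []
    app_id = next((ent[k] for k in APP_ID_KEYS if k in ent), "")
    wanted = f"{team_id}.{bundle_id}"
    # A trailing "*" is a wildcard App ID; otherwise the match must be exact.
    matches = wanted.startswith(app_id[:-1]) if app_id.endswith("*") else app_id == wanted
    if not matches:
        gaps.append(f"app identifier {app_id!r} does not cover {wanted!r}")
    if profile.get("ExpirationDate", now) < now:
        gaps.append("profile expired")
    for key, value in required.items():
        granted = ent.get(key)
        if isinstance(value, list):
            have = granted if isinstance(granted, list) else []
            missing = [v for v in value if v not in have]
            if missing:
                gaps.append(f"{key} missing {missing}")
        elif granted != value:
            gaps.append(f"{key} is {granted!r}, need {value!r}")
    return gaps

# Constructed sample: fake CMS framing around a plist, not a real profile.
SAMPLE = b"\x30\x82fake-cms" + plistlib.dumps({
    "Name": "Constructed Profile: com.example.MyApp",
    "ExpirationDate": datetime(2031, 1, 1),
    "Entitlements": {
        "com.apple.application-identifier": "TEAMID1234.com.example.MyApp",
        "com.apple.security.application-groups": ["group.com.example.shared"],
    },
}) + b"\x00trailer"
```

In a pipeline, the `required` dictionary would be loaded from the app's `.entitlements` file with `plistlib`, and the check run over every file in the profiles directory before calling `xcodebuild -exportArchive`.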