How do I Developer ID-sign and export a macOS app with an entitlement through the command-line without being signed in with my Apple ID in Xcode?

Hi,

I'm trying to Developer ID-sign and export a macOS app through my CI/CD pipeline on GitHub Actions, but I've run into an issue signing my app once it has one or more entitlements, in this case, an app group entitlement.

I'm using xcodebuild to archive the app and export that archive, signing it along the way. This works fine as long as my app does not have an entitlement, but once it has an entitlement, exporting the archive fails.

To elaborate a bit on this, I first make sure the development certificate and the Developer ID certificate are installed on the machine. These are installed using the security CLI, and I'm confident that they are installed correctly. Then I proceed to archive the app using xcodebuild as shown below.

xcodebuild archive\
  -scheme MyApp\
  -configuration Release\
  -sdk macosx\
  -archivePath MyApp.xcarchive\
  -destination "platform=OS X,arch=x86_64"\
  -allowProvisioningUpdates\
  -authenticationKeyIssuerID XYZ1234\
  -authenticationKeyID XYZ\
  -authenticationKeyPath AuthKey.p8

Then I export the archive using xcodebuild as shown below.

xcodebuild -exportArchive\
  -archivePath MyApp.xcarchive\
  -exportPath export\
  -exportOptionsPlist ExportOptions.plist\
  -allowProvisioningUpdates\
  -authenticationKeyIssuerID XYZ1234\
  -authenticationKeyID XYZ\
  -authenticationKeyPath AuthKey.p8

When my app has one or more entitlements, this fails with the following error message:

Error: error: exportArchive: Cloud signing permission error
Error: error: exportArchive: No profiles for 'com.example.MyApp' were found

Note that I am not signed into an Apple ID in Xcode when signing and exporting my app through my CI/CD pipeline, as there does not seem to be a way to sign into an Apple ID in Xcode through the CLI. Instead, I'm authenticating with an App Store Connect API key.

Developer ID-signing and exporting my app does work when I do it through Xcode, even if the app has an entitlement, so the signing of the app is configured correctly.

Upon inspecting the contents of ~/Library/MobileDevice/Provisioning Profiles after signing and exporting the app through Xcode, I notice that Xcode automatically creates two provisioning profiles with the titles:

  • Mac Team Provisioning Profile: com.example.MyApp
  • Mac Team Direct Provisioning Profile: com.example.MyApp

These two provisioning profiles are not created when signing and exporting the app through the xcodebuild command-line tool, and I suspect that is part of the problem.

I'd be OK with manually creating these provisioning profiles through Apple's developer portal and installing them as part of my CI/CD pipeline, but I can't seem to find a way to create this type of provisioning profile through the portal. Neither the macOS App Development, Mac App Store Connect, nor Developer ID provisioning profile types yield this kind of provisioning profile.

All of this, leaves me with the question:

How do I Developer ID-sign and export a macOS app with an entitlement through the command-line without being signed in with my Apple ID in Xcode?

Surprisingly to me, the "Mac Team Provisioning Profile: com.example.MyApp" and "Mac Team Direct Provisioning Profile: com.example.MyApp" provisioning profiles that Xcode creates when signing and exporting the app, does not include the com.apple.security.application-groups entitlement that my app uses.

As a test, I extracted the generated provisioning profiles from ~/Library/MobileDevice/Provisioning Profiles and installed them during my CI/CD pipeline to see if that was sufficient and while xcodebuild did pick up the provisioning profiles, the signing failed with the following error because the provisioning profiles does not contain the entitlement.

Error: error: exportArchive: Cloud signing permission error
Error: error: exportArchive: Provisioning profile "Mac Team Direct Provisioning Profile: com.example.MyApp" doesn't include the com.apple.security.application-groups entitlement.

Could it be that app groups aren't available for Developer ID-signed apps? I suppose that would make sense 🤔

It wouldn't really explain why exporting and signing work in Xcode and not in xcodebuild, but maybe Xcode has some magic to remove the app group entitlement before signing and xcodebuild lacks this logic.

From reading Quinn's guide on the difference when adding app groups to an iOS app and a macOS app, I found that the app group identifier I used in my macOS app wasn't correct. I was using the same app group identifier on macOS as I did my iOS app, i.e. group.com.example.MyApp but on macOS it had to be prefixed with the team ID, like 123XY4Z5X6.group.com.example.MyApp.

After changing the app group identifier in my macOS build, the app is signed and exported correctly when using xcodebuild in my CI/CD pipeline. I'm still unsure why it worked when signing through Xcode and not when signing through xcodebuild when using an app group identifier without the team ID prefix, though.

I'm still unsure why it worked when signing through Xcode and not when signing through xcodebuild when using an app group identifier without the team ID prefix, though.

I don’t really have a good answer to that, other than to say that this disparity between the app group ID format and entitlement requirements is an ongoing source of weird problems. IMO it’s something we should fix [1], but I’ve no info to share as to if or when that’ll happen.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Ideally by allowing Mac developers to create a provisioning profile with the app group entitlement in its allowlist.

How do I Developer ID-sign and export a macOS app with an entitlement through the command-line without being signed in with my Apple ID in Xcode?
 
 
Q