codesign use of Cloud-managed Developer ID

My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID certificate. My Mac application build workflow uses Archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as Sparkle framework's Autoupdate app, using the codesign tool.

Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate?

Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.

Answered by DTS Engineer in 814008022
Is it correct that codesign only uses certificates from the local Keychain … ?

Correct.

If you use the Xcode organiser to export a Developer ID signed app [1], you can look at Packaging.log to see how this works. codesign is used to generate the data to be signed and then to apply the signature, but the actual signing is done using a web service. AFAIK all of this is considered an implementation detail and not documented for third-party use (other than via Xcode and xcodebuild, of course).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You have to remove your Developer ID signing identity from the keychain in order to get cloud signing. I have mine in a separate keychain — I talk about that more in The Care and Feeding of Developer ID — so I just removed that keychain from the search list in Keychain Access.
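As an added example (not part of Quinn's answer or of the original post): a small shell script for the workflow the question describes, signing a bundled Autoupdate app with codesign. Because codesign only sees identities in the local keychain, the script first parses `security find-identity -v -p codesigning` and refuses to proceed unless a *valid* "Developer ID Application" identity for the team is actually present; an expired certificate (listed under "Matching identities" but not "Valid identities only") or a cloud-managed certificate (not in the keychain at all) both produce a clear error instead of a confusing codesign failure. The `security` output it parses is a constructed sample, and the team identifier `EXAMPLETEAM` and the helper app path are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the forum thread. Selects a Developer ID Application
# identity that is really in the local keychain and uses it to codesign a nested
# helper app (the question's case is Sparkle's Autoupdate app).
# Assumptions (not from the page): team ID EXAMPLETEAM and the helper path are placeholders.

# Read `security find-identity -v -p codesigning` output on stdin and print the SHA-1
# hash of the first *valid* "Developer ID Application" identity for team $1.
# Prints nothing and returns 1 when no such identity is in the keychain.
pick_developer_id_identity() {
    team="$1"
    awk -v team="$team" '
        /Valid identities only/ { valid = 1; next }
        valid && /"Developer ID Application:/ && index($0, "(" team ")") {
            # line shape:  1) <40-hex-sha1> "Developer ID Application: Name (TEAM)"
            print $2; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Sign the nested app in place with the hardened runtime and a secure timestamp, then
# verify it. Needs macOS (security, codesign); the offline test below does not run it.
sign_nested_app() {
    app="$1"
    team="$2"
    identity=$(security find-identity -v -p codesigning | pick_developer_id_identity "$team") || {
        echo "no valid Developer ID Application identity for team $team in the keychain" >&2
        echo "(a cloud-managed Developer ID certificate is not in the keychain, so codesign cannot use it)" >&2
        return 1
    }
    codesign --force --options runtime --timestamp --sign "$identity" "$app" || return 1
    codesign --verify --strict --verbose=2 "$app"
}

# Constructed sample of `security find-identity -v -p codesigning` output for the offline
# demonstration; hashes, names and team IDs are made up. The OLDTEAM0000 certificate is
# expired, so it appears under "Matching identities" but not under "Valid identities only".
sample_find_identity_output() {
    cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (EXAMPLETEAM)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Development: Jane Example (EXAMPLETEAM)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Developer ID Application: Old Corp (OLDTEAM0000)" (CSSMERR_TP_CERT_EXPIRED)
     3 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (EXAMPLETEAM)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Development: Jane Example (EXAMPLETEAM)"
     2 valid identities found
EOF
}

# Offline demonstration against the constructed sample (prints the EXAMPLETEAM hash):
sample_find_identity_output | pick_developer_id_identity EXAMPLETEAM
# Real use on a Mac (assumed path, not from the page):
# sign_nested_app "MyApp.app/Contents/Frameworks/Sparkle.framework/path/to/Autoupdate.app" EXAMPLETEAM
```

The parser only trusts the "Valid identities only" section, so a certificate that has already expired is treated the same as one that was never in the keychain; that is the check worth having when the local certificate is about to expire and the cloud-managed one cannot be used by codesign.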
