Notarising with Sign in with Apple. Is it possible?

I have Sign in with Apple working in my iOS (primary) app and macOS app, and submission to the iOS App Store and Mac App Store succeeds. This leads me to conclude I have set up the app capabilities correctly.


We also distribute the app outside the Mac App Store, using the Developer ID to notarize. All attempts to notarize the macOS app have failed, and I am beginning to think that Apple never tested this, and that there is probably no 3rd party app using it. (Mac apps that need sign in are few to begin with.)


The provisioning profile on the developer site clearly has Sign in with Apple checked, and lists it as a capability. Sign in with Apple is also in the entitlements of the app in Xcode. But when I choose "Upload" to notarize the archived product, I am told the provisioning profile is missing the "Sign in with Apple" capability.


The question I really want answered is whether there is anyone out there for whom this has succeeded. I suspect it is simply broken on Apple's provisioning servers.

Accepted Reply

On Apr 6, 2020, eskimo wrote:

> After posting that I talked with DTS’s Sign in with Apple expert and they confirmed that Sign in with Apple is not supported for Developer ID apps. It’s still reasonable for you to file a bug about this but be aware that it’ll be treated as an enhancement request rather than a straightforward bug report.


Correct. The Sign in with Apple capability is not supported for Developer ID or Apple Developer memberships. An Apple Developer Program membership is required, where members of this paid program can distribute apps on the App Store.


For more information about supported capabilities for macOS, please see the following—

https://help.apple.com/developer-account/#/devadf555df9

Replies

Hmmm, I don’t think this is going to work. Here’s what I did to test it:

  1. I went to the Certificates, Identifiers & Profiles page on the developer web site.

  2. On the left, I selected Identifiers.

  3. I added a new App ID, enabling Sign In with Apple.

  4. On the left, I selected Profiles.

  5. I generated a new macOS App Development profile using the App ID from step 3. I downloaded it as Test129263-MASDev.provisionprofile.

  6. I repeated the previous step with a Developer ID profile, naming it Test129263-DevID.provisionprofile.

  7. I dumped the entitlements whitelisted by both profiles:

    % security cms -D -i Test129263-MASDev.provisionprofile 
    …
    <dict>
      …
      <key>Entitlements</key>
      <dict>
        <key>com.apple.application-identifier</key>
        <string>SKMME9E2Y8.com.example.apple-samplecode.Test129263</string>
        <key>keychain-access-groups</key>
        <array>
          <string>SKMME9E2Y8.*</string>
        </array>
        <key>com.apple.developer.team-identifier</key>
        <string>SKMME9E2Y8</string>
        <key>com.apple.developer.applesignin</key>
        <array>
            <string>Default</string>
        </array>
      </dict>
      …
    </dict>
    </plist>
    % security cms -D -i Test129263-DevID.provisionprofile 
    …
    <dict>
      …
      <key>Entitlements</key>
      <dict>
        <key>com.apple.application-identifier</key>
        <string>SKMME9E2Y8.com.example.apple-samplecode.Test129263</string>
        <key>keychain-access-groups</key>
        <array>
          <string>SKMME9E2Y8.*</string>
        </array>        
        <key>com.apple.developer.team-identifier</key>
        <string>SKMME9E2Y8</string>
      </dict>
      …
    </dict>
    </plist>

As you can see, the macOS App Development profile includes the com.apple.developer.applesignin entitlement but the Developer ID one does not.

In my experience this sort of thing is not uncommon. Apple has to explicitly enable entitlements for use with Developer ID. I don’t support Sign In with Apple, so I don’t know whether it was deliberately omitted or not. Either way, the path forward is the same: File a bug report requesting that this be made to work.

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
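
The by-eye comparison of the two dumps in the reply above can be scripted. This is an added example, not code from the thread or from Apple: it reads the plist that security cms -D -i prints and lists the entitlements an app requests that the profile does not authorize. The sample plists and the app's entitlement set are constructed from the two dumps above, and the trailing-wildcard matching rule is a simplifying assumption.

```python
import plistlib

TEAM = "SKMME9E2Y8"
APP_ID = TEAM + ".com.example.apple-samplecode.Test129263"
SIWA = "com.apple.developer.applesignin"
BASE = {
    "com.apple.application-identifier": APP_ID,
    "keychain-access-groups": [TEAM + ".*"],
    "com.apple.developer.team-identifier": TEAM,
}
# Constructed sample input: minimal decoded-profile plists that carry only the
# Entitlements dictionaries visible in the two dumps in the post.
MAS_DEV_PLIST = plistlib.dumps({"Entitlements": {**BASE, SIWA: ["Default"]}})
DEV_ID_PLIST = plistlib.dumps({"Entitlements": dict(BASE)})
# Constructed: entitlements a hypothetical app requests in its code signature.
APP_ENTITLEMENTS = {
    "com.apple.application-identifier": APP_ID,
    "com.apple.developer.team-identifier": TEAM,
    "keychain-access-groups": [APP_ID],
    SIWA: ["Default"],
}

def profile_entitlements(decoded_plist: bytes) -> dict:
    """Return the Entitlements dict from an already-decoded profile plist."""
    ents = plistlib.loads(decoded_plist).get("Entitlements")
    if not isinstance(ents, dict):
        raise ValueError("decoded profile has no Entitlements dictionary")
    return ents

def allowed(value, pattern) -> bool:
    """Assumed rule: a profile value ending in '*' authorizes any value with that prefix."""
    if isinstance(pattern, str) and pattern.endswith("*"):
        return isinstance(value, str) and value.startswith(pattern[:-1])
    return value == pattern

def unauthorized(app: dict, profile: dict) -> list:
    """Entitlement keys the app requests that the profile does not cover."""
    problems = []
    for key, want in app.items():
        wants = want if isinstance(want, list) else [want]
        have = profile.get(key, [])
        haves = have if isinstance(have, list) else [have]
        # Every requested value must be matched by at least one profile value.
        if not all(any(allowed(w, h) for h in haves) for w in wants):
            problems.append(key)
    return sorted(problems)

if __name__ == "__main__":
    for name, blob in (("MASDev", MAS_DEV_PLIST), ("DevID", DEV_ID_PLIST)):
        print(name, unauthorized(APP_ENTITLEMENTS, profile_entitlements(blob)))
```

On a Mac, the output of security cms -D -i for a real profile can be passed to profile_entitlements as bytes in place of the constructed samples.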

Hit the same issue. Reported bug with ID FB7645479

Running into the same issue (and filed a bug report: FB7652731). Everything is set up correctly, everything works on iOS: I am sharing builds with a select group of (external) testers. Now I have added macOS support as well, and am trying to share a build with my testers. However, since there is no TestFlight for macOS apps, and sharing it using the Developer ID is broken, I am only left with an actual release to the Mac App Store? I am not ready for that yet.


So is there simply no way at the moment to share a macOS app, using Sign In with Apple, to a select group of people?

On 18 Feb post I wrote:

> I don’t support Sign In with Apple, so I don’t know whether it was deliberately omitted or not.

After posting that I talked with DTS’s Sign in with Apple expert and they confirmed that Sign in with Apple is not supported for Developer ID apps. It’s still reasonable for you to file a bug about this but be aware that it’ll be treated as an enhancement request rather than a straightforward bug report.

Loopwerk wrote:

> So is there simply no way at the moment to share a macOS app, using Sign in with Apple, to a select group of people?

Not easily. You could collect their Mac UUIDs and send them a development-signed build, but that’s a lot of extra admin.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Received response to my ticket from Apple:


> This issue behaves as intended.

> “Sign in with Apple” is not available for use in Developer ID-signed apps.

> Please close this feedback report.


Oh, Apple 😟
