Code Signing macOS application

Hi :wave:

I’m trying to code sign a macOS application through CMake with a certificate.

I followed the approach mentioned in the book of @craig.scott, using -DCMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM and -DCMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY variables, but it didn’t work.

By the way, the snippet which inspired me is:

set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM
    "ABC12345DE" CACHE STRING ""
)
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY
    "Apple Development" CACHE STRING ""
)

I got an error message from Xcode:

<project-name>.xcodeproj: error: No certificate for team '<the-id>' matching '<name>' found: Select a
different signing certificate for CODE_SIGN_IDENTITY, a team that matches your selected certificate, or
switch to automatic provisioning. (in target 'starship_platform_desktop' from project '<project-name>')

I already tried this: xcode - No "iOS Development" signing certificate matching team ID "*****"with a private key was found - Stack Overflow

I don’t know if someone has already faced a similar issue.

Cheers ^^

cc @jviotti

I’m @tonygo's colleague. We are testing this with certificates generated from my personal Apple Developer account. The title of the certificate looks like this: “Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)”

From what we understand, CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM should be 97Z2ARC25P and CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY should be Juan Cruz Viotti.

Is that correct, or are we misinterpreting the variables?

Unless you have multiple different identities on your machine for the same team ID, I’d normally recommend setting CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY to Apple Development. Xcode should then select the appropriate identity matching your specified team ID.

It’s been a while since I’ve revisited these things in my book, and I haven’t been working on any Apple projects lately. It’s possible things have changed recently, but so far I haven’t heard anything to suggest the advice in the book isn’t still applicable. The name on that certificate doesn’t seem like what I’d expect. My signing certificates for development are named “Apple Development: Craig Scott (<team-ID>)”. Are you perhaps trying to use the wrong certificate?

Thanks! We’ll give this a shot. As far as I understand, the “Apple Development” ones are for App Store / Mac App Store distribution, whereas the “Developer ID Application” ones are for distribution outside of the store (which we are aiming for).

I seem to vaguely recall having difficulties trying to use the application certificate for the first signing long ago. I think the workflow that eventually worked for me was to sign with the usual Apple Developer certificate when building the code. Then, produce the archive using xcodebuild archive ..., and lastly export that archive for distribution using xcodebuild -exportArchive .... The exporting step requires you to specify the method of distribution, and you select that in your export options plist file (using the -exportOptionsPlist command line argument). Check if one of those distribution methods matches what you want to use. The exporting step will select the appropriate certificate to re-sign your app based on the distribution method you specify.

Thanks for these insights @craig.scott :raised_hands:

I tried to replace our current CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY with Apple Development, but it didn’t work.

Regarding the second approach, what I have to do is:

  • produce an archive with xcodebuild (I have to figure out how exactly, probably some answers there: Xcode "Build and Archive" from command line - Stack Overflow)
  • export the archive still with xcodebuild with flags -exportArchive and -exportOptionsPlist.
    • In the plist file, I should add the property signingCertificate with the value: “Juan Cruz Viotti (97Z2ARC25P)”

I’ll work on that and see how it goes.

I think another approach would be to use CPACK_BUNDLE_APPLE_CERT_APP. I found an example usage on GitHub.


I tried setting these options in the cmake file:

set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "97Z2ARC25P")
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Developer ID Application")
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_STYLE "Manual")

and it appears that the resultant bundle has been code signed successfully using the right certificate:

$ codesign -dv --verbose=2 examples/hello_world/dist/desktop/Debug/Hello\ World.app
Executable=/Users/raisinten/Desktop/git/starship-next/examples/hello_world/dist/desktop/Debug/Hello World.app/Contents/MacOS/Hello World
Identifier=com.postmanlabs.starship.hello-world
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=16712 flags=0x0(none) hashes=511+7 location=embedded
Signature size=4674
Authority=Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=20-Jan-2023 at 12:20:06 PM
Info.plist entries=25
TeamIdentifier=97Z2ARC25P
Sealed Resources version=2 rules=13 files=5
Internal requirements count=1 size=228

:tada:

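The manual check in the post above can be scripted so a build fails when the bundle was signed with the wrong kind of certificate or the wrong team. The following is an added example, not code from the thread or from CMake; the function names are hypothetical, and the sample report is trimmed from the codesign output quoted above.

```shell
#!/bin/sh
# Added example: check a `codesign -dv --verbose=2` report against the
# signing identity that the CMake settings were supposed to select.

# Sample report, trimmed from the output quoted in the post above.
sample_report() {
cat <<'EOF'
Identifier=com.postmanlabs.starship.hello-world
Format=app bundle with Mach-O thin (x86_64)
Authority=Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=97Z2ARC25P
EOF
}

# check_signing_report KIND TEAM   (report is read from stdin)
# Returns 0 only if the leaf certificate is of KIND and both the leaf
# certificate name and the TeamIdentifier field carry TEAM.
check_signing_report() {
    kind=$1 team=$2
    report=$(cat)
    # The first Authority= line is the leaf (signing) certificate.
    leaf=$(printf '%s\n' "$report" | sed -n 's/^Authority=//p' | head -n 1)
    team_field=$(printf '%s\n' "$report" | sed -n 's/^TeamIdentifier=//p' | head -n 1)
    if [ -z "$leaf" ]; then
        echo "no Authority line in report" >&2; return 1
    fi
    case $leaf in
        "$kind: "*) ;;
        *) echo "leaf certificate is '$leaf', expected '$kind: ...'" >&2; return 2 ;;
    esac
    # The team ID is the parenthesised suffix of the certificate name.
    leaf_team=$(printf '%s\n' "$leaf" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
    if [ "$leaf_team" != "$team" ] || [ "$team_field" != "$team" ]; then
        echo "team mismatch: cert='$leaf_team' TeamIdentifier='$team_field'" >&2
        return 3
    fi
    return 0
}

# On a Mac (codesign writes this report to stderr, hence 2>&1):
#   codesign -dv --verbose=2 "Hello World.app" 2>&1 |
#       check_signing_report "Developer ID Application" 97Z2ARC25P
```
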

Awesome! @craig.scott This would be good for inclusion in the next edition of the book. We are all big fans of it at Postman :slight_smile: