I’m trying to code sign a macOS application through CMake with a certificate.
I followed the approach mentioned in the book of @craig.scott, using -DCMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM and -DCMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY variables, but it didn’t work.
<project-name>.xcodeproj: error: No certificate for team '<the-id>' matching '<name>' found: Select a
different signing certificate for CODE_SIGN_IDENTITY, a team that matches your selected certificate, or
switch to automatic provisioning. (in target 'starship_platform_desktop' from project '<project-name>')
I’m @tonygo’s colleague. We are testing this with certificates generated from my personal Apple Developer account. The title of the certificate looks like this: “Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)”.
From what we understand, CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM should be 97Z2ARC25P and CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY should be Juan Cruz Viotti.
Is that correct, or are we misinterpreting the variables?
Unless you have multiple different identities on your machine for the same team ID, I’d normally recommend setting CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY to Apple Development. Xcode should then select the appropriate identity matching your specified team ID.
It’s been a while since I’ve revisited these things in my book, and I haven’t been working on any Apple projects lately. It’s possible things have changed recently, but so far I haven’t heard anything to suggest the advice in the book isn’t still applicable. The name on that certificate doesn’t seem like what I’d expect. My signing certificates for development are named “Apple Development: Craig Scott (<some-ID>)”. Are you perhaps trying to use the wrong certificate? EDIT: I noticed that the “(<some-ID>)” part of the certificate name is not my Team ID for my developer signing certificate. All other certificate types do have the Team ID as part of the name. I don’t know why the developer ID certificate name is different for me, but that could just be a historical hang-over from earlier things or it might genuinely be typical behavior.
Thanks! We’ll give this a shot. As far as I understand, the “Apple Development” ones are for App Store / Mac App Store distribution, whereas the “Developer ID Application” ones are for distribution outside of the store (which we are aiming for).
I seem to vaguely recall having difficulties trying to use the application certificate for the first signing long ago. I think the workflow that eventually worked for me was to sign with the usual Apple Developer certificate when building the code. Then, produce the archive using xcodebuild -archive ..., and lastly export that archive for distribution using xcodebuild -exportArchive .... The exporting step requires you to specify the method of distribution, and you select that in your export options plist file (using the -exportOptionsPlist command line argument). Check if one of those distribution methods matches what you want to use. The exporting step will select the appropriate certificate to re-sign your app based on the distribution method you specify.
@tonygo I’d be interested in knowing what kind of error you get if you use Apple Development. I’d expect that to work unless you had more than one certificate that matched. It would also be good to know the full command line you’re using to build (presumably some form of xcodebuild archive ...).
I’d like to understand your case better, since I’m revisiting the code signing behavior with Xcode 14 at the moment to see if there have been any significant changes.
/Users/tonygorez/perso/codesign-macos/build/MyCLIApp.xcodeproj: error: No signing certificate "Mac Development" found: No "Mac Development" signing certificate matching team ID "BZVTQUQUN8" with a private key was found. (in target 'MyCLIApp' from project 'MyCLIApp')
Right click on the “Apple Development: Tony Gorez (BZVTQUQUN8)” certificate and select “Get Info”. Near the top of the “Details”, take a look at what your “Organisational Unit” is set to. That value is what should be used as your team ID. For me, it is different to the string in the brackets after my name in the development certificate, so I am wondering if you’re using the wrong team ID for your certificate.
I’ve re-tested the approach documented in my Professional CMake book, using Xcode 14. While there have been some changes, the general method still seems to work. I suspect what may be tripping you up are one or both of the following:
Specifying the wrong Team ID when signing the application (during general development or with the archive operation). If you use the correct Team ID that matches your Apple Development certificate, it should work.
When exporting your archive using xcodebuild -exportArchive ..., use the appropriate method in the export options plist file (the one you list after -exportOptionsPlist) that matches the way you want to distribute the app. For general distribution outside the App Store, it looks like the method you should be using in that plist file is developer-id. The canonical certificate that should match that is “Developer ID Application”, or if you’re producing an installer, “Developer ID Installer”. The “Apple Distribution” certificate is only for distribution through the App Store (e.g. setting method to app-store).
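The workflow discussed in this thread, sketched as a shell script. This is an added example, not code posted by any participant: it reads the team ID from the certificate's Organisational Unit, signs with "Apple Development", then archives and exports with method developer-id. The names TEAMID1234, CERTID5678 and Jane Doe, the build/ paths, and the assumption that the target is an app bundle with a scheme named after it are all constructed for illustration.

```shell
# Added example; TEAMID1234, CERTID5678 and Jane Doe are constructed placeholders.
SAMPLE_SUBJECT='subject= /UID=UIDVALUE01/CN=Apple Development: Jane Doe (CERTID5678)/OU=TEAMID1234/O=Jane Doe/C=US'

# The team ID is the certificate's Organisational Unit, not the ID in brackets after the name.
team_id_from_subject() {  # handles "/OU=X" (LibreSSL) and "OU = X" (OpenSSL) renderings
    printf '%s\n' "$1" | sed -nE 's/.*OU ?= ?([A-Za-z0-9]+).*/\1/p'
}

# Print the team ID of the first keychain certificate whose name contains $1 (macOS only).
team_id_from_keychain() {
    subject=$(security find-certificate -c "$1" -p | openssl x509 -noout -subject) || return 1
    team_id_from_subject "$subject"
}

# Write an export options plist for distribution outside the App Store ($1 = team ID, $2 = path).
write_export_options() {
    cat > "$2" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>teamID</key>
    <string>$1</string>
</dict>
</plist>
EOF
}

# Configure, archive and export (macOS only). $1 = source dir, $2 = target name.
# Assumption: an Xcode scheme named after the target exists in the generated project.
sign_and_export() {
    team=$(team_id_from_keychain "Apple Development") || return 1
    [ -n "$team" ] || { echo "no Apple Development certificate with an OU found" >&2; return 1; }
    cmake -G Xcode -S "$1" -B build \
        -DCMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM="$team" \
        -DCMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY="Apple Development" || return 1
    xcodebuild archive -project "build/$2.xcodeproj" -scheme "$2" \
        -archivePath "build/$2.xcarchive" || return 1
    write_export_options "$team" build/ExportOptions.plist || return 1
    xcodebuild -exportArchive -archivePath "build/$2.xcarchive" \
        -exportPath build/export -exportOptionsPlist build/ExportOptions.plist
}
```

Running team_id_from_subject "$SAMPLE_SUBJECT" prints TEAMID1234 rather than CERTID5678, which is the mismatch the "Get Info" check above is meant to catch.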