Code Signing macOS application

Hi :wave:

I’m trying to code sign a macOS application through CMake with a certificate.

I followed the approach mentioned in the book of @craig.scott, using -DCMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM and -DCMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY variables, but it didn’t work.

By the way, the snippet which inspired me is:

set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM
    "ABC12345DE" CACHE STRING ""
)
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY
    "Apple Development" CACHE STRING ""
)

I got an error message from Xcode:

<project-name>.xcodeproj: error: No certificate for team '<the-id>' matching '<name>' found: Select a
different signing certificate for CODE_SIGN_IDENTITY, a team that matches your selected certificate, or
switch to automatic provisioning. (in target 'starship_platform_desktop' from project '<project-name>')

I already tried this: xcode - No "iOS Development" signing certificate matching team ID "*****"with a private key was found - Stack Overflow

I don’t know if someone has already faced a similar issue.

Cheers ^^

cc @jviotti

I’m @tonygo 's colleague. We are testing this with certificates generated from my personal Apple Developer account. The title of the certificate looks like this: “Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)”

From what we understand, CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM should be 97Z2ARC25P and CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY should be Juan Cruz Viotti.

Is that correct, or are we misinterpreting the variables?

Unless you have multiple different identities on your machine for the same team ID, I’d normally recommend setting CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY to Apple Development. Xcode should then select the appropriate identity matching your specified team ID.

It’s been a while since I’ve revisited these things in my book, and I haven’t been working on any Apple projects lately. It’s possible things have changed recently, but so far I haven’t heard anything to suggest the advice in the book isn’t still applicable. The name on that certificate doesn’t seem like what I’d expect. My signing certificates for development are named “Apple Development: Craig Scott (<some-ID>)”. Are you perhaps trying to use the wrong certificate? EDIT: I noticed that the “(<some-ID>)” part of the certificate name is not my Team ID for my developer signing certificate. All other certificate types do have the Team ID as part of the name. I don’t know why the developer ID certificate name is different for me, but that could just be a historical hang-over from earlier things or it might genuinely be typical behavior.

Thanks! We’ll give this a shot. As far as I understand, the “Apple Development” ones are for App Store / Mac App Store distribution, whereas the “Developer ID Application” ones are for distribution outside of the store (which we are aiming for).

I seem to vaguely recall having difficulties trying to use the application certificate for the first signing long ago. I think the workflow that eventually worked for me was to sign with the usual Apple Developer certificate when building the code. Then, produce the archive using xcodebuild -archive ..., and lastly export that archive for distribution using xcodebuild -exportArchive .... The exporting step requires you to specify the method of distribution, and you select that in your export options plist file (using the -exportOptionsPlist command line argument). Check if one of those distribution methods matches what you want to use. The exporting step will select the appropriate certificate to re-sign your app based on the distribution method you specify.

Thanks for these insights @craig.scott :raised_hands:

I tried to replace our current CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY with Apple Development, but it didn’t work.

Regarding the second approach, what I’ve to do is:

  • produce an archive with xcodebuild (I have to figure out how exactly, probably some answers there: Xcode "Build and Archive" from command line - Stack Overflow)
  • export the archive still with xcodebuild with flags -exportArchive and -exportOptionsPlist.
    • In the plist file, I should add the property signingCertificate with the value: Juan Cruz Viotti (97Z2ARC25P)

I’ll work on that and see how it goes.

I think another approach would be to use CPACK_BUNDLE_APPLE_CERT_APP . I found an example usage on GitHub.

1 Like

I tried setting these options in the cmake file:

set(CMAKE_XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "97Z2ARC25P")
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Developer ID Application")
set(CMAKE_XCODE_ATTRIBUTE_CODE_SIGN_STYLE "Manual")

and it appears that the resultant bundle has been code signed successfully using the right certificate:

$ codesign -dv --verbose=2 examples/hello_world/dist/desktop/Debug/Hello\ World.app
Executable=/Users/raisinten/Desktop/git/starship-next/examples/hello_world/dist/desktop/Debug/Hello World.app/Contents/MacOS/Hello World
Identifier=com.postmanlabs.starship.hello-world
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20400 size=16712 flags=0x0(none) hashes=511+7 location=embedded
Signature size=4674
Authority=Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Signed Time=20-Jan-2023 at 12:20:06 PM
Info.plist entries=25
TeamIdentifier=97Z2ARC25P
Sealed Resources version=2 rules=13 files=5
Internal requirements count=1 size=228

:tada:

3 Likes
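
An added example, not written by anyone in this thread: a shell check that parses the codesign report shown above and fails unless the leaf certificate kind and the TeamIdentifier field are the expected ones. It compares the TeamIdentifier field rather than the bracketed string in the certificate name; the function names are made up for this example and the sample report reuses lines from the post.

```shell
#!/bin/sh
# Added example: gate a release on the identity that codesign reports.
# codesign writes its -dv report to stderr, so real use looks like:
#   codesign -dv --verbose=2 "Hello World.app" 2>&1 |
#       check_signature 97Z2ARC25P "Developer ID Application"

# First Authority= line is the leaf (signing) certificate.
leaf_authority() { sed -n 's/^Authority=//p' | head -n 1; }

team_identifier() { sed -n 's/^TeamIdentifier=//p' | head -n 1; }

# check_signature <expected team ID> <expected certificate kind>
# Reads the report on stdin; returns 0 only when both values match.
check_signature() {
    want_team=$1
    want_kind=$2
    report=$(cat)
    leaf=$(printf '%s\n' "$report" | leaf_authority)
    team=$(printf '%s\n' "$report" | team_identifier)

    if [ -z "$leaf" ]; then
        echo "no Authority line: unsigned or ad-hoc signed" >&2
        return 1
    fi
    case $leaf in
        "$want_kind: "*) ;;
        *)  echo "signed with '$leaf', wanted '$want_kind'" >&2
            return 1 ;;
    esac
    if [ "$team" != "$want_team" ]; then
        echo "TeamIdentifier is '$team', wanted '$want_team'" >&2
        return 1
    fi
    echo "ok: $leaf (team $team)"
}

# Lines taken from the codesign report quoted in the post above.
SAMPLE_REPORT='Identifier=com.postmanlabs.starship.hello-world
Authority=Developer ID Application: Juan Cruz Viotti (97Z2ARC25P)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=97Z2ARC25P'

printf '%s\n' "$SAMPLE_REPORT" | check_signature 97Z2ARC25P "Developer ID Application"
```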

Awesome! @craig.scott This would be good for inclusion in the next edition of the book. We are all big fans of it at Postman :slight_smile:

@tonygo I’d be interested in knowing what kind of error you get if you use Apple Development. I’d expect that to work unless you had more than one certificate that matched. Would also be good to know the full command line you’re using to build (presumably some form of xcodebuild archive ...).

I’d like to understand your case better, since I’m revisiting the code signing behavior with Xcode 14 at the moment to see if there have been any significant changes.

Hey dear @craig.scott :wave:

Thanks for coming back to me. I gave it a try this morning.

I use this base project: GitHub - tony-go/codesign-macos: This project illustrate how could we codesign a macOS application with CMake. (I’m preparing a post on this topic)

And if I modify these two lines:

set(XCODE_ATTRIBUTE_DEVELOPMENT_TEAM "BZVTQUQUN8")
set(XCODE_ATTRIBUTE_CODE_SIGN_IDENTITY "Apple Development")

Then I got the following error:

/Users/tonygorez/perso/codesign-macos/build/MyCLIApp.xcodeproj: error: No signing certificate "Mac Development" found: No "Mac Development" signing certificate matching team ID "BZVTQUQUN8" with a private key was found. (in target 'MyCLIApp' from project 'MyCLIApp')

Right click on the “Apple Development: Tony Gorez (BZVTQUQUN8)” certificate and select “Get Info”. Near the top of the “Details”, take a look at what your “Organisational Unit” is set to. That value is what should be used as your team ID. For me, it is different to the string in the brackets after my name in the development certificate, so I am wondering if you’re using the wrong team ID for your certificate.

I’ve re-tested the approach documented in my Professional CMake book, using Xcode 14. While there have been some changes, the general method still seems to work. I suspect what may be tripping you up are one or both of the following:

  • Specifying the wrong Team ID when signing the application (during general development or with the archive operation). If you use the correct Team ID that matches your Apple Development certificate, it should work.
  • When exporting your archive using xcodebuild -exportArchive ..., use the appropriate method in the export options plist file (the one you list after -exportOptionsPlist) that matches the way you want to distribute the app. For general distribution outside the App Store, it looks like the method you should be using in that plist file is developer-id. The canonical certificate that should match that is “Developer ID Application”, or if you’re producing an installer, “Developer ID Installer”. The “Apple Distribution” certificate is only for distribution through the App Store (e.g. setting method to app-store).
1 Like
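
The archive and export steps described above, as an added example that is not from the thread: it writes an export options plist with method developer-id and then runs the two xcodebuild steps. The function names, the ExportOptions.plist, app.xcarchive and export paths, and the manual signing style are assumptions made for this example; the Team ID is passed in by the caller.

```shell
#!/bin/sh
# Added example of the archive -> export flow; names and paths are placeholders.

# write_export_options <plist path> <team ID>
# developer-id is the method for distribution outside the App Store.
write_export_options() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>developer-id</string>
    <key>teamID</key>
    <string>$2</string>
    <key>signingStyle</key>
    <string>manual</string>
    <key>signingCertificate</key>
    <string>Developer ID Application</string>
</dict>
</plist>
EOF
}

# archive_and_export <xcodeproj> <scheme> <team ID> <output dir>
# The build is signed with the development identity; the export step re-signs
# the app with the certificate that matches the method in the plist.
archive_and_export() {
    mkdir -p "$4"
    write_export_options "$4/ExportOptions.plist" "$3"
    xcodebuild archive -project "$1" -scheme "$2" \
        -archivePath "$4/app.xcarchive" &&
    xcodebuild -exportArchive -archivePath "$4/app.xcarchive" \
        -exportOptionsPlist "$4/ExportOptions.plist" -exportPath "$4/export"
}

# Runs only when given four arguments on a machine that has xcodebuild.
if [ $# -eq 4 ] && command -v xcodebuild >/dev/null 2>&1; then
    archive_and_export "$@"
fi
```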

hey @craig.scott :wave:

I hope you’re doing well.

Sorry for the late reply; I was swamped these days, and still, thank you for your availability for the community :slight_smile:

I tried using the “Organisational Unit” for my Apple Development certificate, which worked nicely.

I updated my example project: GitHub - tony-go/codesign-macos: This project illustrates how we could codesign a macOS application with CMake. and my blog post: Demystifying Code Signing in macOS: A Step-by-Step Tutorial for CLI Applications with CMake