
apple_cert

Zwetan Kjukov edited this page Feb 4, 2017 · 15 revisions

Apple Developer Certificates

First, you will need an Apple ID.

Second, you will need to buy an Apple Developer License.

Third, you will need to install and configure those certificates.

Introduction

I'm not here to help sell developer licenses, but if your goal is to produce command-line programs, desktop applications and iOS applications that you want to distribute to your final users, obtaining a developer license brings a couple of advantages.

  • first, that developer license is not only for iOS:
    it will allow you to sign Mac OS X desktop applications
    and also 3rd party applications and installers (pkg)
  • by signing your pkg or app you avoid having to explain
    to your users how to go into "System Preferences", then
    "Security & Privacy", and under "Allow apps downloaded from"
    select "Anywhere"
  • if someone else repackages your app, it will invalidate the signature

Even if you plan only to distribute something free, it's better to establish a bit of trust with your users.

This is even more true if you plan to actually sell the application you distribute (see this blog post).

Developer ID and Gatekeeper

Gatekeeper is a feature introduced in OS X Mountain Lion that helps
protect users from downloading and installing malicious software.
Signing your applications, plug-ins, and installer packages with a
Developer ID certificate lets Gatekeeper verify that they are not
known malware and have not been tampered with.

Also see App Distribution Guide.

Clean Install

  • Open Xcode
    add your Apple ID (eg. [email protected] )
  • Close Xcode
  • Open Keychain Access app
    (/Applications/Utilities/Keychain Access.app)
    in "View" select "Show Expired Certificates"
    in both login and System
    delete all certificates
  • Download the Apple Worldwide Developer Relations Certification Authority
    AppleWWDRCA.cer
    double-click it to install it in Keychain
  • from Mac certs
    download developerID_application.cer and developerID_installer.cer
    install both by double-clicking them
  • Open Xcode
    in "Preferences / Accounts"
    select your Team Name and click "View Details..."
    either click "Create" or "Reset" for the following
    • iOS Development
    • iOS Distribution
    • Mac Development
    • Mac App Distribution
    • Mac Installer Distribution

The final result should look like this (screenshots: Xcode account, Xcode details, Keychain certs)

(all certs should show in green "This certificate is valid")

Testing Your Certificates

Mac OS X ships a command-line utility, certtool.

Its documentation indicates:
Display certs and CRLs in keychain: certtool y

Show your Mac OS X Developer IDs
$ certtool y | grep Developer\ ID

output should be similar to

   Common Name     : Developer ID Certification Authority
   Common Name     : Developer ID Application: Zwetan Kjukov (4AT3SFJR6C)
   Common Name     : Developer ID Certification Authority
   Common Name     : Developer ID Installer: Zwetan Kjukov (4AT3SFJR6C)

Those common names are what you need to use in general, but not exactly.

It's more about retrieving your "Developer ID":
if you need an ID to sign an installer, "Common Name : Developer ID Installer: Zwetan Kjukov (4AT3SFJR6C)"
indicates you should use "Zwetan Kjukov (4AT3SFJR6C)".

But that's not enough: you also need to use "3rd Party Mac Developer Installer".

In your build script you would define it this way

var DEVELOPER_ID_APPLICATION:String = "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)";
var DEVELOPER_ID_INSTALLER:String   = "3rd Party Mac Developer Installer: Zwetan Kjukov (4AT3SFJR6C)";

see Signing Under Mac OS X.

Another tool you can use is the security command-line utility, but this time to show your signing identities.

For example:
$ security find-identity -p codesigning

output should be similar to

Policy: Code Signing
  Matching identities
  1) DE62E9B69FEE3A42D000000276C4FBAF6D287F6B "iPhone Developer: Zwetan Kjukov (2532X6C4LG)"
  2) DBC45FAD85A56CB18000000B6424107890D73C65 "iPhone Distribution: Zwetan Kjukov (4AT3SFJR6C)"
  3) 9EFBD72E08E8C66510000003C4C89A6FC6511CAF "Mac Developer: Zwetan Kjukov (2532X6C4LG)"
  4) 169940413DF2E03B90000005FD49C320F65312CB "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)"
  5) 3083D2FC788B93D92000000E32A9E8F7C1D4B4C7 "gdb-cert"
     5 identities found

  Valid identities only
  1) DE62E9B69FEE3A42D000000276C4FBAF6D287F6B "iPhone Developer: Zwetan Kjukov (2532X6C4LG)"
  2) DBC45FAD85A56CB18000000B6424107890D73C65 "iPhone Distribution: Zwetan Kjukov (4AT3SFJR6C)"
  3) 9EFBD72E08E8C66510000003C4C89A6FC6511CAF "Mac Developer: Zwetan Kjukov (2532X6C4LG)"
  4) 169940413DF2E03B90000005FD49C320F65312CB "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)"
  5) 3083D2FC788B93D92000000E32A9E8F7C1D4B4C7 "gdb-cert"
     5 valid identities found

see Building Mac OS X Packages for the build utilities

  • show-macosx-developer-id
  • show-macosx-signing-identities
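
A pre-flight check a build script could run before signing, written here as an added example (it is not the project's show-macosx-* utilities). The function names are hypothetical and the sample input is constructed from the output shown above so the script runs without a keychain.

```shell
# Added example; function names are hypothetical, sample data is constructed
# from the output shown on this page.

# stdin: `certtool y` output. Prints the "Name (TEAMID)" part of the
# "Developer ID Installer" common name, once.
developer_id_from_certtool() {
    sed -n 's/^ *Common Name *: Developer ID Installer: \(.*\)$/\1/p' | sort -u
}

# stdin: `security find-identity -p codesigning` output. Prints only the
# names listed under "Valid identities only", one per line.
valid_signing_identities() {
    awk '/Valid identities only/ { valid = 1; next }
         valid && /^ *[0-9]+\) [0-9A-F]+ "/ {
             sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print
         }'
}

# stdin: same as above. Succeeds only if identity $1 is in the valid list.
require_identity() {
    valid_signing_identities | grep -Fxq -- "$1"
}

# Constructed sample: two lines of the certtool output above.
sample_certtool() {
    cat <<'EOF'
   Common Name     : Developer ID Certification Authority
   Common Name     : Developer ID Installer: Zwetan Kjukov (4AT3SFJR6C)
EOF
}

# Constructed sample: trimmed find-identity output in which "gdb-cert"
# matches the policy but is absent from the valid list.
sample_identities() {
    cat <<'EOF'
  Matching identities
  1) 169940413DF2E03B90000005FD49C320F65312CB "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)"
  2) 3083D2FC788B93D92000000E32A9E8F7C1D4B4C7 "gdb-cert"
     2 identities found
  Valid identities only
  1) 169940413DF2E03B90000005FD49C320F65312CB "3rd Party Mac Developer Application: Zwetan Kjukov (4AT3SFJR6C)"
     1 valid identities found
EOF
}

ID=$(sample_certtool | developer_id_from_certtool)
APP_IDENTITY="3rd Party Mac Developer Application: $ID"
sample_identities | require_identity "$APP_IDENTITY" \
    && echo "OK to sign with: $APP_IDENTITY"
```

On a Mac, pipe the real `certtool y` and `security find-identity -p codesigning` output into these functions instead of the samples, and stop the build when require_identity fails.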

iOS Development

TODO (go in details later on how to sign iOS app)

see

Mac OS X Development

Those certs are needed for signing Desktop applications, especially if you want to distribute your app through the Mac App Store.

But there is more: the 3rd Party Mac Developer Application and/or Installer certs can also be used to sign installers like .pkg, as well as other libraries and command-line apps.

Where to download the Developer ID Application cert (screenshot: developerID application)

Where to download the Developer ID Installer cert (screenshot: developerID installer)

From there you can download developerID_application.cer and developerID_installer.cer; install both by double-clicking them (Xcode does not install those, or I missed something?).

see
