Questions about code signing Mac App with Developer ID

Question

I have several questions about signing Mac App with Developer ID:

First of all, I'm working on a project utilizing GateKeeper. So I have to(?) sign my App with Developer ID.

1. Do I need a provisioning profile to sign with Developer ID? In the build settings tab, the Developer ID certification is marked as Identities without Provisioning Profiles. Looking around in Mac Provision Portal, I found no place to generate provisioning profile to match Developer ID cert rather than submission certs. So do I need a provisioning profile to sign with Developer ID?

2. After archiving my app, when I chose Export Developer ID-signed Application in the organizer, my Developer ID certification is marked with a yellow warning icon. But I can still chose the cert and sign it. Is it OK?

3. After signing my app, I used sudo spctl -a -v MyApp.app to test my app with sudo spctl --master-enable runed before that. The result is as followed:

   EIM.app: rejected
   source=Developer ID
   

Is this rejection related to the warning in question 2?

It's my first time distributing Mac App with Developer ID, thanks for any help.

Answer 1

Re: Provisioning profiles and DeveloperID— they are unnecessary. You should be able to accept your DeveloperID in the automatic section of the Code Signing Identity portion of the Build Settings. If you cannot, your key may be missing or there may be something else wrong with the database that contains the information.

First, go into Keychain Access and verify that your DeveloperID certificate has an accompanying private key associated with it (this will be visible under a disclosure triangle). If it does not, then you should go check around to see if you saved off the key related to that certificate anywhere, because if you can't find and reimport it (from, for example, a Developer Profile exported from Xcode), you will need to revoke and reissue the certificate, since there's no way to sign it.

Second, there is a known bug in 4.6.1 that can corrupt a cached database containing information from the developer portal. There's no specific indication that this behavior can be caused by this problem, but before following the next step, you might want to give it a try. Basically, you will need to quit Xcode, move aside (or delete) ~/Library/Developer/Xcode/connect1.apple.com 4.6.1.db (yes, there's a space in that file name), restart Xcode, go to the Organizer and Refresh your profiles and certificates.

If this doesn't work, you may want to consider revoking your Developer ID.

WARNING If you have successfully distributed code with the certificate, do not revoke it until you have visited Apple's web site (https://developer.apple.com/support/technical/certificates/) and thoroughly understand the implications to shipped code for revoking a developer id. Specifically that installed software will continue to work, but users will not be able to install/reinstall binaries signed with the original certificate.

If you have never successfully distributed code with the certificate (or if your key is irrecoverably lost), you may want to go to the portal and revoke and then reissue your Developer ID certificate. Once you have revoked it, you can create a new certificate by requesting a new certificate.