xcodebuild with provision profile and no private key

Question

We are building a MacOS app in a large enterprise company where we need to enable push notifications for our desktop app.

To support notifications, we need to build our app with the provision profile -

xcodebuild PROVISIONING_PROFILE="<provision profile id>"

This results in an error -

Check dependencies
Code Signing Error: No signing certificate "<Cert name>" found:  
No "<Cert name>" signing certificate matching team ID "<team id>" 
with a private key was found.

It looks like we need the private key installed on our machine. Access to private key is restricted since we are working in a large enterprise where many apps are released under one distribution certificate.

Is it possible to build the mac os app without the private key (retaining the push notifications functionality) ? Ideally we would want to build the app without the private key during development and sign it later when we want to release it to the world.

We have tried the following unsuccessfully -

xcodebuild clean build CODE_SIGN_IDENTITY="" CODE_SIGNING_REQUIRED=NO PROVISIONING_PROFILE="<profile id>"

Answer 1

The simple answer to your question is no. In order to sign an app on MacOS or iOS, you need to have the signing identity files. This means you will need the provisioning profile, the certificate, and the private key for the certificate.

If you could sign an app without the private key, anyone could impersonate you as a developer, which would be a big problem in terms of developer trust.

Really, though, what you should have is a different signing identity for development than for release. Use the Development profile, cert and key for development (you can give developers the private key for the development cert). The you have a separate signing identity for distribution that is locked down to only the official build machine.