Terminal can't find notarytool

Isn’t it super easy to generate a new certificate for signing from Apple’s website?

I think that’s true for signing applications (and by extension plugins) but not for signing pkg installers! From memory you’re only allowed 5 within a certain time period of several years. It’s been a while since I looked but that was the case some years ago.

Personally for distribution certificates I tend to prefer to store the certificate as base64 in a secret and then only create a keychain and the certificate while signing is required. This works well if you also want to sign using an ephemeral node running in the cloud and it reduces the time there is a machine with a certificate that someone else might gain access to.

I’m still having problems with the Developer ID Application Certificate on the new computer. Originally I installed this certificate on my laptop following these instructions:
https://developer.apple.com/help/account/create-certificates/create-developer-id-certificates/
I see this certificate in Keychain Access on the laptop, and it is marked in green: “This certificate is valid”.

I later on followed instructions from Apple above to install this type of certificate on my new Sonoma Mac, but on this machine it is marked in red as “not Trusted”. So I exported the certificate from the laptop, saved it to the desktop of the new machine and double-clicked on it. It installed in the keychain. Also this certificate is marked as “not trusted”. What am I missing? I have followed all instructions…

I used the Certificate Assistant to evaluate the certificate, and here it says it is valid. Still marked as not trusted in the keychain though.

Also, I compared the evaluation info from the certificates on the two computers and they were identical except for serial number.

Do you have the private key that corresponds to the certificate?

I don’t know. I guess I have it on the laptop. Where should I look for it?

In Keychain Access the screenshot you posted is on the Certificates tab. What does it say on the Keys tab?

They are the same as on the laptop:

The old laptop's keys below:

Go into the login keychain, not the System one. (I see that System was selected for your certificates too but that’s the wrong one.)

Thanks,
OK, now I see a difference between the two computers. A lot is missing on the new Mac. What to do? Here's the new Mac:

Here’s the old laptop:

Right, so you only exported the certificate but not the private key that belongs to it. You need both parts for it to work.

On the old laptop, right-click on the key(s) that you want to export and choose the Export option. This will save a p12 file. You need to protect it with a password.

Now copy that p12 file to your new computer and import it into the keys tab.

1 Like

I copied both the Apple Development Key and the Intonator Dev Key(s). When trying to sign I first got the message:
xcrun codesign --force --verbose -s "Developer ID Application: Hans Adamson (ABCDE12345)" "/Users/Hans/Library/Audio/Plug-Ins/VST3/Art Vista Intonator i.vst3" --timestamp

Developer ID Application: Hans Adamson (ABCDE12345): ambiguous (matches "Developer ID Application: Hans Adamson (ABCDE12345)" and "Developer ID Application: Hans Adamson (ABCDE12345)" in /Library/Keychains/System.keychain)

So I deleted the oldest of the two certificates with same name. When I try to sign again, I receive this message:

xcrun codesign --force --verbose -s "Developer ID Application: Hans Adamson (ABCDE12345)" "/Users/Hans/Library/Audio/Plug-Ins/VST3/Art Vista Intonator i.vst3" --timestamp

/Users/Hans/Library/Audio/Plug-Ins/VST3/Art Vista Intonator i.vst3: replacing existing signature

Warning: unable to build chain to self-signed root for signer "Developer ID Application: Hans Adamson (ABCDE12345)"

/Users/Hans/Library/Audio/Plug-Ins/VST3/Art Vista Intonator i.vst3: errSecInternalComponent

Update:
I hadn’t put my Apple account into Xcode on the new Mac. So I did, and now it seems the signing went through.
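One way to get past the "ambiguous" error above without deleting certificates by guesswork is to hand codesign the identity's SHA-1 hash (the first column of `security find-identity -v -p codesigning`) instead of its name: the hash is unique even when two certificates share a label. The script below is an added example and not code from this thread; `pick_identity_hash` parses find-identity output given on stdin and refuses to choose when the label matches more than one identity, `resolve_identity_hash` is the macOS wrapper around it, and the sample output it is demonstrated on is constructed (the hashes are made up).

```shell
#!/bin/sh
# Added example (not from this thread): resolve a signing identity to its
# SHA-1 hash so that codesign gets an unambiguous "-s" argument.
# Only resolve_identity_hash needs macOS `security`; the parser is portable.

# Read `security find-identity -v -p codesigning` output on stdin and print the
# hash of the single identity whose label equals $1.
# Exit status: 0 found, 1 no such label, 2 ambiguous (duplicate certificates).
pick_identity_hash() {
    want="$1"
    matches=$(awk -v want="$want" '
        # lines look like:  1) <40 hex chars> "Developer ID Application: Name (TEAMID)"
        /^[ \t]*[0-9]+\)[ \t]+[0-9A-F]+[ \t]+"/ {
            s = index($0, "\"")
            rest = substr($0, s + 1)
            e = index(rest, "\"")
            if (substr(rest, 1, e - 1) == want) print $2
        }')
    n=$(printf '%s\n' "$matches" | grep -c '^[0-9A-F]' || true)
    case "$n" in
        0) echo "no valid identity labelled '$want'" >&2; return 1 ;;
        1) printf '%s\n' "$matches" ;;
        *) echo "ambiguous: $n identities labelled '$want':" >&2
           printf '%s\n' "$matches" >&2
           return 2 ;;
    esac
}

# macOS wrapper: hash of LABEL ($1) in KEYCHAIN ($2, optional; default search list)
resolve_identity_hash() {
    security find-identity -v -p codesigning ${2:+"$2"} | pick_identity_hash "$1"
}

# Constructed sample output (hashes are made up) for a stand-alone demo
SAMPLE_ONE='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Hans Adamson (ABCDE12345)"
     1 valid identities found'
SAMPLE_DUP='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Hans Adamson (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Hans Adamson (ABCDE12345)"
     2 valid identities found'
LABEL="Developer ID Application: Hans Adamson (ABCDE12345)"

demo() {
    echo "unique label -> $(printf '%s\n' "$SAMPLE_ONE" | pick_identity_hash "$LABEL")"
    printf '%s\n' "$SAMPLE_DUP" | pick_identity_hash "$LABEL" \
        || echo "duplicate label refused (status $?)"
}
demo

# On a real machine, sign by hash instead of by name:
#   HASH=$(resolve_identity_hash "$LABEL" ~/Library/Keychains/login.keychain-db) && \
#   codesign --force --timestamp --options runtime -s "$HASH" "/path/to/plugin.vst3"
```

When the parser reports a duplicate it prints both hashes, so you can compare them against the certificates in Keychain Access before deciding which one to keep.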

Here’s a tool I wrote to export the certs and things needed so that I can take the files to a builder VM easily … you might find this useful next time, or indeed as a reference for the current situation.

Check the following environment variables used in this script - obviously you’ll have to make your own values for these environment variables:

KEYCHAIN_PASSWORD
CERT_LABEL
EXPORT_PASSWORD

Remember: the intention is to create a temporary keychain, import the certs and password, do the codesigning and notarization, then delete the keychain so that everything for the Production build is sealed up, and not intermixed with other certs/keys/passwords that might be floating around on a developer workstation. The Builder VM where these items are used is intended to be as clinical as possible, in our case …

#!/bin/bash

# Configuration
SOURCE_KEYCHAIN=~/Library/Keychains/login.keychain-db
DEST_KEYCHAIN=/tmp/ci-import.keychain
SOURCE_KEYCHAIN_PASSWORD="yourLoginKeychainPassword"  # Password of the source (login) keychain; take it from a secret rather than a literal in the script
KEYCHAIN_PASSWORD="makeSomethingUpHere"  # Password for the new keychain
CERT_LABEL="Developer ID Application: Your Developer ID (ABCDEFGHI0)"  # Adjust to match your cert label
EXPORT_PASSWORD="makeSomethingUpHereAlso"  # Password for the .p12 file

# Create the destination keychain
echo "Creating destination keychain: $DEST_KEYCHAIN"
security create-keychain -p "$KEYCHAIN_PASSWORD" "$DEST_KEYCHAIN"

# Unlock both keychains
echo "Unlocking source keychain: $SOURCE_KEYCHAIN"
security unlock-keychain -p "$SOURCE_KEYCHAIN_PASSWORD" "$SOURCE_KEYCHAIN"

echo "Unlocking destination keychain: $DEST_KEYCHAIN"
security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$DEST_KEYCHAIN"

# Make sure the identity (certificate plus its private key) is really in the source keychain;
# a certificate whose private key is missing never shows up in this list
if ! security find-identity -v -p codesigning "$SOURCE_KEYCHAIN" | grep -qF "$CERT_LABEL"; then
    echo "No valid signing identity labelled '$CERT_LABEL' in $SOURCE_KEYCHAIN"
    exit 1
fi

# Export certificate and private key to a .p12 file
# (security export has no per-label filter: every identity in the keychain goes into the file)
P12_FILE=Certificates/ExportedCert.p12
mkdir -p "$(dirname "$P12_FILE")"
echo "Exporting certificate and private key to: $P12_FILE"
security export -k "$SOURCE_KEYCHAIN" -t identities -f pkcs12 -o "$P12_FILE" -P "$EXPORT_PASSWORD"

if [ $? -ne 0 ]; then
    echo "Failed to export certificate: $CERT_LABEL"
    exit 1
fi

# Import the .p12 file into the new keychain; -T limits key access to the two signing tools
echo "Importing certificate into destination keychain: $DEST_KEYCHAIN"
security import "$P12_FILE" -k "$DEST_KEYCHAIN" -P "$EXPORT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign

if [ $? -ne 0 ]; then
    echo "Failed to import certificate into: $DEST_KEYCHAIN"
    rm -f "$P12_FILE"
    exit 1
fi

# Set key partition list for automation (lets codesign/productsign use the key without a UI prompt)
echo "Setting key partition list for certificate: $CERT_LABEL"
security set-key-partition-list -S apple-tool:,apple: -s -k "$KEYCHAIN_PASSWORD" -t private "$DEST_KEYCHAIN"

if [ $? -ne 0 ]; then
    echo "Failed to set key partition list for: $CERT_LABEL"
    rm -f "$P12_FILE"
    exit 1
fi

# Clean up

Later on … the following code is used to create the temporary signing keychain:

# Variables expected from the CI job (the two passwords come from the job's secrets)
: "${SIGNING_KEYCHAIN:?path of the temporary keychain, e.g. /tmp/signing.keychain-db}"
: "${SIGNING_KEYCHAIN_PASSWORD:?password for the temporary keychain}"
: "${CERT_FILE:?.p12 exported from the developer workstation}"
: "${CERT_PASSWORD:?password of the .p12 file}"
: "${DEV_SIGNING_IDENTITY:?e.g. Developer ID Application: Name (TEAMID)}"
: "${PKG_SIGNING_IDENTITY:?e.g. Developer ID Installer: Name (TEAMID)}"
: "${BUILD_DIR:?}" "${PKG_PROJECT_NAME:?}" "${BUILD_TYPE:?}" "${PKG_PRODUCT_NAME:?}"

# small logging helper used throughout the full build script
log() { echo "[$(date '+%H:%M:%S')] $*"; }

log "Setting up CI keychain used for signing process..."

# default again user login keychain
security list-keychains -d user -s login.keychain

# Create signing keychain
security create-keychain -p "$SIGNING_KEYCHAIN_PASSWORD" "$SIGNING_KEYCHAIN"

# Remove the signing keychain and restore the login keychain on every exit,
# so that a failed build never leaves the private key behind on the VM
cleanup() {
    security delete-keychain "$SIGNING_KEYCHAIN" 2>/dev/null
    security list-keychains -d user -s login.keychain
}
trap cleanup EXIT

# Append signing keychain to the user domain
security list-keychains -d user -s "$SIGNING_KEYCHAIN" $(security list-keychains -d user | sed 's/"//g')

# Remove relock timeout
security set-keychain-settings "$SIGNING_KEYCHAIN"

# Unlock keychain
security unlock-keychain -p "$SIGNING_KEYCHAIN_PASSWORD" "$SIGNING_KEYCHAIN"

# Add certificate to keychain; -T restricts key access to the two signing tools
# (no -A, which would let any application use the key)
security import "$CERT_FILE" -k "$SIGNING_KEYCHAIN" -P "$CERT_PASSWORD" -T /usr/bin/codesign -T /usr/bin/productsign

# Enable codesigning from a non user interactive shell.
# Applied to every private key in this keychain (only the ones just imported), so both
# the Application and the Installer identity work without a prompt.
# Never echo this command line: it would print the keychain password into the build log.
security set-key-partition-list -S apple-tool:,apple: -s -k "$SIGNING_KEYCHAIN_PASSWORD" -t private "$SIGNING_KEYCHAIN"

# .. do some codesigning .. (secure timestamp and hardened runtime are required for notarization)
codesign --force --timestamp --options runtime --keychain "$SIGNING_KEYCHAIN" -s "$DEV_SIGNING_IDENTITY" \
    "${BUILD_DIR}/${PKG_PROJECT_NAME}_artefacts/${BUILD_TYPE}/AU/${PKG_PRODUCT_NAME}.component"

# .. product signing/notarization/etc.

# productsign .. etc
# xcrun notarytool .. etc

# Clean up the signing keychain and default again the user login keychain:
# done by cleanup() via the EXIT trap above, on success and on failure alike
 
3 Likes