
Apple wants apps to be signed. With newer macOS versions, unsigned apps look less and less welcome.

As a cross-platform developer with almost no knowledge of Apple specifics, I have to learn how to sign Apple apps. A step-by-step recipe would be helpful.

So far I understand that all of the following is necessary:

  • Register for an Apple ID [1].
    • Agree with endless pages of legalese.
  • Apply for an Apple developer account [2].
    • Choose among several categories (individual, nonprofit, government, ...).
    • Accept further pages of legalese.
    • Agree with unspecified membership fees that are waived for open-source projects.
    • Wait for unspecified time until you will or will not be admitted by Apple.
  • Create a certificate from Xcode.
    • Open or create an arbitrary project to get to the main menu.
    • In the main menu (Xcode) > Preferences > Accounts > Manage Certificates > "+" (bottom left) to create certificate.
    • In the main menu (Xcode) > Preferences > Accounts > Download Manual Profiles. Seems to create a file with extension .developerprofile.
  • From here, an unknown number of steps is missing...
  • Maybe the last step involves the command codesign [3], codesign -s <identity> --keychain <full-path-to-keychain> <path-to-disk-image>
    • What is <identity>?
    • What is the keychain file?

Who can confirm or correct the above, and supply the missing steps?

Note that the build process shall ultimately be run from CMake. Therefore command-line tools are preferred over GUI actions.

[1] https://appleid.apple.com/account

[2] https://developer.apple.com/

[3] https://stackoverflow.com/a/37923530/1017348

Joachim W

1 Answer

You can build and sign to completion using Xcode, or you can build and then sign and notarise the binaries using codesign, altool, and stapler tools.

Xcode attempts to handle the complexity for you, at the cost of your not needing to understand or know about the individual steps involved. .developerprofile files are part of Xcode and Xcode is not essential to preparing a binary for distribution.

See Apple's Xcode Guide - Distribute your app and Distribute outside the Mac App Store (macOS).

Apple have also published the following guides on code signing and notarizing:

Identity

What is <identity>?

identity is the common name field of the digital certificate being used to sign the binary. The digital certificate is an X.509 certificate issued by Apple. You can obtain certificates for submission to the Apple app stores, and distribution outside of their stores, through the Apple developer web site.

See Apple Developer - Certificates

Apple Developer Program membership is required to request, download, and use signing certificates issued by Apple. For developers part of a team enrolled as an organization, you must also be the account holder or an admin to request distribution certificates used for submitting apps to the App Store.

Keychain

What is the keychain file?

Keychain files are managed through the Keychain Access application on macOS, see Applications/Utilities/Keychain Access. By default, the user's keychain files are stored in ~/Library/Keychains.

The keychain file is where macOS stores secure user information, such as credentials and certificate keys. The keychain file needs to be specified for the codesign tool to locate the private key associated with the signing certificate.

See Apple Developer - Keychain Services:

Securely store small chunks of data on behalf of the user.

Computer users often have small secrets that they need to store securely. For example, most people manage numerous online accounts. Remembering a complex, unique password for each is impossible, but writing them down is both insecure and tedious. Users typically respond to this situation by recycling simple passwords across many accounts, which is also insecure.

The keychain services API helps you solve this problem by giving your app a mechanism to store small bits of user data in an encrypted database called a keychain. When you securely remember the password for them, you free the user to choose a complicated one.

Support from Apple

If the documentation linked above does not help, please contact Apple. The process you are facing is demanded by Apple, and Apple should burden the support it creates.

As a registered Apple Developer, you have access to Technical Support Incidents:

Requesting Technical Support

A Technical Support Incident (TSI) is a request for code-level support for Apple frameworks, APIs, and tools, and is available to members of the Apple Developer Program and Apple Developer Enterprise Program.

Graham Miln
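One way to wire the codesign step discussed above into a CMake build, which the question asks for, added here as an example that is not from the question, the answer, or Apple's documentation. It assumes a bundle target named MyApp built from main.cpp, and takes the identity (the certificate's common name) and the keychain path from the cache variables CODESIGN_IDENTITY and CODESIGN_KEYCHAIN, which are placeholders of this example.

```cmake
# Added example: sign and verify a macOS app bundle as a post-build step.
# Assumed target/source names: MyApp, main.cpp. Assumed cache variables:
# CODESIGN_IDENTITY and CODESIGN_KEYCHAIN (both introduced by this example).
cmake_minimum_required(VERSION 3.13)
project(MyApp LANGUAGES CXX)

add_executable(MyApp MACOSX_BUNDLE main.cpp)

# <identity> is the common name of the signing certificate, as listed by
#   security find-identity -v -p codesigning
# Pass it on the command line, e.g. -DCODESIGN_IDENTITY="Developer ID Application: <Name> (<TEAMID>)"
set(CODESIGN_IDENTITY "" CACHE STRING
    "Common name of the certificate used by codesign --sign")
# The keychain that holds the certificate's private key; empty means
# codesign searches the default keychain search list.
set(CODESIGN_KEYCHAIN "" CACHE FILEPATH
    "Keychain file containing the signing certificate's private key")

if(APPLE AND CODESIGN_IDENTITY)
  set(_keychain_arg "")
  if(CODESIGN_KEYCHAIN)
    set(_keychain_arg --keychain "${CODESIGN_KEYCHAIN}")
  endif()

  add_custom_command(TARGET MyApp POST_BUILD
    # --force replaces any existing signature; --timestamp embeds a secure
    # timestamp and --options runtime enables the hardened runtime, both of
    # which notarization expects.
    COMMAND codesign --force --timestamp --options runtime
            --sign "${CODESIGN_IDENTITY}" ${_keychain_arg}
            "$<TARGET_BUNDLE_DIR:MyApp>"
    # Fail the build if the signature does not validate.
    COMMAND codesign --verify --deep --strict --verbose=2
            "$<TARGET_BUNDLE_DIR:MyApp>"
    COMMENT "Signing and verifying ${PROJECT_NAME}.app"
    VERBATIM)
else()
  message(STATUS "CODESIGN_IDENTITY not set; ${PROJECT_NAME} will be built unsigned")
endif()
```

Configure with `cmake -DCODESIGN_IDENTITY="<identity>" -DCODESIGN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db" ..`; notarization with altool and stapler, mentioned in the answer, would follow as a separate step on the built bundle or disk image.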