问题
We are developing a Mac OS X application that we are going to distribute outside the Mac App Store. We ended up having these certificates in the Mac Developers program:
and when I go to select one for signing the application, I find this:
Am I correct in that I should use Developer ID: * for Debug? Will that allow developers that don’t have my company’s certificate to sign the application to be able to run it locally?
What certificate should I use for Release?
回答1:
For development (for example, the Debug configuratino) use the Mac Developer option, which will choose your local Mac Developer certificate (in your case "Mac Developer: José Fernández"), which is meant for team members working on your project (includes testing/debugging).
For Release, use "Developer ID: *" which will pick the standard application release certificate used outside the AppStore, in your case "Developer ID Application: Carousel Apps. I recommend doing a final test/debug after codesigning to ensure it's working as expected.
The way Xcode picks up certificates is by a simple substring matching.
Apple Codesigning Certificate Types
(Name, Type, Description)
iOS Development
- iPhone Developer: Team Member Name Used to run an iOS app on devices and use certain app services during development.
iOS Distribution
- iPhone Distribution: Team Name Used to distribute your iOS app on designated devices for testing or to submit it to the App Store.
Mac Development
- Mac Developer: Team Member Name Used to enable certain app services during development and testing.
Mac App Distribution
- 3rd Party Mac Developer Application: Team Name Used to sign a Mac app before submitting it to the Mac App Store.
Mac Installer Distribution
- 3rd Party Mac Developer Installer: Team Name Used to sign and submit a Mac Installer Package, containing your signed app, to the Mac App Store.
Developer ID Application
- Developer ID Application: Team Name Used to sign a Mac app before distributing it outside the Mac App Store.
Developer ID Installer
- Developer ID Installer: Team Name Used to sign and distribute a Mac Installer Package, containing your signed app, outside the Mac App Store
Once codesigned you can also simulate the launch behavior of your app when Gatekeeper is enabled from Terminal.app:
spctl -a -v Carousel.app
./Carousel.app: accepted
source=Developer ID
The
Developer ID Applicationcertificate allows your app to run withGatekeeperon the setting "allow apps downloaded from Mac App Store and identified developers"
回答2:
To code sign via the terminal (if not using Xcode):
codesign -s "Developer ID" -v Carousel.app # to sign with "Developer ID Application" for distribution
codesign -s "Mac Developer" -v CarouselDebug.app # to sign with "Mac Developer:*" for testing
spctl -a -v Carousel.app # to verify, look for "accepted"
spctl -a -v CarouselDebug.app # to verify, look for "accepted"
Codesign finds the correct certificate by looking for certificates in your keychain that have the -s string as a substring. If only more than one certificate matches, it will warn you and you can give a longer string.
Reference: https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW4
来源:https://stackoverflow.com/questions/29039462/which-certificate-should-i-use-to-sign-my-mac-os-x-application