macOS signing and release guide 2020

Recently, as part of the final preparations for a release, we've had to go through the arduous task of complying with Apple's code-signing rules. It's very easy to find yourself drowning in the scattered and verbose documentation available (and many blog posts / StackOverflow answers are outdated because it changes so often), so I've put together a quick guide outlining how to complete app distribution on macOS outside of the App Store. Note: macOS App Store and iOS distribution overlap with what is described here, but they require a different set of certificates and some additional steps.


This guide is focused on creating and signing a macOS application for distribution outside of the App Store. This is most easily achieved by building and exporting through Xcode, which makes this painful experience just a little bit easier. It is also entirely possible to do the whole thing from the command line; that won't be covered here, but I will provide a relevant link at the bottom.

Account

In order to be able to build an application for distribution your Apple Developer account needs to have "Access to Certificates, Identifiers & Profiles" ticked in Developer Resources.

Identifiers, Provisioning profiles and certificates

For distributing an application outside the Mac App Store a Developer ID certificate is required. Apps signed in this way are evaluated by Gatekeeper when a user attempts to install the application.

The following steps can be achieved in the Certificates, Identifiers & Profiles page on the Apple Developer website.

  1. Create an identifier for your application. This is what uniquely identifies an application in Apple's ecosystem.
  2. Create a provisioning profile (per user) with the type Developer ID Application for distribution and with the App ID set to the identifier created in step 1.
  3. Create a signing certificate (per user).
  • Generate a Certificate Signing Request from the Keychain Access utility:
    • Keychain Access menu
    • Certificate Assistant
    • Request a Certificate From a Certificate Authority
  • Fill in your details, leaving the CA email address blank.
  • Save to disk. This creates a .certSigningRequest file.
  • On the Apple Developer website choose "Create a New Certificate" with the type "Developer ID Application" under Distribution. When prompted, upload the .certSigningRequest file created in the previous step.

Steps in Xcode

In Xcode go to Xcode menu -> Preferences -> Accounts. Sign in to your account if you haven't already. Click Download Manual Profiles and then Manage Certificates. The distribution certificate we just created should be visible in the pop-up window.

Deploy & Release builds

We're mainly focused on signing our app for distribution, but we can also sign the Debug and Release configurations:

  • Click on your Target.
  • Under the Signing (Debug / Release) menu select the provisioning profile we created above. Xcode should also resolve the signing certificate; if not, check the dropdown.
  • If this step fails you may need to create separate development certificates.

Archiving

  1. Select Product menu -> Archive.

  2. When step 1 succeeds, open Window -> Organiser, where you can find all of your macOS archives. Select the one you wish to export and click Distribute App.

  3. Select Developer ID as the method of distribution.

  4. It is recommended that you click Upload in order to have the application validated by Apple's notary service*. Note that if you select this option you must wait for the service to complete and send you a notification back before proceeding. (Export will immediately create your signed application, without notarization.)

  5. Select your Distribution Certificate and the Provisioning Profile for your app from the two dropdown menus. Upload to Apple for validation.

  6. Once validation completes, click Export Notarized App in the Organiser window.

    * Notarization is required from macOS 10.14.5 onwards. Apple's documentation states:

    Beginning in macOS 10.14.5, software signed with a new Developer ID certificate
    and all new or updated kernel extensions must be notarized to run.
    Beginning in macOS 10.15, all software built after June 1, 2019, and distributed
    with Developer ID must be notarized.
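
Once the notarized app has been exported, it is worth confirming on the exported bundle what Gatekeeper will see before shipping it. The script below is an added example, not part of the original post: it runs codesign, spctl and stapler against the bundle and parses the codesign report for the Developer ID chain and the hardened runtime flag that notarization requires. The sample outputs embedded in it are constructed, and TEAMID1234 / Example Corp are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks on an exported
# Developer ID build. Sample outputs are constructed; TEAMID1234 is a placeholder.

# Reads `codesign -dvvv` output on stdin; succeeds only if the Authority= lines
# form the Developer ID chain (leaf, intermediate, root) that Gatekeeper expects.
check_authority_chain() {
    awk '
        /^Authority=/ { n++; a[n] = substr($0, 11) }
        END {
            if (n != 3) exit 1
            if (index(a[1], "Developer ID Application:") != 1) exit 1
            if (a[2] != "Developer ID Certification Authority") exit 1
            if (a[3] != "Apple Root CA") exit 1
        }'
}

# Notarization requires the hardened runtime, shown as a "runtime" flag.
check_hardened_runtime() {
    grep -q '^CodeDirectory .*flags=0x[0-9a-f]*(.*runtime'
}

# verify_app <path/to/MyApp.app>: run the real tools on macOS against the bundle.
verify_app() {
    app=$1
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    info=$(codesign -dvvv "$app" 2>&1)   # codesign -d reports on stderr
    printf '%s\n' "$info" | check_authority_chain || { echo "not Developer ID signed"; return 1; }
    printf '%s\n' "$info" | check_hardened_runtime || { echo "hardened runtime not enabled"; return 1; }
    # Gatekeeper's own verdict; the source line shows whether a notarization ticket was found.
    spctl --assess --type execute --verbose=4 "$app" 2>&1 | grep -q 'source=Notarized Developer ID' ||
        { echo "not accepted as notarized"; return 1; }
    xcrun stapler validate "$app"   # a stapled ticket lets the check pass offline
}

# Constructed `codesign -dvvv` output for a correctly signed, notarizable build.
SAMPLE_GOOD='Identifier=com.example.MyApp
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
Authority=Developer ID Application: Example Corp (TEAMID1234)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID1234'

# Constructed output for a development-signed build, which Gatekeeper rejects.
SAMPLE_DEV='Identifier=com.example.MyApp
CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded
Authority=Apple Development: Example Corp (TEAMID1234)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'
```

Run `verify_app /path/to/MyApp.app` on the exported bundle; the parsing helpers can be exercised anywhere with the constructed samples.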

Further Reading:

All of the above has been assembled out of trial and error and reading Apple's scattered documentation and Stack Overflow posts.