macOS signing and release guide 2020
This guide focuses on creating and signing a macOS application for distribution outside of the App Store. This is most easily achieved by building and exporting through Xcode, which makes this painful experience just a little bit easier. It is also entirely possible via the command line, which won't be covered here, but I will provide a relevant link at the bottom.
In order to build an application for distribution, your Apple Developer account needs to have "Access to Certificates, Identifiers & Profiles" ticked in Developer Resources.
Identifiers, Provisioning profiles and certificates
To distribute an application outside the Mac App Store, a Developer ID certificate is required. Apps signed in this way are evaluated by Gatekeeper when a user attempts to install the application.
The following steps can be achieved in the Certificates, Identifiers & Profiles page on the Apple Developer website.
- Create an identifier for your application. This is what uniquely identifies an application in Apple's ecosystem.
- Create a provisioning profile (per user) with the type "Developer ID Application" for distribution and with the App ID set to the identifier created in step 1.
- Create a signing certificate (per user).
- Generate a Certificate Request from the Keychain Access utility:
- Keychain Access menu
- Certificate Assistant
- Request a Certificate From a Certificate Authority.
- Fill in your details leaving the CA email blank.
- Save to disk. This creates a .certSigningRequest file
- On the Apple Developer website choose "Create a New Certificate" with the type "Developer ID Application" under distribution. When prompted upload the .certSigningRequest file created in the previous step.
Steps in Xcode
In Xcode go to Xcode menu -> Preferences -> Accounts. Sign in to your account if you have not done so already. Click Download Manual Profiles and then Manage Certificates. The distribution certificate we just created should be visible in the pop-up window.
Deploy & Release builds
We're mainly focused on signing our app for distribution. But we can also sign for debug + release modes:
- Click on your Target
- Under the Signing Debug / Release menu select the provisioning profile we created above. Xcode should also resolve the signing certificate. If not, check the dropdown.
- If this step fails you may need to create specific development certificates.
1. Select Product menu -> Archive.
2. If / when step 1 succeeds, open Window -> Organiser, where you can find all of your macOS archives. Select the one you wish to export and click "Developer ID" as the method of distribution.
3. It is recommended that you click "Upload" in order to have the application validated by Apple's notary service*. Note that if you select this option you must wait for the service to complete and send you a notification that it has completed. ("Export" will immediately create your signed application.)
4. Select the "Distribution Certificate" and the "Provisioning Profile" for your app from the two dropdown menus. Upload to Apple for validation.
5. Once the validation is completed, from the Organiser window click "Export Notarized App".
* It is even essential for > macOS 10.14.5
Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run. Beginning in macOS 10.15, all software built after June 1, 2019, and distributed with Developer ID must be notarized.
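Before shipping the exported app, it is worth confirming on a Mac that it really is Developer ID signed and notarized. The script below is an added example, not part of the original guide; it uses the stock `codesign`, `spctl` and `xcrun stapler` tools, and the app name, team ID and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: post-export checks for a Developer ID build (run on macOS).
# Usage: sh verify_export.sh /path/to/MyApp.app   (script name is hypothetical)

# Classify the report printed by `spctl --assess -vv`.
# Prints one of: notarized | unnotarized | rejected | unknown
classify_spctl() {
    out=$1
    case $out in
        *"source=Unnotarized Developer ID"*|*"source=Developer ID"*)
            echo unnotarized ;;   # signed, but no notarization ticket found
        *": accepted"*"source=Notarized Developer ID"*)
            echo notarized ;;
        *": rejected"*)
            echo rejected ;;      # e.g. unsigned or broken signature
        *)
            echo unknown ;;
    esac
}

# Run the real checks against an exported .app bundle.
check_app() {
    app=$1
    # 1. Signature is intact and covers nested code.
    codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # 2. Gatekeeper's verdict; spctl writes its report to stderr.
    verdict=$(classify_spctl "$(spctl --assess --type execute -vv "$app" 2>&1)")
    echo "Gatekeeper: $verdict"
    [ "$verdict" = notarized ] || return 1
    # 3. The notarization ticket is stapled to the bundle.
    xcrun stapler validate "$app"
}

# Constructed sample reports (hypothetical app name and team ID).
SAMPLE_NOTARIZED='MyApp.app: accepted
source=Notarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNNOTARIZED='MyApp.app: rejected
source=Unnotarized Developer ID
origin=Developer ID Application: Example Corp (ABCDE12345)'
SAMPLE_UNSIGNED='MyApp.app: rejected
source=no usable signature'

# Only touch the macOS tools when a bundle path is given.
if [ "$#" -gt 0 ]; then
    check_app "$1"
fi
```

A result of `unnotarized` means the app was exported with "Export" rather than going through "Upload" and "Export Notarized App".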
All of the above has been assembled out of trial and error and reading Apple's scattered documentation / Stack Overflow posts.