How to code sign an app with a "Developer ID Application" certificate as someone who is not the account holder?

I need to code sign a macOS desktop app with the Adobe AIR SDK adt -package command.

I believe I need to use a "Developer ID Application" certificate because we will be distributing this desktop app outside of the Mac App Store.

To my knowledge, only the Apple developer account holder can create a "Developer ID Application" certificate - thus I can't create this certificate.

The adt -package command requires a .p12 cert. So right now my non-technical client (the account holder) creates the CSR and the cert and then converts it to a .p12 cert. Then they send me the .p12 cert and the password for the .p12 cert.

When I then attempt to sign the app with the adt -package command I get the error:

===
Unable to build a valid certificate chain for the signer.
===

I added the .p12 cert and the WWDC to my keychain.

Should I be able to do all this if my client only gives me the .p12 and the password for the .p12? Or do I need something more?

Is there a way that I can remove my client from this entire workflow, even though they are the account holder, so that I can ensure that all steps are performed properly?
It sounds like you are missing the WWDR intermediate certificate. Xcode installs that but if you aren’t using Xcode then you have to install it by hand. You can get a copy from the Apple PKI (under the title WWDR Certificate).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
I installed both the 2023 WWDR and the 2030 WWDR and I am still getting the same error message. Do you happen to have any other ideas?
Have you confirmed the certificate chain is correct using Keychain Access or another diagnostic tool? Certificate Assistant can evaluate an identity and show the chain it's constructed, as proof.
For the Developer ID part, depending how AIR signs the product it may be re-signable after you've used your Apple Development or other identity, as a last step. For example, productsign(1) will happily re-sign a PKG to a new file, and that could side-step a broken chain-construction algorithm in the adt tool.

> Have you confirmed the certificate chain is correct using Keychain Access or another diagnostic tool?

Right. There are two common causes for this problem:
  • A missing intermediate
  • A trust settings override

Trust settings are visible, and modifiable, in Keychain Access. All the certificates in the chain should have default settings.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
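
The first cause listed above, a missing intermediate, reproduced with OpenSSL as an added example that is not code from any poster in this thread. It assumes a locally generated Root -> Intermediate -> Leaf hierarchy (the subject names, file names and the password "demo" are constructed) and uses OpenSSL's verifier as a stand-in for chain building; it does not show how adt or the macOS keychain evaluate trust.

```bash
#!/usr/bin/env bash
# Constructed demo: a locally generated Root -> Intermediate -> Leaf hierarchy
# stands in for root CA -> intermediate CA -> signing certificate.
# Every key, name and the password "demo" are made up for this example.

issue() {  # issue <dir> <name> <subject> <signer-name|self> [extfile]
  local d=$1 n=$2 subj=$3 signer=$4 ext=${5:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
    -out "$d/$n.csr" -subj "$subj" 2>/dev/null || return 1
  set -- -req -in "$d/$n.csr" -days 2 -out "$d/$n.pem"
  [ -n "$ext" ] && set -- "$@" -extfile "$ext"
  if [ "$signer" = self ]; then
    set -- "$@" -signkey "$d/$n.key"
  else
    set -- "$@" -CA "$d/$signer.pem" -CAkey "$d/$signer.key" -CAcreateserial
  fi
  openssl x509 "$@" 2>/dev/null
}

make_demo() {  # make_demo <dir>: build the hierarchy and a leaf-only .p12
  local d=$1
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  issue "$d" root "/CN=Demo Root CA" self "$d/ca.ext" &&
  issue "$d" int "/CN=Demo Intermediate CA" root "$d/ca.ext" &&
  issue "$d" leaf "/CN=Demo Signing Leaf" int &&
  openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.pem" \
    -passout pass:demo -out "$d/leaf.p12"
}

certs_in_p12() {  # certs_in_p12 <file> <password>: count certificates inside
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE'
}

chain_ok() {  # chain_ok <leaf.pem> <root.pem> [intermediate.pem]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d) && make_demo "$demo"
echo "certificates inside the .p12: $(certs_in_p12 "$demo/leaf.p12" demo)"
chain_ok "$demo/leaf.pem" "$demo/root.pem" ||
  echo "leaf + root only: no chain can be built"
chain_ok "$demo/leaf.pem" "$demo/root.pem" "$demo/int.pem" &&
  echo "leaf + intermediate + root: chain verifies"
```

A .p12 exported with only the leaf and its key carries one certificate, so every issuer above it has to be available separately to whatever builds the chain.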