Moving signing to a new machine

We have a Mac that is used to sign and notarize our installers. This Mac will be going away soon, so I have to set up a new Mac to do that work. I've been able to install all the tools, but I can't get them to work. The certificates are in the keychain, but don't show up in "My Certificates", probably because the related keys don't exist in the "Keys" list. I'm using the same Apple Dev ID that I used on the other machine.

HOW do I get things set up on the new machine to work? There must be some way to get key/certificate pairs to work. (I am very definitely NOT a Mac expert, barely even a novice.)

The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu.

Having said that, Developer ID signing identities are precious and I encourage you to maintain your own backup of them. See the various posts on this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The problem with that is that we don't use Xcode for development. We are a Java application, and only use a few of the Xcode tools to sign the app. I still have no idea what I did in the past to get the key into my keychain.
The ONLY thing we use the Mac for is to assemble our app, sign it, and assemble an installer and notarize that. Note that I'm just one of several developers working under a team Apple dev account.

Note that I tried to use "Keychain Access" to export the relevant private key (which shows the related certificate under it). While the export seemed to work, importing it on the new Mac doesn't seem to have added anything to the keychain. I had to enter an admin password 3 times, and the p12 password - and then absolutely nothing changed.

Note that I HAVE made progress. I figured out that I had to set up (again) a new stored credential for the notary tool. I was able to do that, and now I get further.

Notarization is attempted, takes a while, and then fails.

Current status: Invalid........................Processing complete
  id: 0e4af460-82b1-468e-9396-f711485e0a11
  status: Invalid

Not an especially helpful message.

Not an especially helpful message.

The next step is to fetch the notary log.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yup, and I immediately found a problem with our build system. It didn't save the notarization log. Had to fix that. So, I fixed it and ran again. The log contained 3 errors, all for the same file:

      "path": "Metrix Installer.dmg/Metrix-Installer.app/Contents/MacOS/Installer",
      "message": "The binary is not signed with a valid Developer ID certificate.",
      "message": "The signature does not include a secure timestamp.",
      "message": "The executable requests the com.apple.security.get-task-allow entitlement.",

The interesting thing is that the same set of files will work if run on the old Mac VM - using the same Apple Dev account.

We built the Installer app last year (using a different Apple Dev account), and have just been re-using it since. The stuff that changes is what the app installs.

I started up Xcode to see if I could just recompile the Installer app - but now, with the most current Xcode, there are various errors with text controls (size mostly) and some permissions settings, and it won't build until those issues are fixed. (At least, running a build does not result in an "Installer.app" like it used to.) While I have been able to fix some minor issues with the code in the past (mostly changing some strings), I've been unable to find solutions to the current compile issues. When I search for the various error messages I find solutions from 2 years ago that use settings that don't exist.

Yes, I'm annoyed, tired, and grumpy right now, and definitely NOT an Apple Developer with experience using Xcode. Gonna have to see if we have somebody on staff that knows how to deal with this mess.
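Added example (my own code, not the poster's build system or Apple's): given the JSON that `xcrun notarytool log <submission-id> --keychain-profile <profile> log.json` writes, group the errors by file and attach the signing-step fix each of the three quoted messages points at, so a build can fail fast with something more useful than "Invalid". The sample log is constructed from the lines quoted above; the field names follow notarytool's JSON output as I know it, and the remediation table is my own.

```python
"""Triage a notarytool log: group errors by path and suggest the codesign fix."""
import json
from collections import defaultdict

INSTALLER = "Metrix Installer.dmg/Metrix-Installer.app/Contents/MacOS/Installer"

# Constructed sample of notarytool's log JSON (subset of fields), built from the
# three errors quoted in the thread plus one made-up warning to show filtering.
SAMPLE_LOG = json.dumps({
    "status": "Invalid",
    "issues": [
        {"severity": "error", "path": INSTALLER,
         "message": "The binary is not signed with a valid Developer ID certificate."},
        {"severity": "error", "path": INSTALLER,
         "message": "The signature does not include a secure timestamp."},
        {"severity": "error", "path": INSTALLER,
         "message": "The executable requests the com.apple.security.get-task-allow entitlement."},
        {"severity": "warning", "path": "Metrix Installer.dmg",
         "message": "constructed warning: warnings do not make a submission Invalid"},
    ],
})

# Message fragment -> what to change in the codesign step. All three fixes live in
# how the binary was signed, which is why the same files pass on the old Mac.
REMEDIATIONS = {
    "valid Developer ID certificate": "sign with a 'Developer ID Application' identity "
                                      "(an Apple Development identity is not accepted)",
    "secure timestamp": "pass --timestamp to codesign so Apple's timestamp server countersigns",
    "get-task-allow": "drop the get-task-allow entitlement; it is a debug-only entitlement "
                      "that Debug builds / development signing add",
}

def triage(log_text):
    """Return {path: [(message, remediation), ...]} for every error-severity issue."""
    log = json.loads(log_text)
    by_path = defaultdict(list)
    for issue in log.get("issues") or []:   # "issues" is null on an Accepted submission
        if issue.get("severity") != "error":
            continue
        msg = issue["message"]
        fix = next((fix for frag, fix in REMEDIATIONS.items() if frag in msg),
                   "no canned fix; read the docUrl field in the log")
        by_path[issue["path"]].append((msg, fix))
    return dict(by_path)

if __name__ == "__main__":
    for path, problems in triage(SAMPLE_LOG).items():
        print(path)
        for msg, fix in problems:
            print(f"  - {msg}\n    fix: {fix}")
```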

I raise this question again. Earlier you suggested:

"The easiest way to do this is use Xcode’s import/export feature. Launch Xcode, choose Xcode > Settings, select Accounts, select the account in question, then choose Export Apple ID and Code Signing Assets from the action (…) menu."

In Xcode 16 I cannot find any import/export commands to move existing codesign certificates/keys to my second Mac.

Probably it will be easier to create a NEW individual codesign certificate for EVERY Mac I use?

In Xcode 16 I cannot find any import/export commands

Indeed. My understanding is that this feature was removed.

The best path forward depends on the type of code signing identity you’re using:

  • For Developer ID, I recommend managing those independently. See The Care and Feeding of Developer ID.

  • For Apple Development, just enable automatic code signing and let Xcode do its thing. It’ll create a new signing identity on each machine and that’s fine.

  • For App Store stuff — Apple Distribution and friends — the story is less clear cut because you don’t really want to create them willy-nilly but losing one is not Bad™ like it is for Developer ID. I suspect that the best choice is gonna be informed by your organisational structure.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn,

Thanks for your reply.

I use "Developer ID Application" certificate. So I've read your recommended article: https://developer.apple.com/forums/thread/732320

If I understood you rightly, you suggested creating 2 independent "Developer ID Application" certificates/keys for my 2 Macs with the same Apple ID account?

I've read your mention that 5 certificates are the maximum allowed. In another source I've read that once I create a new certificate, it will deactivate other existing certificates.

Also on the Apple Developer website I can only download created certificates and cannot delete unused certificates. I mistakenly created one more certificate which was not used.

Note that your article still contains a mention of export/import features in Xcode which are no longer available in the current V16: "Alternatively, Xcode has a feature to export and import your developer account, including your Developer ID signing identities. <...>"

you suggested creating 2 independent "Developer ID Application" certificates/keys for my 2 Macs with the same Apple ID account?

No. Indeed, that’s the exact opposite of what I suggest. Developer ID signing identifiers are limited, so you should create the minimum number that’s necessary. Quoting The Care and Feeding of Developer ID:

Don’t create Developer ID signing identities unnecessarily. Most folks only need to create one.

I've read your mention that 5 certificates are the maximum allowed. In another source I've read that once I create a new certificate, it will deactivate other existing certificates.

When reading discussions like this, pay careful attention to the certificate type being discussed. I believe the latter refers to Apple Distribution certificates. Developer ID follows different rules.

Also on Apple Developer website I can only download created certificates and cannot delete unused certificates.

Again, the certificate type is critical. You can’t delete Developer ID certificates because that’d revoke them, and revoking them has significant consequences. If you need to revoke a Developer ID certificate, follow the process Developer > Support > Certificates.

IMPORTANT Don’t do this just to clean up. Only do it if the private key was compromised.

your article still contains a mention of export/import features in Xcode

Ah, yes. Thanks for letting me know. I’ve updated that post accordingly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Quinn,

Thanks again for your reply.

Sorry, I'm still confused. Please can you write a separate chapter with instructions on how to copy an existing "Developer ID" certificate/key to a second Mac?

Consider the process described in the Back Up Your Signing Identities section of that post. To migrate a signing identity:

  1. Back it up on the source machine.

  2. Transfer the .p12 file to the destination machine.

  3. Restore it on that machine.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
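For step 3, an added example (my own code, not from the thread or from Apple's post) of restoring the .p12 with the `security` CLI and then confirming the identity is actually usable. `security find-identity -v` lists only identities whose private key is present in the keychain, so it is the check the earlier failed import (nothing appearing under "My Certificates") needed; the `-T` flags and `set-key-partition-list` are what let codesign use the key without a GUI prompt. The keychain path, passwords and the sample `find-identity` output are assumptions.

```python
"""Restore a Developer ID identity from a .p12 and verify codesign can see it."""
import os
import re
import subprocess

# Assumed: the identity goes into the default login keychain.
LOGIN_KEYCHAIN = os.path.expanduser("~/Library/Keychains/login.keychain-db")

def import_cmd(p12_path, p12_password, keychain=LOGIN_KEYCHAIN):
    """-T marks codesign/security as allowed to use the imported key.
    Note that -P puts the passphrase on the command line; omit it to be prompted."""
    return ["security", "import", p12_path, "-k", keychain, "-P", p12_password,
            "-T", "/usr/bin/codesign", "-T", "/usr/bin/security"]

def partition_cmd(login_password, keychain=LOGIN_KEYCHAIN):
    """Keys imported from the CLI also need this on current macOS,
    otherwise codesign blocks on a keychain prompt (fatal on a build box)."""
    return ["security", "set-key-partition-list", "-S", "apple-tool:,apple:",
            "-s", "-k", login_password, keychain]

# One line per identity: `  1) <40 hex SHA-1> "<common name>"`
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"\s*$', re.M)

def developer_id_identities(find_identity_output):
    """Parse `security find-identity -v -p codesigning` output into
    [(sha1, name)] for Developer ID Application identities only."""
    return [(sha1, name) for sha1, name in IDENTITY_RE.findall(find_identity_output)
            if name.startswith("Developer ID Application:")]

def restore_and_verify(p12_path, p12_password, login_password, run=subprocess.run):
    """Import, fix the partition list, then return what codesign can actually use."""
    run(import_cmd(p12_path, p12_password), check=True)
    run(partition_cmd(login_password), check=True)
    out = run(["security", "find-identity", "-v", "-p", "codesigning"],
              capture_output=True, text=True, check=True).stdout
    return developer_id_identities(out)

# Constructed sample of find-identity output (team id and hashes are made up).
SAMPLE_FIND_IDENTITY = """\
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (TEAMID1234)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Developer ID Application: Example Corp (TEAMID1234)"
     2 valid identities found
"""

if __name__ == "__main__":
    print(developer_id_identities(SAMPLE_FIND_IDENTITY))
```

An empty list after the import means the certificate landed without its private key (the symptom described at the top of the thread), so re-export the key and certificate together from the source machine rather than the certificate alone.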

Quinn, on my SW manufacturing iMac (Intel), I'm able to sign my .dmg installers.

That said, when I attempt to port the signing environment over to my M2, I'm thwarted in creating the .p12 file. This Export option is grayed out. What could be causing that?

It looks like you started a couple of new threads for these issues:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
