AppStore submission for Ruby/Glimmer app on MacOS without Xcode

Background

I've repeatedly run into codesigning (and missing provisioning profile) issues for my Ruby/Glimmer app and am looking for ways to troubleshoot this outside of Xcode. The app structure is as follows:

PATHmanager.app
└── Contents
    ├── Info.plist
    ├── MacOS
    │   └── PATHmanager
    ├── PkgInfo
    ├── Resources
    │   └── AppIcon.icns
    ├── _CodeSignature
    │   └── CodeResources
    └── embedded.provisionprofile

Architecture

I have a Mac mini Apple M2 Pro with macOS Ventura 13.4. Xcode is not used directly, but the underlying command line tools (e.g., codesign, productbuild, pkgutil, xcrun) are run from a custom Ruby script.

xcodebuild -version
Xcode 14.3.1
Build version 14E300c

Questions

  1. Is the .app directory and file structure/naming sufficient? If not, can you point me in the direction of a minimal example that does not use Xcode?

  2. Info.plist is an XML text document (not binary), which I believe is in an acceptable format, but how do I lint this file and determine if it contains all of the necessary key/value pairs?

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>CFBundleDevelopmentRegion</key>
	<string>en</string>
	<key>CFBundleDisplayName</key>
	<string>PATH manager</string>
	<key>CFBundleExecutable</key>
	<string>PATHmanager</string>
	<key>CFBundleIconFile</key>
	<string>AppIcon.icns</string>
	<key>CFBundleIdentifier</key>
	<string>com.chipcastle.pathmanager</string>
	<key>CFBundleInfoDictionaryVersion</key>
	<string>6.0</string>
	<key>CFBundleName</key>
	<string>PATHmanager</string>
	<key>CFBundlePackageType</key>
	<string>APPL</string>
	<key>CFBundleShortVersionString</key>
	<string>1.15</string>
	<key>CFBundleSupportedPlatforms</key>
	<array>
		<string>MacOSX</string>
	</array>
	<key>CFBundleVersion</key>
	<string>1.15</string>
	<key>ITSAppUsesNonExemptEncryption</key>
	<false/>
	<key>LSApplicationCategoryType</key>
	<string>public.app-category.developer-tools</string>
	<key>LSMinimumSystemVersion</key>
	<string>12.0</string>
	<key>LSUIElement</key>
	<false/>
	<key>NSAppTransportSecurity</key>
	<dict>
		<key>NSAllowsArbitraryLoads</key>
		<true/>
	</dict>
	<key>NSHumanReadableCopyright</key>
	<string>© 2025 Chip Castle Dot Com, Inc.</string>
	<key>NSMainNibFile</key>
	<string>MainMenu</string>
	<key>NSPrincipalClass</key>
	<string>NSApplication</string>
</dict>
</plist>

  3. PATHmanager is a Mach-O 64-bit executable arm64 file created by using Tebako. Does this executable need to be codesigned, or is codesigning the .app folder sufficient?

  4. Does the .app directory need an entitlements file? Here's how I codesign it:

codesign --deep --force --verify --verbose=4 --options runtime --timestamp --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app'

  5. Does the PATHmanager binary need an entitlements file? Here's how I codesign it:

codesign --deep --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/Desktop/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager'

  6. How can I verify what entitlements, if any, are required for codesigning the binary? The PATHmanager.entitlements file is an XML text file containing only the following:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
</dict>
</plist>

  7. Is the embedded.provisionprofile necessary, and if so, how do I determine if it matches the certificate or entitlements that I'm using? Additionally, is it named and located properly?

  8. I submitted this to the AppStore several weeks ago and the reviewer reported that the executable would not load on their machine (even though it worked on mine.) Is it better for me to release via TestFlight for testing, and if so, do I need to follow a separate process for codesigning (i.e., using different entitlements, profiles, certs, etc) when doing so?

I've been playing whack-a-mole with this for too long to mention and am hoping to nail down a better deployment flow, so any suggestions for improvement will be greatly appreciated. Thank you in advance.

Answered by DTS Engineer in 826040022
Written by chipcastle in 774923021
Is the .app directory and file structure/naming sufficient?

It looks reasonable enough. A good place to start with this stuff is Placing Content in a Bundle. If you need more info then create a test project in Xcode, build it, and see what it did.

Written by chipcastle in 774923021
how do I lint this file … ?

You can lint it with plutil. Indeed, I recommend you do that.

Actually, my general advice is that you use plutil to convert it to the XML format, which means it’s not just technically correct but in the canonical format.

Written by chipcastle in 774923021
and determine if it contains all of the necessary key/value pairs?

It’s hard to answer that, because it depends on what your app does. However, a good place to start is with the above-mentioned Xcode project.

Written by chipcastle in 774923021
is codesigning the .app folder sufficient?

This is answered by Creating distribution-signed code for macOS. I recommend that you follow the advice there, and in Packaging Mac software for distribution.

Written by chipcastle in 774923021
Does the .app directory need an entitlements file?

The file itself? No. Entitlements are baked into the program when you sign it. So you might need an .entitlements file as an input to codesign, but you don’t need to include that specific file in your app.

As to whether you need entitlements at all, that very much depends. See below.

Written by chipcastle in 774923021
Here's how I codesign it:

Don’t use --deep. See --deep Considered Harmful.

Written by chipcastle in 774923021
How can I verify what entitlements, if any, are required for codesigning the binary?

There’s no single answer to that question. It depends on what your code does.

However, if you’re distributing on the App Store then, yes, you definitely need the entitlement that enables the App Sandbox.

Also, if you plan to use TestFlight, which you should, see TestFlight, Provisioning Profiles, and the Mac App Store.

Written by chipcastle in 774923021
Is the embedded.provisionprofile necessary

Only if your app uses restricted entitlements. The App Sandbox entitlement is not restricted, but the TestFlight ones are.

Written by chipcastle in 774923021
how do I know determine if it matches the certificate or entitlements that I'm using?

TN3125 Inside Code Signing: Provisioning Profiles explains that in gory detail.

Written by chipcastle in 774923021
Additionally, is it named and located properly?

This is another thing covered by Placing Content in a Bundle.

Written by chipcastle in 774923021
Is it better for me to release via TestFlight for testing

Yes. And that does complicate things somewhat, as I mentioned above.


Written by Etresoft in 825899022
The easiest solution is to set up a demo Xcode app with the same name and bundleID and see how Xcode does it.

This is good advice IMO.

You can both look at the output and also look at the build transcript to work out how Xcode created that output.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The easiest solution is to set up a demo Xcode app with the same name and bundleID and see how Xcode does it. Deviate at your peril.

If you're trying to roll your own app, I recommend consulting all of the existing documentation first. A good place to start would be --deep Considered Harmful

Also, Apple now requires Xcode 15 for App Store submissions. See this news post. So even if you aren't building and submitting with Xcode 15, you would want to use Xcode 15 to build that demo template app. Xcode 15 does work on Ventura. However, that update was over a year ago now. Apple could change this requirement "any day now".

You should really be testing on a pristine system that has never seen Xcode or your app before. You may be able to use a VM for this.

@Etresoft Thank you for your prompt reply. I tried upgrading to Xcode 15, but the AppStore would only let me download version 14. I uninstalled Xcode, but afterwards it only offers version 16 and reports, "Requires macOS 14.5 or later.", which means I need to upgrade to Sonoma. Do you have another suggestion for downloading version 15 on Ventura? Thanks again.

Never download Xcode from the App Store. Always download it directly from the developer site. You can download Xcode 15 there too.

Thanks for the suggestion. I downloaded Xcode_15.xip, but opening reports, "You can't use this version of the application Xcode with this version of macOS."

Sorry, according to the Xcode support page, Xcode 15 requires macOS 13.5.

Making progress here:

  1. Upgraded to Sequoia 15.3.1, Xcode 16.2

  2. Codesigning executable returns 'satisfies its Designated Requirement' using:

codesign --force --verify --verbose=4 --options runtime --timestamp --entitlements '/Users/chip/Desktop/PATHmanager.entitlements' --sign 'Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager'

  3. Productbuild .pkg file returns successfully using:

productbuild --sign '3rd Party Mac Developer Installer: Chip Castle Dot Com, Inc. (BXN9N7MNU3)' --identifier 'com.chipcastle.pathmanager' --version '1.15' --component '/Users/chip/Desktop/distribution/PATHmanager.app' /Applications '/Users/chip/Desktop/PATHmanager.pkg'

  4. Verifying signature returns 'satisfies its Designated Requirement' using:

codesign --verify --verbose=4 '/Users/chip/Desktop/distribution/PATHmanager.app/Contents/MacOS/PATHmanager'

  5. Transporter uploads successfully.
  6. Running Verify via Transporter returns error: 'Invalid Provisioning Profile Signature'
  7. Other forum posters recommended regenerating a new profile and certificates, which I did using Xcode, and then downloading the profile again. I tried numerous times, but the same error persists via Transporter.

I read 'TN3125: Inside Code Signing: Provisioning Profiles', which mostly covers how to inspect the contents of the profile, but not how to troubleshoot errors. Any suggestions on how to drill down further with this error are appreciated. Thanks.

I’m glad to hear you’re making progress.

Regarding your provisioning profile issue, remember that a provisioning profile ties together a bunch of items, including the certificate from the code-signing identity used to sign the code. Given that, a distribution profile must necessarily be different from a development profile, because a distribution certificate is different from a development certificate. So, when you re-sign a development-signed app with your distributing signing identity, you have to first replace its development profile with your distribution profile.

Creating distribution-signed code for macOS covers this in its Embed distribution provisioning profiles section.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks, I just copied my distribution profile to PATHmanager.app/Contents/embedded.provisionprofile, re-signed the .app bundle and executable, and uploaded the pkg file using Transporter, which returns:

Show Progress: Verify failed.
Validation failed
Invalid Code Signing. The executable 'com.chipcastle.pathmanager.pkg/Payload/PATHmanager.app/Contents/MacOS/PATHmanager' must be signed with the certificate that is contained in the provisioning profile. (ID: 1810bc78-dcce-483f-b641-239894446e0d)

I'm confused. How can I match up the profile (shown below) with the cert? Thanks again.

	AppIDName: PATH Manager
	ApplicationIdentifierPrefix: BXN9N7MNU3
	CreationDate: 2025-03-01T00:23:44Z
	Platform: OSX
	IsXcodeManaged:
	DeveloperCertificates: <data>…</data>
	DER-Encoded-Profile: <data>…</data>
	PPQCheck:
	Entitlements:
		com.apple.application-identifier: BXN9N7MNU3.com.chipcastle.pathmanager
		keychain-access-groups: BXN9N7MNU3.*
		com.apple.developer.team-identifier: BXN9N7MNU3
	ExpirationDate: 2026-03-01T00:07:04Z
	Name: macOS Distribution Profile
	TeamIdentifier: BXN9N7MNU3
	TeamName: Chip Castle Dot Com, Inc.
	TimeToLive: 364
	UUID: f0fee8e1-a9b8-47d5-b87c-40b933fb0ced
	Version: 1

security find-identity -v
  1) B9C100CC75910543E3FCD9AE63357AE4E2736723 "Apple Development: Harroll Dean Castle (76CZ7DC9QM)"
  2) D67F1D2EE9FC682B0BDAFDA1924936335C6E7595 "Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3)"
  3) D99EF2166A4F18DC4DA375C39F20F3DF2656E841 "3rd Party Mac Developer Installer: Chip Castle Dot Com, Inc. (BXN9N7MNU3)"
     3 valid identities found

Written by chipcastle in 827583022
How can I match up the profile (shown below) with the cert?

TN3125 Inside Code Signing: Provisioning Profiles explains how to extract the certificates that are authorised by a profile. See The who section.

TN3161 Inside Code Signing: Certificates explains how to extract the certificate chain from a code signature. See the Chain of trust section.

I recommend that you do both and then check whether the certificate list in the profile contains the leaf certificate from the code’s certificate chain.

IMPORTANT Don’t rely on the common name in the certificate. Rather, look at the issuer and the serial number. Those are the properties that uniquely identify a certificate.

Or just compare the certificates byte-for-byte [1]. Or use shasum to generate a SHA-1 checksum for both certificates. The latter is handy because it aligns with the output from find-identity.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] This works because ASN.1 DER rules mean that there’s only one correct way to encode a certificate.

1. Unpack profile:

security cms -D -i distribution/PATHmanager.app/Contents/embedded.provisionprofile -o profile.plist

(attached profile.plist)

2. Extract the cert chain:

codesign --display --extract-certificates distribution/PATHmanager.app
openssl x509 -in codesign0 -inform der -text > leaf

(attached leaf)

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:9a:24:59:ac:96:e8:e8:45:f6:71:ab:59:b8:69:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G3, O=Apple Inc., C=US
        Validity
            Not Before: Mar  1 00:37:19 2025 GMT
            Not After : Mar  1 00:37:18 2026 GMT
        Subject: UID=BXN9N7MNU3, CN=Apple Distribution: Chip Castle Dot Com, Inc. (BXN9N7MNU3), OU=BXN9N7MNU3, O=Chip Castle Dot Com, Inc., C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                09:FE:C0:15:90:F9:AF:64:0A:92:12:B9:26:28:63:0C:97:EC:A7:B2
            Authority Information Access: 
                CA Issuers - URI:http://certs.apple.com/wwdrg3.der
                OCSP - URI:http://ocsp.apple.com/ocsp03-wwdrg305
            X509v3 Certificate Policies: 
                Policy: 1.2.840.113635.100.5.1
                  User Notice:
                    Explicit Text: Reliance on this certificate by any party assumes acceptance of the then applicable standard terms and conditions of use, certificate policy and certification practice statements.
                  CPS: https://www.apple.com/certificateauthority/
            X509v3 Extended Key Usage: critical
                Code Signing
            X509v3 Subject Key Identifier: 
                02:37:EF:12:ED:02:5A:32:25:5A:EE:D0:23:75:74:62:F0:84:88:0A
            X509v3 Key Usage: critical
                Digital Signature
            1.2.840.113635.100.6.1.7: critical
                ..
            1.2.840.113635.100.6.1.4: critical
                ..
    Signature Algorithm: sha256WithRSAEncryption

3. Serial number for leaf:

λ head leaf         
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            4a:9a:24:59:ac:96:e8:e8:45:f6:71:ab:59:b8:69:32
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G3, O=Apple Inc., C=US
        Validity
            Not Before: Mar  1 00:37:19 2025 GMT
            Not After : Mar  1 00:37:18 2026 GMT

4. What part of the profile should I compare to the leaf serial number?

λ shasum leaf
ce0e2fc70a9bde62745332b843ef650a918a39dc  leaf

I extracted the DeveloperCertificates property from the profile.plist you posted:

% cat profile-cert.b64                               
MIIF4TCCBMmgAwIBAgIQPWaGoIfFiyPRVIqVv2CUkDANBgkqhkiG9w0BAQsFADB1MUQwQgYD…

I then Base64 decoded it:

% base64 -d < profile-cert.b64 > profile-cert.der

And dumped it with openssl:

% openssl x509 -in profile-cert.der -inform der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            3d:66:86:a0:87:c5:8b:23:d1:54:8a:95:bf:60:94:90
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Apple Worldwide Developer Relations Certification Authority, OU=G3, O=Apple Inc., C=US

The issuer is correct but the serial number is different from the leaf example you posted.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
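
The comparison walked through in the two replies above (profile certificate list versus the leaf certificate of the code signature), as an added example that is not code from the thread or from Apple. It assumes `profile.plist` came from `security cms -D` and `codesign0` from `codesign --display --extract-certificates`, as shown in the posts; the function names and the sample byte strings are hypothetical, and the expiry check goes one step beyond the certificate match discussed here.

```python
import hashlib
import plistlib
import sys
from datetime import datetime, timezone


def sha1_hex(der: bytes) -> str:
    """SHA-1 of a DER blob, upper-case hex like `security find-identity -v` prints."""
    return hashlib.sha1(der).hexdigest().upper()


def check_profile(profile_plist: bytes, leaf_der: bytes, now=None) -> list:
    """Return a list of problems; an empty list means the profile authorises the signer.

    profile_plist: decoded profile (output of `security cms -D -i embedded.provisionprofile`)
    leaf_der:      leaf certificate of the signature (the `codesign0` file)
    """
    profile = plistlib.loads(profile_plist)
    problems = []

    # DeveloperCertificates is an array of <data> items, one DER certificate each.
    # DER has a single valid encoding, so byte equality is a sufficient match.
    allowed = profile.get("DeveloperCertificates", [])
    if leaf_der not in allowed:
        listed = ", ".join(sha1_hex(c) for c in allowed) or "none"
        problems.append(
            f"signing certificate {sha1_hex(leaf_der)} is not in the profile "
            f"(profile lists: {listed})"
        )

    # plistlib returns <date> values as naive datetimes; profile dates are UTC.
    expires = profile.get("ExpirationDate")
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= (now or datetime.now(timezone.utc)):
            problems.append(f"profile expired on {expires.isoformat()}")
    return problems


# Constructed stand-ins for two DER certificates (not real certificates).
SAMPLE_SIGNING_CERT = b"\x30\x03constructed-distribution-cert"
SAMPLE_OTHER_CERT = b"\x30\x03constructed-older-cert"


def sample_profile(certs) -> bytes:
    """Build a constructed profile plist carrying only the keys checked above."""
    return plistlib.dumps({
        "Name": "macOS Distribution Profile",
        "DeveloperCertificates": list(certs),
        "ExpirationDate": datetime(2026, 3, 1, 0, 7, 4),
    })


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python3 check_profile.py profile.plist codesign0
        with open(sys.argv[1], "rb") as p, open(sys.argv[2], "rb") as c:
            found = check_profile(p.read(), c.read())
    else:
        # No arguments: run on the constructed mismatch case.
        found = check_profile(sample_profile([SAMPLE_OTHER_CERT]), SAMPLE_SIGNING_CERT)
    print("\n".join(found) or "profile authorises the signing certificate")
    sys.exit(1 if found else 0)
```

The fingerprints it prints can be compared directly with the hashes in the `security find-identity -v` listing to see which identity a profile was generated for.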

Thanks for the detailed commands! That really helped.

  1. I found the matching profile, copied it over to embedded.provisionprofile, resigned the executable & bundle, and uploaded using Transporter.
  2. Received "missing an application identifier" error and fixed it from https://developer.apple.com/forums/thread/748589?login=true and TestFlight, Provisioning Profiles, and the Mac App Store
  3. Uploaded & Validated w/ Transporter, but received an email about:
ITMS-91109: Invalid package contents - The package contains one or more files with the com.apple.quarantine extended file attribute, such as “com.chipcastle.pathmanager.pkg/Payload/PATHmanager.app/Contents/embedded.provisionprofile”. This attribute isn’t permitted in macOS apps distributed on TestFlight or the App Store. Please remove the attribute from all files within your app and upload again.
  4. Attempted to remove extended attributes as follows (sudo had no effect):
~/Desktop/distribution/PATHmanager.app/Contents
λ xattr embedded.provisionprofile                  
com.apple.macl

~/Desktop/distribution/PATHmanager.app/Contents
λ xattr -c embedded.provisionprofile               

~/Desktop/distribution/PATHmanager.app/Contents
λ xattr embedded.provisionprofile   
com.apple.macl

~/Desktop/distribution/PATHmanager.app/Contents
λ xattr -d com.apple.macl embedded.provisionprofile

~/Desktop/distribution/PATHmanager.app/Contents
λ xattr embedded.provisionprofile                  
com.apple.macl

~/Desktop/distribution/PATHmanager.app/Contents
λ ls -l@ embedded.provisionprofile                         
-rw-r--r--@ 1 chip  staff  12303 Feb 28 18:57 embedded.provisionprofile
	com.apple.macl	  72 

~/Desktop/distribution/PATHmanager.app/Contents
λ xattr -d com.apple.macl:72 embedded.provisionprofile
xattr: embedded.provisionprofile: No such xattr: com.apple.macl:72

~/Desktop/distribution/PATHmanager.app/Contents
λ sudo xattr -d com.apple.macl:72 embedded.provisionprofile     
Password:
xattr: embedded.provisionprofile: No such xattr: com.apple.macl:72

~/Desktop/distribution/PATHmanager.app/Contents
❮ sudo xattr -d com.apple.macl embedded.provisionprofile 

~/Desktop/distribution/PATHmanager.app/Contents
λ ls -l@ embedded.provisionprofile                    
-rw-r--r--@ 1 chip  staff  12303 Feb 28 18:57 embedded.provisionprofile
	com.apple.macl	  72 

I've had no trouble using xattr before, so not sure what's happening here. Suggestions are appreciated. Thanks in advance.


~/Desktop/distribution/PATHmanager.app/Contents
λ xattr -d com.apple.quarantine embedded.provisionprofile
xattr: embedded.provisionprofile: No such xattr: com.apple.quarantine
