Re-signing .app with a different team's (under same org) Developer ID Application identity

I am developing a macOS app that requires the Associated Domains entitlement. The app will be distributed as a custom app.

  1. The app needs to be signed using Team A’s Developer ID Application certificate and packaged under Team A’s Team ID.
  2. Team A has a secure signing and packaging setup, but they do not provide access to their Developer ID Application Identity (cert) or their provisioning profile.
  3. I am part of Team B and have access to Team B’s Developer ID Application identity and provisioning profiles.

I am thinking of doing the following:

  1. I create a provisioning profile under Team B that authorizes the Associated Domains entitlement.
  2. I sign the app using Team B’s Developer ID Application identity, ensuring the required entitlements are included.
  3. Then, I re-sign the app using Team A’s Developer ID Application identity, since Team A has also set up the same bundle ID with the Associated Domains entitlement and corresponding provisioning profile.

Questions:

  1. Is this approach correct, and does it have any drawbacks?
  2. Will the double signing process work without issues, given that Team A has the required provisioning profile for the same bundle ID?
  3. Are there better ways to handle this situation where signing must be done under Team A but access is limited?

Thanks!

Answered by DTS Engineer in 827395022

I don’t think this’ll work, at least not if I understand your suggestion correctly. I’ve included some general info at the bottom of this post, but I wanted to clarify a key point. You wrote:

2. Team A … do not provide access to their Developer ID Application Identity

but also:

3. I re-sign the app using Team A’s Developer ID Application identity

If Team A doesn’t provide you access to their signing credentials, how can you re-sign the app with their signing credentials?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


The Associated Domains entitlement must be authorised by a provisioning profile. That profile ties together a bunch of information. TN3125 Inside Code Signing: Provisioning Profiles has lots to say about this, but the critical point here is that the information includes the App ID.

An App ID is composed of two parts: the App ID prefix (on macOS this is always your Team ID) and the bundle ID. You’ve proposed to change the App ID prefix part without changing the bundle ID part. That won’t work. The Developer website ensures that the bundle ID part of your App ID is unique. If the other team has registered an App ID with that bundle ID, you won’t be able to register it in your team.
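As an added illustration (not code from the thread or from Apple), here is a check that mirrors the point above: the App ID prefix in a provisioning profile is a Team ID, so a profile issued to Team B cannot authorise a signature made with Team A's Developer ID identity, even though the bundle ID is the same. The profile plist, Team IDs and bundle ID are constructed placeholders; on a real app the inputs come from `security cms -D -i MyApp.app/Contents/embedded.provisionprofile` and the `TeamIdentifier=` line of `codesign -d -vv MyApp.app`.

```python
import plistlib

# Constructed sample: a decoded Developer ID profile issued to "Team B"
# (placeholder Team ID and bundle ID, not real values).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Name</key><string>Team B Developer ID profile</string>
  <key>TeamIdentifier</key><array><string>TEAMB00000</string></array>
  <key>Entitlements</key><dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMB00000.com.example.customapp</string>
    <key>com.apple.developer.team-identifier</key><string>TEAMB00000</string>
    <key>com.apple.developer.associated-domains</key>
    <array><string>applinks:example.com</string></array>
  </dict>
</dict></plist>"""


def check_profile(profile_bytes, signing_team_id, bundle_id, requested_entitlements):
    """Return a list of problems; an empty list means the profile can
    authorise an app with this bundle ID signed by this team."""
    profile = plistlib.loads(profile_bytes)
    ents = profile.get("Entitlements", {})
    app_id = ents.get("com.apple.application-identifier", "")
    # App ID = <Team ID prefix>.<bundle ID>
    prefix, _, profile_bundle = app_id.partition(".")
    problems = []
    # On macOS the prefix is the Team ID, so it must match the signing identity.
    if prefix != signing_team_id:
        problems.append(f"App ID prefix {prefix} != signing team {signing_team_id}")
    if signing_team_id not in profile.get("TeamIdentifier", []):
        problems.append(f"profile not issued to team {signing_team_id}")
    if profile_bundle != bundle_id:
        problems.append(f"profile bundle ID {profile_bundle} != app bundle ID {bundle_id}")
    # Every entitlement the app claims must also be granted by the profile.
    for key in requested_entitlements:
        if key not in ents:
            problems.append(f"entitlement {key} not authorised by profile")
    return problems


if __name__ == "__main__":
    wanted = ["com.apple.developer.associated-domains"]
    # Signed by Team B: consistent with the profile.
    print(check_profile(SAMPLE_PROFILE, "TEAMB00000", "com.example.customapp", wanted))
    # Re-signed with Team A's identity: the Team B profile no longer matches.
    print(check_profile(SAMPLE_PROFILE, "TEAMA00000", "com.example.customapp", wanted))
```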


> The Developer website ensures that the bundle ID part of your App ID is unique. If the other team has registered an App ID with that bundle ID, you won’t be able to register it in your team.

Oh yes, I almost missed it. Thanks for pointing this out.

> how can you re-sign the app with their signing credentials?

It is not difficult; we have a custom script hosted in a secured place. That script has access to the signing identity. We only execute the script, providing the .app path and the .entitlements path to it for code signing. It code signs and places the signed .app in a given folder.