I am responsible for the mobile app and thus also for the Apple Developer and App Store Connect accounts of a company.
An external freelancer developed a software package for us which we aim to offer for installation and use on macOS systems of our customers; distributed exclusively outside of the Apple App Store. The software package has nothing to do with the mobile app. macOS Gatekeeper currently warns our customers about, or even prevents, the installation of the package on their device; pretty much as described here: https://developer.apple.com/developer-id/.
According to a previous talk with Apple's support, the software package (.app) the freelancer developed must be signed with one of our own certificates. As we cannot grant selective App Store Connect access to third persons (only for the concerned certificates), we prefer not to provide access to our entire Apple Developer account to the freelancer, for the sole reason of the certificate & signing process. According to previous attempts with Apple's support regarding the most feasible solution in this case, they recommended that I manage the signing of the freelancer's package, and simply request the package from the freelancer.
I've thus generated a corresponding Developer ID certificate, but regarding the signing process, I'm confused. I know how signing works with mobile apps in Xcode, but regarding software that is not distributed through the App Store on macOS, I'm unsure about the process. Also, as far as I know, the entitlements of the application are involved in the signing process. So my concern is that simply having the software package (.app) from the freelancer is not really enough to complete the signing + notarization process? Won't I need further information about the app's entitlements etc.?
I would like to have a clear solution about the procedure that is required in these cases, as online documentation and/or forums as well as previous talks with your non-technical support from Apple did not resolve the issue.
You’re right to be careful about giving this freelancer full access to your Developer ID credentials. Those are precious, as I discuss in The Care and Feeding of Developer ID.
IMO the easiest path forward is:
1. Add your freelancer to your team as you would for iOS.
2. They’ll be able to do day-to-day development for your team, using an Apple Developer signing identity, just like they would on iOS.
3. When they’re done, have them do a Product > Archive and send you the resulting `.xcarchive`.
4. You can import that into your Xcode organiser.
5. And do Developer ID distribution from there.
This is a manual process but you can take various steps to automate it. Specifically:
- `xcodebuild` can do the equivalent of the Product > Archive in step 3.
- And it can also export from an archive, so you can automate the first part of step 5.
- Finally, `notarytool` lets you automate the second part of step 5. See Customizing the notarization workflow.
The beginning of Creating distribution-signed code for macOS has a quick summary of the `xcodebuild` automation.
Note: It then goes on to discuss manual code signing, but you shouldn’t need to do that if you’re developing a standard app in Xcode.
There’s an accompanying doc, Packaging Mac software for distribution, which may be more interesting to you. It talks about the steps after code signing, like packaging into a disk image and notarisation.
And if you have any follow-up questions, I’d be happy to answer them here.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
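
The export and notarization parts of step 5 in the answer above, run from the command line on the account holder's Mac against the `.xcarchive` received from the freelancer. This is an added example, not part of the original post or of Apple's documentation. The team ID, the keychain profile name (created beforehand with `xcrun notarytool store-credentials`), the app name, the paths and the helper names `run`, `write_export_options` and `distribute` are assumptions.

```shell
#!/bin/sh
# Added example: Developer ID export + notarization of a received .xcarchive.
# TEAM_ID, NOTARY_PROFILE, APP_NAME and all paths are placeholders (assumptions).
TEAM_ID="${TEAM_ID:-ABCDE12345}"            # placeholder team ID
NOTARY_PROFILE="${NOTARY_PROFILE:-notary}"  # profile saved with: xcrun notarytool store-credentials
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print the commands without running them

# Print a command, then execute it unless DRY_RUN=1.
run() {
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Write export options that request Developer ID distribution.
write_export_options() {
    cat > "$1" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key><string>developer-id</string>
    <key>teamID</key><string>$TEAM_ID</string>
</dict>
</plist>
EOF
}

# distribute ARCHIVE OUTDIR APPNAME
distribute() {
    archive=$1 out=$2 app="$2/$3.app"
    mkdir -p "$out" || return 1
    write_export_options "$out/ExportOptions.plist" || return 1
    # Show the entitlements the archived build carries, for review before export.
    run codesign -d --entitlements - "$archive/Products/Applications/$3.app" || return 1
    # Re-sign with the Developer ID identity in the local keychain and export the .app.
    run xcodebuild -exportArchive -archivePath "$archive" -exportPath "$out" \
        -exportOptionsPlist "$out/ExportOptions.plist" || return 1
    run codesign --verify --deep --strict --verbose=2 "$app" || return 1
    # notarytool accepts a zip, dmg or pkg; zip the app for submission.
    run ditto -c -k --keepParent "$app" "$out/$3.zip" || return 1
    run xcrun notarytool submit "$out/$3.zip" --keychain-profile "$NOTARY_PROFILE" --wait || return 1
    run xcrun stapler staple "$app" || return 1
    # Gatekeeper assessment of the stapled result.
    run spctl -a -t exec -vvv "$app"
}

# Runs only when ARCHIVE is set, e.g. ARCHIVE=~/Downloads/MyApp.xcarchive sh distribute.sh
if [ -n "${ARCHIVE:-}" ]; then
    distribute "$ARCHIVE" "${OUT_DIR:-./dist}" "${APP_NAME:-MyApp}"
fi
```

Running it once with `DRY_RUN=1` prints the seven commands without touching the signing identity or the notary service.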