Code signing for macOS - quick start version
Creating the App Store Connect API key
Signing macOS applications requires Apple Developer Program membership.
It is recommended to create a dedicated App Store Connect API key for Codemagic in App Store Connect. To do so:
- Log in to App Store Connect and navigate to Users and Access > Integrations » App Store Connect API.
- Click on the + sign to generate a new API key.
- Enter the name for the key and select an access level. We recommend choosing
App Manageraccess rights, read more about Apple Developer Program role permissions here. - Click Generate.
- As soon as the key is generated, you can see it added to the list of active keys. Click Download API Key to save the private key for later. Note that the key can only be downloaded once.
Automatic vs Manual code signing
Signing macOS apps requires a Signing certificate (App Store development or distribution certificate in .p12 format) and a Provisioning profile. In Manual code signing you save these files as Codemagic Environment variables and manually reference them in the appropriate build steps.
In Automatic code signing, Codemagic takes care of Certificate and Provisioning profile management for you. Based on the certificate private key that you provide, Codemagic will automatically fetch the correct certificate from the App Store or create a new one if necessary.
Certificate types
There are several certificate types you can choose to sign your macOS app, depending on the distribution method you plan to use.
MAC_APP_DEVELOPMENTcertificate allows you to build your app for internal testing and debugging.MAC_APP_DISTRIBUTIONcertificate is used to sign a Mac app before submitting it to the Mac App StoreMAC_INSTALLER_DISTRIBUTIONis used to sign and submit a Mac Installer Package to the Mac App StoreDEVELOPER_ID_APPLICATIONis used to sign a Mac app before distributing it outside the Mac App StoreDEVELOPER_ID_INSTALLERis used to sign a Mac Installer Package before distributing it outside the Mac App Store
For example, in order to publish to Mac App Store, the application must be signed with a Mac App Distribution certificate using a Mac App Store provisioning profile. If you want to create a .pkg Installer package, you must use a Mac Installer Distribution certificate.
Obtaining the certificate private key
To enable Codemagic to automatically fetch or create the correct signing certificate on your behalf, you need to provide the corresponding certificate private key. You then have to save that key as a Codemagic environment variable.
You can create a new 2048 bit RSA key by running the command below in your terminal:
ssh-keygen -t rsa -b 2048 -m PEM -f ~/Desktop/mac_distribution_private_key -q -N ""This new private key will be used to create a new Mac App Distribution certificate in your Apple Developer Program account if there isn’t one that already matches this private key.
- On the Mac which created the
Mac App Distributioncertificate, open the Keychain Access, located in the Applications and Utilities folder. - Select the appropriate certificate entry.
- Right-click on it to select “Export.”
- In the export prompt window that appears, make sure the file format is set to Personal Information Exchange (.p12)"**.
- Give the file a name such as “MAC_DISTRIBUTION”, choose a location and click Save.
- On the next prompt, leave the password empty and click OK.
- Use the following
opensslcommand to export the private key:
openssl pkcs12 -in MAC_DISTRIBUTION.p12 -nodes -nocerts | openssl rsa -out mac_distribution_private_key- When prompted for the import password, just press enter. The private key will be written to a file called mac_distribution_private_key in the directory where you ran the command.
Configuring environment variables
Open your Codemagic app settings, and go to the Environment variables tab.
Enter
CERTIFICATE_PRIVATE_KEYas the Variable name.Open the file
mac_distribution_private_keywith a text editor and copy the entire contents of the file, including the-----BEGIN RSA PRIVATE KEY-----and-----END RSA PRIVATE KEY-----tags. Alternatively, you can run the following command on the file:cat mac_distribution_private_key | pbcopyPaste into the Variable value field.
Enter a variable group name, e.g. appstore_credentials. Click the button to create the group.
Make sure the Secure option is selected so that the variable can be protected by encryption.
Click the Add button to add the variable.
Run the following command on the App Store Connect API key file that you downloaded earlier (in our example saved as
codemagic_api_key.p8) to copy its content to clipboard:cat codemagic_api_key.p8 | pbcopyCreate a new Environment variable
APP_STORE_CONNECT_PRIVATE_KEYand paste the value from clipboard.Create variable
APP_STORE_CONNECT_KEY_IDENTIFIER. The value is the Key ID field from App Store Connect > Users and Access > Keys.Create variable
APP_STORE_CONNECT_ISSUER_ID. The value is the Issuer ID field from App Store Connect > Users and Access > Keys.
Environment variables have to be added to the workflow either individually or as a group. Modify your codemagic.yaml file by adding the following:
workflows:
macos-workflow:
name: macOS Workflow
environment:
groups:
- appstore_credentialsAutomatic code signing
To code sign the app, add the following commands in the scripts section of the configuration file, after all the dependencies are installed, right before the build commands.
scripts:
- name: Set up keychain to be used for code signing using Codemagic CLI 'keychain' command
script: keychain initialize
- name: Fetch signing files
script: |
app-store-connect fetch-signing-files "$BUNDLE_ID" \
--platform MAC_OS \
--type MAC_APP_STORE \
--create
- name: Fetch Mac Installer Distribution certificates
script: |
app-store-connect certificates list --type MAC_APP_DISTRIBUTION --save || \
app-store-connect certificates create --type MAC_APP_DISTRIBUTION --save
- name: Set up signing certificate
script: keychain add-certificates
- name: Set up code signing settings on Xcode project
script: xcode-project use-profilesInstead of specifying the exact bundle ID, you can use "$(xcode-project detect-bundle-id)".
Based on the specified bundle ID and provisioning profile type, Codemagic will fetch or create the relevant provisioning profile and certificate to code sign the build.
Creating the Installer package
To package your application into an .pkg Installer package and sign it with the Mac Installer Distribution certificate, use the following script:
scripts:
- name: Package application
script: |
set -x
# Command to find the path to your generated app, may be different
APP_NAME=$(find $(pwd) -name "*.app")
cd $(dirname "$APP_NAME")
PACKAGE_NAME=$(basename "$APP_NAME" .app).pkg
xcrun productbuild --component "$APP_NAME" /Applications/ unsigned.pkg # Create and unsigned package
# Find the installer certificate common name in keychain
INSTALLER_CERT_NAME=$(keychain list-certificates \
| jq '.[]
| select(.common_name
| contains("Mac Developer Installer"))
| .common_name' \
| xargs)
xcrun productsign --sign "$INSTALLER_CERT_NAME" unsigned.pkg "$PACKAGE_NAME" # Sign the package
rm -f unsigned.pkg # Optionally remove the not needed unsigned packageNotarizing macOS applications
Notarization is a process where Apple verifies your application to make sure it has a Developer ID code signature and does not contain malicious content. All apps distributed outside the Mac App Store have to be notarized.
Notarizing an app during the Codemagic build process is possible using the altool command as follows:
xcrun altool --notarize-app -f <file> --primary-bundle-id <bundle_id>
{-u <username> [-p <password>] | --apiKey <api_key> --apiIssuer <issuer_id>}
[--asc-provider <name> | --team-id <id> | --asc-public-id <id>]