# Signing macOS apps

> How to set up macOS code signing in codemagic.yaml



All macOS applications have to be digitally signed before they can be installed on devices or made available to the public via the Mac App Store or outside of the Mac App Store.



> 
> This guide only applies to workflows configured with the **codemagic.yaml**. If your workflow is configured with **Flutter workflow editor** please go to [Signing macOS apps using the Flutter workflow editor](../code-signing/macos-code-signing).
> 



## Automatic vs Manual code signing



> 
> Signing macOS applications requires [Apple Developer Program](https://developer.apple.com/programs/enroll/) membership. 
> 



Signing macOS apps requires a `Signing certificate` (App Store **development** or **distribution** certificate in `.p12` format) and a `Provisioning profile`. In **Manual code signing** you save these files as Codemagic `Environment variables` and manually reference them in the appropriate build steps.

In **Automatic code signing**, Codemagic takes care of Certificate and Provisioning profile management for you. Based on the `certificate private key` that you provide, Codemagic will automatically fetch the correct certificate from the App Store or create a new one if necessary.

## Certificate types
There are several certificate types you can choose to sign your macOS app, depending on the distribution method you plan to use.

- `MAC_APP_DEVELOPMENT` certificate allows you to build your app for internal testing and debugging.
- `MAC_APP_DISTRIBUTION` certificate is used to sign a Mac app before submitting it to the Mac App Store.
- `MAC_INSTALLER_DISTRIBUTION` certificate is used to sign and submit a Mac Installer Package to the Mac App Store.
- `DEVELOPER_ID_APPLICATION` certificate is used to sign a Mac app before distributing it outside the Mac App Store.
- `DEVELOPER_ID_INSTALLER` certificate is used to sign a Mac Installer Package before distributing it outside the Mac App Store.

For example, in order to publish to Mac App Store, the application must be signed with a `Mac App Distribution` certificate using a `Mac App Store` provisioning profile. If you want to create a `.pkg` Installer package, you must use a `Mac Installer Distribution` certificate.

## Obtaining the certificate private key

To enable Codemagic to automatically fetch or create the correct signing certificate on your behalf, you need to provide the corresponding `certificate private key`. You then have to save that key as a Codemagic environment variable.






### Option: Create a new key



You can create a new 2048 bit RSA key by running the command below in your terminal:


```Shell
ssh-keygen -t rsa -b 2048 -m PEM -f ~/Desktop/mac_distribution_private_key -q -N ""
```


This new private key will be used to create a new Mac App Distribution certificate in your Apple Developer Program account if there isn't one that already matches this private key.





### Option: Use an existing key


1. On the Mac which created the `Mac App Distribution` certificate, open **Keychain Access**, located in the **Applications** > **Utilities** folder.
2. Select the appropriate certificate entry.
3. Right-click on it to select "Export."
4. In the export prompt window that appears, make sure the file format is set to **Personal Information Exchange (.p12)**.
5. Give the file a name such as "MAC_DISTRIBUTION", choose a location and click **Save**.
6. On the next prompt, leave the password empty and click **OK**.
7. Use the following `openssl` command to export the private key:


```Shell
openssl pkcs12 -in MAC_DISTRIBUTION.p12 -nodes -nocerts | openssl rsa -out mac_distribution_private_key
```


8. When prompted for the import password, just press enter. The private key will be written to a file called **mac_distribution_private_key** in the directory where you ran the command.
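Before the exported key is stored as a Codemagic secret, it is worth confirming that it really is the private key of the certificate it came out of, because a key that belongs to a different certificate only fails later, inside the build. The script below is an added example and not part of the Codemagic docs or CLI: it wraps the extraction command above in a non-interactive function and compares the public key of the exported key with the public key in the certificate. The demo `.p12`, the password `demo-import-pass` and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Codemagic docs: before storing an exported key
# as CERTIFICATE_PRIVATE_KEY, confirm it really belongs to the certificate it was
# exported with. Both sides are reduced to the SHA-256 of their public key
# (SubjectPublicKeyInfo) and compared. All file names here are demo assumptions.
set -eu

# SHA-256 of the public key derived from a PEM private key (PKCS#1 or PKCS#8).
pubkey_fp_from_key() {
  openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key carried in a PEM certificate.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when key and certificate share a public key, 1 otherwise.
key_matches_cert() {
  [ "$(pubkey_fp_from_key "$1")" = "$(pubkey_fp_from_cert "$2")" ]
}

# The docs' extraction pipeline, made non-interactive: P12 OUT [PASSWORD].
# A Keychain Access export saved with an empty password uses the default.
extract_key_from_p12() {
  openssl pkcs12 -in "$1" -nodes -nocerts -passin "pass:${3:-}" 2>/dev/null \
    | openssl rsa -out "$2" 2>/dev/null
}

# Constructed demo data standing in for a Keychain export: a throwaway RSA key,
# a self-signed certificate for it and a .p12 bundling both.
make_demo_p12() {
  dir=$(mktemp -d)
  openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=demo" -days 1 \
    -out "$dir/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
    -passout pass:demo-import-pass -out "$dir/demo.p12" 2>/dev/null
  echo "$dir"
}

# Stand-alone run: extract, then verify against the certificate from the .p12.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_demo_p12)
  extract_key_from_p12 "$d/demo.p12" "$d/mac_distribution_private_key" demo-import-pass
  key_matches_cert "$d/mac_distribution_private_key" "$d/cert.pem" \
    && echo "key matches certificate" || echo "MISMATCH: do not upload this key"
fi
```

For a real export, point `key_matches_cert` at `mac_distribution_private_key` and at the certificate PEM (`openssl pkcs12 -in MAC_DISTRIBUTION.p12 -nokeys -clcerts` prints it); a mismatch means the wrong entry was exported from Keychain Access.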






## Automatic code signing

When automatic code signing is used, the most up-to-date signing files are obtained directly from Apple at build time. This requires that Codemagic has access to your Apple Developer portal account, which is achieved by using an App Store Connect API key.

### Creating the App Store Connect API key

It is recommended to create a dedicated App Store Connect API key for Codemagic in [App Store Connect](https://appstoreconnect.apple.com/access/integrations/api). To do so:

1. Log in to App Store Connect and navigate to **Users and Access > Integrations > App Store Connect API**.
2. Click on the + sign to generate a new API key.
3. Enter the name for the key and select an access level. We recommend choosing `App Manager` access rights, read more about Apple Developer Program role permissions [here](https://help.apple.com/app-store-connect/#/deve5f9a89d7).
4. Click **Generate**.
5. As soon as the key is generated, you can see it added to the list of active keys. Click **Download API Key** to save the private key for later. Note that the key can only be downloaded once.



> 
> Take note of the **Issuer ID** above the table of active keys as well as the **Key ID** of the generated key as these will be required when setting up the Apple Developer Portal integration in the Codemagic UI.
> 




### Configuring environment variables

Provisioning profiles and code signing certificates are obtained from Apple Developer portal with the command [`app-store-connect fetch-signing-files`](https://github.com/codemagic-ci-cd/cli-tools/blob/master/docs/app-store-connect/fetch-signing-files.md#fetch-signing-files). App Store Connect API key information can be passed to it via environment variables [`APP_STORE_CONNECT_KEY_IDENTIFIER`](https://github.com/codemagic-ci-cd/cli-tools/blob/master/docs/app-store-connect/fetch-signing-files.md#--key-idkey_identifier), [`APP_STORE_CONNECT_ISSUER_ID`](https://github.com/codemagic-ci-cd/cli-tools/blob/master/docs/app-store-connect/fetch-signing-files.md#--issuer-idissuer_id), [`APP_STORE_CONNECT_PRIVATE_KEY`](https://github.com/codemagic-ci-cd/cli-tools/blob/master/docs/app-store-connect/fetch-signing-files.md#--private-keyprivate_key).






### Option: Use App Store Connect integration

The Apple Developer Portal integration can be enabled in the **Team integrations** section in your team settings (if you're a team admin). This allows you to conveniently use the same access credentials for automatic code signing and publishing across different apps and workflows.

1. In the list of available integrations, click the **Connect** button for **Developer Portal**.
2. In the **App Store Connect API key name**, provide a name for the key you are going to set up the integration with. This is for identifying the key in Codemagic.
3. Enter the **Issuer ID** related to your Apple Developer account. You can find it above the table of active keys on the Integrations tab of the [Users and Access](https://appstoreconnect.apple.com/access/integrations/api) page.
4. Enter the **Key ID** of the key to be used for code signing.
5. In the **API key** field, upload the private API key downloaded from App Store Connect.
6. Click **Save** to finish the setup.

If you work with multiple Apple Developer teams, you can add additional keys by clicking **Add another key** right after adding the first key and repeating the steps described above. You can delete existing keys or add new ones by clicking **Manage keys** next to the Developer Portal integration in your personal account or team settings.


The integration takes care of App Store Connect API authentication, but the certificate private key still has to be provided separately. For this, the additional environment variable [`CERTIFICATE_PRIVATE_KEY`](https://github.com/codemagic-ci-cd/cli-tools/blob/master/docs/app-store-connect/fetch-signing-files.md#--certificate-keyprivate_key) has to be defined.

1. Open your Codemagic app settings, and go to the **Environment variables** tab.
2. Enter `CERTIFICATE_PRIVATE_KEY` as the **_Variable name_**.
3. Open the file `mac_distribution_private_key` with a text editor and copy the **entire contents** of the file, including the `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----` lines. Alternatively, you can copy it to the clipboard by running the following command on the file:


```Shell
cat mac_distribution_private_key | pbcopy
```


4. Paste into the **_Variable value_** field.
5. Enter a variable group name, e.g. **_code-signing_**. Click the button to create the group.
6. Make sure the **Secret** option is selected so that the variable can be protected by encryption.
7. Click the **Add** button to add the variable.

In your workflow you can now simply use the following to ensure that all variables are readily available during build:


```yaml
workflows:
  macos-workflow:
    environment:
      groups:
        - code-signing
    integrations:
      app_store_connect: <App Store Connect API key name>
```


This will expose necessary environment variables during the build.






### Option: Define environment variables by yourself
