Discrepancy in certificate common name for macOS App Signing

[vincent-herlemont]

If you are looking for help, please confirm the following...

• I confirm I have searched the Docs, Codemagic Sample Projects, and GitHub Discussions.
• I confirm the software versions on my local computer match the ones in CI environment (e.g. Xcode version, Gradle version). See here
• I confirm I am able to do a fresh clone of the repository and build the project on my local computer.

Which mobile framework are you using?

Flutter (Dart)

Steps to reproduce

I followed the instructions from this documentation with the Automatic signature system to create a MacOS app with Flutter, just to test Code Magic and its integration.

In the conclusion, there is this code:

          # Find the installer certificate common name in keychain
          INSTALLER_CERT_NAME=$(keychain list-certificates \
            | jq '.[]
            | select(.common_name
            | contains("Mac Developer Installer"))
            | .common_name' \
            | xargs)

This means that the common_name field must contain the string Mac Developer Installer, but that is not the case for me.

Here is the result of the keychain list-certificates command in the CodeMagic CI

> keychain list-certificates | jq
[
  {
    "common_name": "Apple Distribution: Vincent Herlemont (...)",
    "extensions": [
      "basicConstraints",
      "authorityKeyIdentifier",
      "authorityInfoAccess",
      "certificatePolicies",
      "extendedKeyUsage",
      "subjectKeyIdentifier",
      "keyUsage",
      "Unknown OID",
      "Unknown OID"
    ],
    "has_expired": false,
    "is_development_certificate": false,
    "issuer": {
      "C": "US",
      "CN": "Apple Worldwide Developer Relations Certification Authority",
      "O": "Apple Inc.",
      "OU": "G3"
    },
    "not_after": "...",
    "not_before": "...",
    "serial": ...,
    "subject": {
      "C": "US",
      "CN": "Apple Distribution: Vincent Herlemont (...)",
      "O": "Vincent Herlemont",
      "OU": "...",
      "UID": "..."
    }
  }
]

We see that the .common_name field contains Apple Distribution instead of Mac Developer Installer from the Code Magic example. Why is this? And what impact could this have?

Expected results

The env varibles INSTALLER_CERT_NAME should be filled.

Actual results

The CI fail: The env varibles INSTALLER_CERT_NAME is empty.

Build id (optional)

66a2849f89f6667f00c441e1

[vincent-herlemont]

If I use the common_name with the Apple Distribution... certificate to fill the INSTALLER_CERT_NAME variable, I get the following error, which proves that something hasn't been configured properly.

productsign: error: Could not find appropriate signing identity for “Apple Distribution: Vincent Herlemont (...)”. An installer signing identity (not an application signing identity) is required for signing flat-style products.

Do you have any suggestions?

Related thread: https://stackoverflow.com/a/69048270 / https://forums.developer.apple.com/forums/thread/665901: The solution found there is to add the "3rd Party Mac Developer Installer" certificate. However, this should be added automatically by Code Magic with the use of the app-store-connect fetch-signing-files ... --create tool, right?

Build ID: 66a39fa8dd251d2f0281a449

[vincent-herlemont]

For previous posts, I generated the certificate private key with the following documentation Obtaining the certificate private key.

You an create a new 2048 bit RSA key by running the command below in your terminal:

 ssh-keygen -t rsa -b 2048 -m PEM -f ~/Desktop/mac_distribution_private_key -q -N ""

This new private key will be used to create a new Mac App Distribution certificate in your Apple Developer Program account if there isn’t one that already matches this private key.

When this documentation says that this new private key will be used to create the new "Mac App Distribution certificate," we agree that it's automatic, right? Because the following line given in your example seems to create the certificates (I found the detailed documentation here cli-tools/app-store-connect/certificates/create):

app-store-connect certificates create --type MAC_INSTALLER_DISTRIBUTION --save

However, this does not seem to work correctly because the certificates created are "Enterprise Distribution Certificates" and not "Mac Installer Distribution Certificates." How is this possible? Do you have any leads?

[dtrdic]

Note: Resolved over Intercom chat

There were two concerns:

1. Why was the distribution certificate created?

Answer: The distribution certificate was created due to the command app-store-connect fetch-signing-files "$BUNDLE_ID" --platform MAC_OS --type MAC_APP_STORE --create in the previous step.

2. Why was the Mac installer certificate not created, even though the user ran the commands to automatically create it if missing?

Answer: The command app-store-connect certificates list --type MAC_INSTALLER_DISTRIBUTION --save exits with a successful status code 0 even if no certificates were found for the given private key. As a result, the subsequent command app-store-connect certificates create --type MAC_INSTALLER_DISTRIBUTION --save was never executed.
The workaround was to comment out the first command:
# app-store-connect certificates list --type MAC_INSTALLER_DISTRIBUTION --save
Then, let the create command run to create the certificate:
app-store-connect certificates create --type MAC_INSTALLER_DISTRIBUTION --save