Tags: xcode, macos, code-signing, xcodebuild, xcode-bots

Exporting a Developer-ID-signed app bundle with Xcode 9


I'm trying to export a Developer-ID-signed app bundle from a post-build trigger in a bot on Xcode 9.1, but I can't get it to pass through Gatekeeper without having to use the right-click-in-Finder workaround.

As suggested by this answer, I tried running codesign -dvv /path/to/my.app and I get this output (server and team IDs have been *'d out):

Executable=/path/to/my.app/Contents/MacOS/myapp
Identifier=com.abbey-code.myapp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=29403 flags=0x0(none) hashes=911+5 location=embedded
Signature size=4630
Authority=Mac Developer: OS X Server (**********)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 20, 2017, 5:48:21 PM
Info.plist entries=35
TeamIdentifier=**********
Sealed Resources version=2 rules=13 files=141
Internal requirements count=1 size=184

The answer above suggests I should see Developer ID Certification Authority, but I only see "Mac Developer" as the root authority. I'm invoking xcodebuild with these arguments:

xcodebuild -verbose -exportArchive -exportOptionsPlist exportOptions.plist -archivePath /path/to/xcarchive -exportPath /path/to/place/exported/appbundle

My exportOptions.plist looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>mac-application</string>
    <key>signingCertificate</key>
    <string>Developer ID Application</string>
    <key>signingStyle</key>
    <string>automatic</string>
</dict>
</plist>

My bot is signed into my developer account, and is set to manage certificates automatically. I have also tried launching Xcode on the server, signing into my account, downloading a Developer ID certificate, and clicking the "Add to Server" button from the Edit Bot sheet.

What am I doing wrong?


Solution

  • My export options plist was incorrect. I was able to use the following successfully:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
        <key>method</key>
        <string>developer-id</string>
        <key>signingStyle</key>
        <string>automatic</string>
    </dict>
    </plist>
    

    I can confirm that manually adding the Developer ID certificate to the server in the Bot configuration is required for this to work. For some reason, it doesn't automatically acquire that one.
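A post-export check that catches the mismatch described in the question and answer, as an added example that is not part of the original post: it reads the output of codesign -dvv and fails unless the leaf Authority is a "Developer ID Application" certificate chained through "Developer ID Certification Authority", then asks Gatekeeper directly with spctl. The two sample outputs are constructed to mirror the question (team IDs replaced with XXXXXXXXXX, the signer name "Example Corp" is hypothetical) so the check can be exercised without a real bundle.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Verifies that an exported .app carries a Developer ID signature rather than a
# "Mac Developer" development signature, which Gatekeeper will not accept.

# check_developer_id reads `codesign -dvv` output on stdin.
# Returns 0 when the leaf certificate is "Developer ID Application: ..." and the
# chain contains "Developer ID Certification Authority"; returns 1 otherwise.
check_developer_id() {
    out=$(cat)
    # The first Authority= line is the leaf (signing) certificate.
    leaf=$(printf '%s\n' "$out" | grep '^Authority=' | head -n 1 | sed 's/^Authority=//')
    case "$leaf" in
        "Developer ID Application: "*) ;;
        *)
            printf 'leaf certificate is "%s", not a Developer ID Application certificate\n' "$leaf" >&2
            return 1
            ;;
    esac
    if ! printf '%s\n' "$out" | grep -q '^Authority=Developer ID Certification Authority$'; then
        printf 'chain does not pass through Developer ID Certification Authority\n' >&2
        return 1
    fi
    return 0
}

# verify_app runs the check against a real bundle, then asks Gatekeeper itself.
# codesign prints its -dvv report on stderr, hence the 2>&1.
verify_app() {
    app="$1"
    codesign -dvv "$app" 2>&1 | check_developer_id || return 1
    spctl --assess --type execute --verbose "$app"
}

# Constructed sample: development-signed, as in the question's codesign output.
DEV_SIGNED='Identifier=com.example.myapp
Authority=Mac Developer: OS X Server (XXXXXXXXXX)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=XXXXXXXXXX'

# Constructed sample: the chain expected after a method=developer-id export.
DEVID_SIGNED='Identifier=com.example.myapp
Authority=Developer ID Application: Example Corp (XXXXXXXXXX)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=XXXXXXXXXX'

# Usage: ./check-signing.sh /path/to/exported/my.app
if [ -n "$1" ]; then
    verify_app "$1"
fi
```

Run it from the bot's post-build trigger against the exported bundle; a non-zero exit means the export used a development certificate (or no Developer ID chain at all) and the build should not be published, regardless of what the export options plist claims.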