Add macOS Mac App Store build instructions to README.md

This commit introduces a new section in the README.md detailing the process for building and signing a macOS package for the Mac App Store. It includes requirements for Apple Developer accounts, a manual setup guide for certificates and provisioning profiles, and a command to build the signed upload package. Additionally, it provides instructions for uploading the package to App Store Connect for review.

build_tools/macos/check_signing_identities.sh

@@ -0,0 +1,146 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# macOS signing identity sanity check for:
+# - Developer ID (outside Mac App Store)
+# - Mac App Store (Apple Distribution + 3rd Party Mac Developer Installer)
+
+ts() { date +"%H:%M:%S"; }
+
+if [[ "$(uname -s)" != "Darwin" ]]; then
+  echo "Error: This script is for macOS only." >&2
+  exit 1
+fi
+
+echo "==> [$(ts)] Strawberry macOS signing identity check"
+echo "==> [$(ts)] Host: $(sw_vers -productName 2>/dev/null || true) $(sw_vers -productVersion 2>/dev/null || true)"
+echo
+
+echo "==> [$(ts)] Keychains searched by 'security' (user)"
+security list-keychains -d user || true
+echo
+
+echo "==> [$(ts)] Valid code signing identities (must include private key)"
+codesigning_out="$(security find-identity -p codesigning -v 2>&1 || true)"
+echo "$codesigning_out"
+echo
+
+echo "==> [$(ts)] Valid installer/pkg identities (must include private key)"
+basic_out="$(security find-identity -p basic -v 2>&1 || true)"
+echo "$basic_out"
+echo
+
+echo "==> [$(ts)] Note"
+cat <<'EOF'
+- Apple uses multiple certificate types. The "basic" identity list can include certificates that are not usable
+  for signing a Mac App Store upload package.
+- For App Store Connect uploads via .pkg, you typically need an *Installer* identity (e.g. "3rd Party Mac Developer Installer"
+  or "Mac Installer Distribution") and it must have a private key on this Mac.
+EOF
+echo
+
+list_cert_labels() {
+  local query="$1"
+  # Extract "labl" lines like: "labl"<blob>="Apple Distribution: ..."
+  security find-certificate -a -c "$query" 2>/dev/null \
+    | sed -n 's/.*"labl"<blob>="\(.*\)".*/\1/p' \
+    | sort -u
+}
+
+check_label_in_identities() {
+  local label="$1"
+  local out="$2"
+  if echo "$out" | grep -Fq "$label"; then
+    echo "YES"
+  else
+    echo "NO"
+  fi
+}
+
+check_label_in_installer_identities() {
+  local label="$1"
+  local out="$2"
+  # Only treat as installer-capable if the cert label itself is an installer cert.
+  case "$label" in
+    *Installer*|*installer*) ;;
+    *) echo "NO"; return 0 ;;
+  esac
+  if echo "$out" | grep -Fq "$label"; then
+    echo "YES"
+  else
+    echo "NO"
+  fi
+}
+
+print_section() {
+  local title="$1"
+  shift
+  local queries=("$@")
+
+  echo "==> [$(ts)] ${title}"
+  local any=0
+
+  local q
+  for q in "${queries[@]}"; do
+    local labels
+    labels="$(list_cert_labels "$q" || true)"
+    if [[ -z "$labels" ]]; then
+      continue
+    fi
+    any=1
+    while IFS= read -r label; do
+      [[ -z "$label" ]] && continue
+      local in_codesign in_basic
+      in_codesign="$(check_label_in_identities "$label" "$codesigning_out")"
+      in_basic="$(check_label_in_installer_identities "$label" "$basic_out")"
+      printf -- "- %s\n" "$label"
+      printf -- "  - codesigning identity: %s\n" "$in_codesign"
+      printf -- "  - installer identity:   %s\n" "$in_basic"
+      if [[ "$in_codesign" == "NO" && "$in_basic" == "NO" ]]; then
+        printf -- "  - note: certificate exists, but it is NOT a usable identity on this Mac (almost always missing private key)\n"
+      fi
+    done <<<"$labels"
+  done
+
+  if [[ "$any" -eq 0 ]]; then
+    echo "(no matching certificates found)"
+  fi
+  echo
+}
+
+print_section "Expected for Developer ID (outside Mac App Store)" \
+  "Developer ID Application" \
+  "Developer ID Installer"
+
+print_section "Expected for Mac App Store submissions" \
+  "Apple Distribution" \
+  "Mac App Distribution" \
+  "3rd Party Mac Developer Application" \
+  "3rd Party Mac Developer Installer" \
+  "Mac Installer Distribution"
+
+echo "==> [$(ts)] Quick interpretation"
+cat <<'EOF'
+- If a certificate label appears above, but both:
+    - codesigning identity: NO
+    - installer identity:   NO
+  then the certificate is present but NOT usable for signing on this Mac.
+  The most common cause is: the private key is missing.
+
+Fix:
+- Open Keychain Access → login → "My Certificates"
+- Expand the certificate. You must see a private key underneath it.
+- If there is no private key:
+  - Recreate the certificate on this Mac via Xcode (Accounts → Manage Certificates), OR
+  - Import a .p12 that includes the private key from the machine where it was created.
+EOF
+echo
+
+echo "==> [$(ts)] Provisioning profiles (Mac App Store builds require one)"
+prof_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
+if [[ -d "${prof_dir}" ]]; then
+  ls -la "${prof_dir}" | head -n 50
+else
+  echo "(none found at '${prof_dir}')"
+fi
+