strawberry/build_tools/macos/README_MAS.md

Mac App Store (MAS) submission guide (manual steps)

This repo supports a Mac App Store build mode (BUILD_FOR_MAC_APP_STORE=ON) and includes scripts to build a signed upload .pkg.

If you’re blocked because security find-identity only shows Developer ID and not Apple Distribution / Installer, follow the steps below.

---

Open Keychain Access (macOS “hidden” Utilities)

Any of these work:

• Spotlight: press ⌘ + Space → type Keychain Access → Enter
• Finder: Applications → Utilities → Keychain Access
• Terminal:

open -a "Keychain Access"

---

The core issue: certificate exists but is not a usable identity

If you see certificates like:

• Apple Distribution: ...
• 3rd Party Mac Developer Installer: ...

but security find-identity does not list them, then the certificate is present but the private key is missing (or not paired / in the wrong keychain).

You can confirm with:

./build_tools/macos/check_signing_identities.sh

---

Step 1 — Create the private keys on this Mac (CSR)

1. Open Keychain Access
2. Menu: Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority…
3. Fill:
   • User Email Address: your Apple ID email
   • Common Name: e.g. Dry Ark LLC (any label is fine)
   • CA Email Address: leave blank
   • Select: Saved to disk
4. Save the CSR (.certSigningRequest) somewhere safe

This CSR step is what creates the private key locally in your login keychain.

---

Step 2 — Create + download the certificates (Apple Developer portal)

In Apple Developer → Certificates, Identifiers & Profiles → Certificates → +:

• Create Apple Distribution (use the CSR you just made)
• Create Mac Installer Distribution (or “3rd Party Mac Developer Installer”, wording varies) (use a CSR)

Download the resulting .cer files.

---

Step 3 — Install certificates into your login keychain

Double-click each downloaded .cer to install it.

Then in Keychain Access → login → My Certificates:

• Find Apple Distribution: ... and expand it
  • You must see a private key under it.
• Find ... Installer ... and expand it
  • You must see a private key under it.

If there’s no private key under the certificate, it will not be usable for signing on this Mac.

---

Step 4 — Verify identities from the CLI

security find-identity -p codesigning -v
security find-identity -p basic -v
./build_tools/macos/check_signing_identities.sh

Expected:

• Apple Distribution: ... shows up under codesigning
• ... Installer ... shows up as an installer identity (used to sign upload .pkg)

---

Step 5 — Create + install the provisioning profile (Mac App Store)

In Apple Developer → Profiles → +:

• Platform: macOS
• Type: Mac App Store
• App ID: com.dryark.strawberry (or your own bundle id)
• Select the Apple Distribution certificate
• Generate + Download

Install it by double-clicking it, or place it under:

~/Library/MobileDevice/Provisioning Profiles/

---

Step 6 — Build the signed upload package (.pkg)

This repo provides:

• build_tools/macos/build_mas_pkg.sh (build → deploy → embed profile → sign → productbuild)

Example:

./build_tools/macos/build_mas_pkg.sh --run --release --clean \
  --codesign-identity "Apple Distribution: Dry Ark LLC (7628766FL2)" \
  --installer-identity "3rd Party Mac Developer Installer: Dry Ark LLC (7628766FL2)" \
  --provisionprofile "$HOME/Library/MobileDevice/Provisioning Profiles/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX.provisionprofile"

Outputs:

• cmake-build-macos-release-mas/strawberry.app
• cmake-build-macos-release-mas/strawberry-mas.pkg

---

Step 7 — Upload + submit for review

• Upload the .pkg using Apple’s Transporter app (App Store Connect).
• In App Store Connect, wait for processing, select the build, then Submit for Review.