dryark/strawberry
2
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
a30b4c1ac22e361c2fc3080b8ba85bf92f12d7df
strawberry/build_tools/macos/check_signing_identities.sh
David Helkowski a30b4c1ac2
Some checks failed
Build / Build openSUSE (leap:15.6) (push) Has been cancelled
Details
Build / Build openSUSE (leap:16.0) (push) Has been cancelled
Details
Build / Build openSUSE (tumbleweed) (push) Has been cancelled
Details
Build / Build Fedora (42) (push) Has been cancelled
Details
Build / Build Fedora (43) (push) Has been cancelled
Details
Build / Build Fedora (44) (push) Has been cancelled
Details
Build / Build OpenMandriva (cooker) (push) Has been cancelled
Details
Build / Build Mageia (9) (push) Has been cancelled
Details
Build / Build Debian (bookworm) (push) Has been cancelled
Details
Build / Build Debian (forky) (push) Has been cancelled
Details
Build / Build Debian (trixie) (push) Has been cancelled
Details
Build / Build Ubuntu (noble) (push) Has been cancelled
Details
Build / Build Ubuntu (questing) (push) Has been cancelled
Details
Build / Build Ubuntu (resolute) (push) Has been cancelled
Details
Build / Upload Ubuntu PPA (noble) (push) Has been cancelled
Details
Build / Upload Ubuntu PPA (questing) (push) Has been cancelled
Details
Build / Upload Ubuntu PPA (resolute) (push) Has been cancelled
Details
Build / Build FreeBSD (push) Has been cancelled
Details
Build / Build OpenBSD (push) Has been cancelled
Details
Build / Build macOS Public (release, macos-15) (push) Has been cancelled
Details
Build / Build macOS Public (release, macos-15-intel) (push) Has been cancelled
Details
Build / Build macOS Private (release, macos-arm64) (push) Has been cancelled
Details
Build / Build Windows MinGW (i686, debug) (push) Has been cancelled
Details
Build / Build Windows MinGW (i686, release) (push) Has been cancelled
Details
Build / Build Windows MinGW (x86_64, debug) (push) Has been cancelled
Details
Build / Build Windows MinGW (x86_64, release) (push) Has been cancelled
Details
Build / Build Windows MSVC (arm64, debug, arm64 debug, windows-11-arm) (push) Has been cancelled
Details
Build / Build Windows MSVC (arm64, release, arm64 release, windows-11-arm) (push) Has been cancelled
Details
Build / Build Windows MSVC (x86, debug, x86 debug, windows-2022) (push) Has been cancelled
Details
Build / Build Windows MSVC (x86, release, x86 release, windows-2022) (push) Has been cancelled
Details
Build / Build Windows MSVC (x86_64, debug, x86_64 debug, windows-2022) (push) Has been cancelled
Details
Build / Build Windows MSVC (x86_64, release, x86_64 release, windows-2022) (push) Has been cancelled
Details
Build / Upload (push) Has been cancelled
Details
Build / Attach to release (push) Has been cancelled
Details
Add macOS Mac App Store build instructions to README.md 
This commit introduces a new section in the README.md detailing the process for building and signing a macOS package for the Mac App Store. It includes requirements for Apple Developer accounts, a manual setup guide for certificates and provisioning profiles, and a command to build the signed upload package. Additionally, it provides instructions for uploading the package to App Store Connect for review.
2026-01-22 20:07:00 +09:00

147 lines
4.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
set -euo pipefail
# macOS signing identity sanity check for:
# - Developer ID (outside Mac App Store)
# - Mac App Store (Apple Distribution + 3rd Party Mac Developer Installer)
ts() { date +"%H:%M:%S"; }
if [[ "$(uname -s)" != "Darwin" ]]; then
echo "Error: This script is for macOS only." >&2
exit 1
fi
echo "==> [$(ts)] Strawberry macOS signing identity check"
echo "==> [$(ts)] Host: $(sw_vers -productName 2>/dev/null || true) $(sw_vers -productVersion 2>/dev/null || true)"
echo
echo "==> [$(ts)] Keychains searched by 'security' (user)"
security list-keychains -d user || true
echo
echo "==> [$(ts)] Valid code signing identities (must include private key)"
codesigning_out="$(security find-identity -p codesigning -v 2>&1 || true)"
echo "$codesigning_out"
echo
echo "==> [$(ts)] Valid installer/pkg identities (must include private key)"
basic_out="$(security find-identity -p basic -v 2>&1 || true)"
echo "$basic_out"
echo
echo "==> [$(ts)] Note"
cat <<'EOF'
- Apple uses multiple certificate types. The "basic" identity list can include certificates that are not usable
for signing a Mac App Store upload package.
- For App Store Connect uploads via .pkg, you typically need an *Installer* identity (e.g. "3rd Party Mac Developer Installer"
or "Mac Installer Distribution") and it must have a private key on this Mac.
EOF
echo
list_cert_labels() {
local query="$1"
# Extract "labl" lines like: "labl"<blob>="Apple Distribution: ..."
security find-certificate -a -c "$query" 2>/dev/null \
| sed -n 's/.*"labl"<blob>="\(.*\)".*/\1/p' \
| sort -u
}
check_label_in_identities() {
local label="$1"
local out="$2"
if echo "$out" | grep -Fq "$label"; then
echo "YES"
else
echo "NO"
fi
}
check_label_in_installer_identities() {
local label="$1"
local out="$2"
# Only treat as installer-capable if the cert label itself is an installer cert.
case "$label" in
*Installer*|*installer*) ;;
*) echo "NO"; return 0 ;;
esac
if echo "$out" | grep -Fq "$label"; then
echo "YES"
else
echo "NO"
fi
}
print_section() {
local title="$1"
shift
local queries=("$@")
echo "==> [$(ts)] ${title}"
local any=0
local q
for q in "${queries[@]}"; do
local labels
labels="$(list_cert_labels "$q" || true)"
if [[ -z "$labels" ]]; then
continue
fi
any=1
while IFS= read -r label; do
[[ -z "$label" ]] && continue
local in_codesign in_basic
in_codesign="$(check_label_in_identities "$label" "$codesigning_out")"
in_basic="$(check_label_in_installer_identities "$label" "$basic_out")"
printf -- "- %s\n" "$label"
printf -- " - codesigning identity: %s\n" "$in_codesign"
printf -- " - installer identity: %s\n" "$in_basic"
if [[ "$in_codesign" == "NO" && "$in_basic" == "NO" ]]; then
printf -- " - note: certificate exists, but it is NOT a usable identity on this Mac (almost always missing private key)\n"
fi
done <<<"$labels"
done
if [[ "$any" -eq 0 ]]; then
echo "(no matching certificates found)"
fi
echo
}
print_section "Expected for Developer ID (outside Mac App Store)" \
"Developer ID Application" \
"Developer ID Installer"
print_section "Expected for Mac App Store submissions" \
"Apple Distribution" \
"Mac App Distribution" \
"3rd Party Mac Developer Application" \
"3rd Party Mac Developer Installer" \
"Mac Installer Distribution"
echo "==> [$(ts)] Quick interpretation"
cat <<'EOF'
- If a certificate label appears above, but both:
- codesigning identity: NO
- installer identity: NO
then the certificate is present but NOT usable for signing on this Mac.
The most common cause is: the private key is missing.
Fix:
- Open Keychain Access → login → "My Certificates"
- Expand the certificate. You must see a private key underneath it.
- If there is no private key:
- Recreate the certificate on this Mac via Xcode (Accounts → Manage Certificates), OR
- Import a .p12 that includes the private key from the machine where it was created.
EOF
echo
echo "==> [$(ts)] Provisioning profiles (Mac App Store builds require one)"
prof_dir="${HOME}/Library/MobileDevice/Provisioning Profiles"
if [[ -d "${prof_dir}" ]]; then
ls -la "${prof_dir}" | head -n 50
else
echo "(none found at '${prof_dir}')"
fi
Reference in New Issue View Git Blame Copy Permalink