David Helkowski
c26e09e90b
This commit updates the check_signing_identities.sh script to search for provisioning profiles in multiple common directories, improving the detection process. Additionally, the README_MAS.md is updated to clarify where provisioning profiles are stored in newer Xcode versions and provides guidance on locating the correct profile for Mac App Store builds. This enhances the overall usability and clarity for developers working with macOS builds.
160 lines
4.7 KiB
Bash
Executable File
160 lines
4.7 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
# macOS signing identity sanity check for:
|
|
# - Developer ID (outside Mac App Store)
|
|
# - Mac App Store (Apple Distribution + 3rd Party Mac Developer Installer)
|
|
|
|
ts() { date +"%H:%M:%S"; }
|
|
|
|
if [[ "$(uname -s)" != "Darwin" ]]; then
|
|
echo "Error: This script is for macOS only." >&2
|
|
exit 1
|
|
fi
|
|
|
|
echo "==> [$(ts)] Strawberry macOS signing identity check"
|
|
echo "==> [$(ts)] Host: $(sw_vers -productName 2>/dev/null || true) $(sw_vers -productVersion 2>/dev/null || true)"
|
|
echo
|
|
|
|
echo "==> [$(ts)] Keychains searched by 'security' (user)"
|
|
security list-keychains -d user || true
|
|
echo
|
|
|
|
echo "==> [$(ts)] Valid code signing identities (must include private key)"
|
|
codesigning_out="$(security find-identity -p codesigning -v 2>&1 || true)"
|
|
echo "$codesigning_out"
|
|
echo
|
|
|
|
echo "==> [$(ts)] Valid installer/pkg identities (must include private key)"
|
|
basic_out="$(security find-identity -p basic -v 2>&1 || true)"
|
|
echo "$basic_out"
|
|
echo
|
|
|
|
echo "==> [$(ts)] Note"
|
|
cat <<'EOF'
|
|
- Apple uses multiple certificate types. The "basic" identity list can include certificates that are not usable
|
|
for signing a Mac App Store upload package.
|
|
- For App Store Connect uploads via .pkg, you typically need an *Installer* identity (e.g. "3rd Party Mac Developer Installer"
|
|
or "Mac Installer Distribution") and it must have a private key on this Mac.
|
|
EOF
|
|
echo
|
|
|
|
list_cert_labels() {
|
|
local query="$1"
|
|
# Extract "labl" lines like: "labl"<blob>="Apple Distribution: ..."
|
|
security find-certificate -a -c "$query" 2>/dev/null \
|
|
| sed -n 's/.*"labl"<blob>="\(.*\)".*/\1/p' \
|
|
| sort -u
|
|
}
|
|
|
|
check_label_in_identities() {
|
|
local label="$1"
|
|
local out="$2"
|
|
if echo "$out" | grep -Fq "$label"; then
|
|
echo "YES"
|
|
else
|
|
echo "NO"
|
|
fi
|
|
}
|
|
|
|
check_label_in_installer_identities() {
|
|
local label="$1"
|
|
local out="$2"
|
|
# Only treat as installer-capable if the cert label itself is an installer cert.
|
|
case "$label" in
|
|
*Installer*|*installer*) ;;
|
|
*) echo "NO"; return 0 ;;
|
|
esac
|
|
if echo "$out" | grep -Fq "$label"; then
|
|
echo "YES"
|
|
else
|
|
echo "NO"
|
|
fi
|
|
}
|
|
|
|
print_section() {
|
|
local title="$1"
|
|
shift
|
|
local queries=("$@")
|
|
|
|
echo "==> [$(ts)] ${title}"
|
|
local any=0
|
|
|
|
local q
|
|
for q in "${queries[@]}"; do
|
|
local labels
|
|
labels="$(list_cert_labels "$q" || true)"
|
|
if [[ -z "$labels" ]]; then
|
|
continue
|
|
fi
|
|
any=1
|
|
while IFS= read -r label; do
|
|
[[ -z "$label" ]] && continue
|
|
local in_codesign in_basic
|
|
in_codesign="$(check_label_in_identities "$label" "$codesigning_out")"
|
|
in_basic="$(check_label_in_installer_identities "$label" "$basic_out")"
|
|
printf -- "- %s\n" "$label"
|
|
printf -- " - codesigning identity: %s\n" "$in_codesign"
|
|
printf -- " - installer identity: %s\n" "$in_basic"
|
|
if [[ "$in_codesign" == "NO" && "$in_basic" == "NO" ]]; then
|
|
printf -- " - note: certificate exists, but it is NOT a usable identity on this Mac (almost always missing private key)\n"
|
|
fi
|
|
done <<<"$labels"
|
|
done
|
|
|
|
if [[ "$any" -eq 0 ]]; then
|
|
echo "(no matching certificates found)"
|
|
fi
|
|
echo
|
|
}
|
|
|
|
print_section "Expected for Developer ID (outside Mac App Store)" \
|
|
"Developer ID Application" \
|
|
"Developer ID Installer"
|
|
|
|
print_section "Expected for Mac App Store submissions" \
|
|
"Apple Distribution" \
|
|
"Mac App Distribution" \
|
|
"3rd Party Mac Developer Application" \
|
|
"3rd Party Mac Developer Installer" \
|
|
"Mac Installer Distribution"
|
|
|
|
echo "==> [$(ts)] Quick interpretation"
|
|
cat <<'EOF'
|
|
- If a certificate label appears above, but both:
|
|
- codesigning identity: NO
|
|
- installer identity: NO
|
|
then the certificate is present but NOT usable for signing on this Mac.
|
|
The most common cause is: the private key is missing.
|
|
|
|
Fix:
|
|
- Open Keychain Access → login → "My Certificates"
|
|
- Expand the certificate. You must see a private key underneath it.
|
|
- If there is no private key:
|
|
- Recreate the certificate on this Mac via Xcode (Accounts → Manage Certificates), OR
|
|
- Import a .p12 that includes the private key from the machine where it was created.
|
|
EOF
|
|
echo
|
|
|
|
echo "==> [$(ts)] Provisioning profiles (Mac App Store builds require one)"
|
|
prof_dirs=(
|
|
"${HOME}/Library/Developer/Xcode/UserData/Provisioning Profiles"
|
|
"${HOME}/Library/MobileDevice/Provisioning Profiles"
|
|
)
|
|
any_prof=0
|
|
for prof_dir in "${prof_dirs[@]}"; do
|
|
if [[ -d "${prof_dir}" ]]; then
|
|
any_prof=1
|
|
echo " ${prof_dir}"
|
|
ls -la "${prof_dir}" | head -n 20
|
|
echo
|
|
fi
|
|
done
|
|
if [[ "$any_prof" -eq 0 ]]; then
|
|
echo "(no provisioning profile directories found in common locations)"
|
|
fi
|
|
|
|
echo "Tip: to pick the right MAS profile for a bundle id, run:"
|
|
echo " ./build_tools/macos/find_mas_provisioning_profile.sh --bundle-id com.dryark.strawberry"
|
|
|