Reply to productsign can't find identity
That is correct, and is one of the reasons I'm confused. I pass one identity, and it complains about the other. The 9W4G... cert is an "Apple Development", and the F3YT... is a "Mac Installer Distribution". It sounds like neither of these is what I need. (I should note that the code used to use the same cert for everything.) Looking at the page to create new Certs, I'm not sure if I need an "Apple Distribution", or a "Developer ID Application". Our app is a Java app, that is launched by a script, and embeds the JVM in the .app. Xcode is not used for this. We have an Installer application that was written years ago that does what we need at install time. That one item is built with Xcode. The instructions you referenced are very clear on how to do things with Xcode, but don't help much with a shell script command line built system.
Aug ’22
Reply to keychain not staying unlocked
The post you referenced helped, though all the dialogs and text were significantly different from what the Mac is showing me. I ended up using the Keychain app to modify the Access Control of the key associated with each Cert to "Allow all applications to access this item". I would have preferred to specify the list of applications, but the Finder window it brought up doesn't seem to have any way to select the relevant folder/file. Though, I do see that when I go back into Keychain, and look at those keys - the "Allow all ..." is no longer selected, but the shell scripts are NOT popping up the Keychain Unlock Dialog anymore. Which makes me wonder if this is going to stop working after the next reboot or something.
Aug ’22
Reply to productsign can't find identity
Fixing the Keychain access popups, and a couple of typos in the scripts, I get further, but not quite working yet. Now the pkgbuild is failing to sign.

    [exec] Valid identities only
    ...
    [exec] 3) ... "Apple Development: John Lussmyer (9W4G27WAV9)"
    [exec] 4) ... "Developer ID Application: Eps Us, LLC (F3YTHMJYQ9)"
    [exec] 4 valid identities found
    [exec] /usr/bin/pkgbuild --root /Users/jenkins/MetrixSetup/Metrix/MetrixApplication/ --component-plist /Users/jenkins/MetrixSetup/build/temp/component.plist --identifier com.efi.MetrixApplication --version 202220050 --scripts /Users/jenkins/MetrixSetup/build/temp/Scripts --sign F3YTHMJYQ9 --timestamp /Users/jenkins/MetrixSetup/build/MetrixApplication.pkg
    [exec] pkgbuild: Reading components from /Users/jenkins/MetrixSetup/build/temp/component.plist
    ...
    [exec] pkgbuild: error: Could not find appropriate signing identity for “F3YTHMJYQ9”.
    ...
    [exec] pkgbuild returned 1

The signing ID is there, and (as far as I can tell) is the correct type. "security find-identity" just before the call did show it as a valid identity.
Aug ’22
Reply to productsign can't find identity
Ok, now I'm confused. Reading "Creating Distribution-Signed Code for Mac" mentioned in your earlier reply, I found "If you’re distributing a product independently, use a Developer ID Application code signing identity. This is named Developer ID Application: TTT, where TTT identifies your team.". So, we created a "Developer ID Application" cert. Now you are saying we need a "Developer ID Installer" cert. The only problem with that, is the web page to create certs doesn't HAVE a way to create one of that type. So, how do we create one?
Aug ’22
Reply to productsign can't find identity
FB11342355 ("Create New Certificate" page does not show the "Developer ID Installer" choice) Now that I have the correct certs, I have gotten through the first level of getting our new Apple ID to work. Next comes the headache of having to build a whole new script for doing the Notarization step for our DMG. (that was handled by another group, and we don't have the scripts they used.)
Aug ’22
Reply to Notarization failing, not signed with Developer ID Cert
Well, the referenced instructions are a bit vague as to exactly which tool I should use when. The particular item in the DMG that the error is about is the actual Application that will be installed, not the installer application. The error just mentions a "Developer ID" certificate - which doesn't narrow down which particular version of certificate is needed. Note that we used to use:

    productsign --timestamp --sign $SIGNID "$PACKAGE_DEST/Install/MetrixApplication.pkg" "$PACKAGE_DEST/Install/MetrixApplication-signed.pkg"

and that worked - before we had to switch to a whole new Apple developer account and certificates. It gets the exact same error as my attempt to use codesign. I think that I am using a Developer ID Installer code signing identity.

    H2WGX2D1Q6NW:BuildInstaller johnluss$ security find-identity -v
      1) 3D7E5672AF0B37ABB6B3963FE0798A6E937FB44D "3rd Party Mac Developer Installer: Eps Us, LLC (F3YTHMJYQ9)"
      2) A4BD899689B2C6ABB973D04B3D3519FC2859AAA2 "Developer ID Application: Eps Us, LLC (F3YTHMJYQ9)"
      3) 4B963D271E6BA871BFCA42C21ACD6A5A6E812A09 "Developer ID Installer: Eps Us, LLC (F3YTHMJYQ9)"
      4) 7FAFF5716D350A39D28FA64049A7E30A4FF929A4 "Apple Development: John Lussmyer (9W4G27WAV9)"
         4 valid identities found

The SIGNID I pass is F3YTHMJYQ9
Topic: Code Signing SubTopic: Notarization Tags:
Sep ’22
Reply to Notarization failing, not signed with Developer ID Cert
Thanks for the info, but let me clear up a couple items. Vagueness on tools was in relation to this: "For more details on how to work with installer packages, see the man pages for productbuild, productsign, pkgbuild, and pkgutil." As the man pages don't do a good job of telling me when/why I need to use which one of those. Also note that codesign did NOT fail with an error saying the string was ambiguous. Both codesign and productsign ran without error. If the error you mentioned HAD been reported, it would have definitely helped me figure out what the problem was. I do have Notarization succeeding now.
Topic: Code Signing SubTopic: Notarization Tags:
Sep ’22
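In the `security find-identity -v` listing quoted in the earlier reply, the string F3YTHMJYQ9 appears in three of the four identity names. As an added example (not code from the thread), a build script can select an identity by certificate type plus team ID and stop unless exactly one matches; the sample listing, its hashes, the team IDs and the function names `count_matches` and `resolve_identity` are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick exactly one signing identity from `security find-identity -v`
# output by certificate type and team ID, instead of passing the team ID alone.

# Constructed sample in the same layout as the listing in the post (all values made up).
SAMPLE_IDENTITIES='  1) 1111111111111111111111111111111111111111 "3rd Party Mac Developer Installer: Example Corp (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "Developer ID Application: Example Corp (ABCDE12345)"
  3) 3333333333333333333333333333333333333333 "Developer ID Installer: Example Corp (ABCDE12345)"
  4) 4444444444444444444444444444444444444444 "Apple Development: Jane Doe (ZYXWV98765)"
     4 valid identities found'

# count_matches LISTING SUBSTRING: number of identity lines containing SUBSTRING.
count_matches() {
  printf '%s\n' "$1" | awk -v s="$2" '
    /^ *[0-9]+\) [0-9A-F]+ "/ { if (index($0, s)) n++ }
    END { print n + 0 }'
}

# resolve_identity LISTING TYPE TEAM: prints "HASH<TAB>NAME" for the single identity
# named "TYPE: ... (TEAM)"; returns non-zero when zero or several identities match.
resolve_identity() {
  printf '%s\n' "$1" | awk -v type="$2" -v team="$3" '
    /^ *[0-9]+\) [0-9A-F]+ "/ {
      hash = $2
      name = $0
      sub(/^[^"]*"/, "", name)      # drop everything up to the opening quote
      sub(/" *$/, "", name)         # drop the closing quote
      prefix = type ": "
      suffix = "(" team ")"
      tail = substr(name, length(name) - length(suffix) + 1)
      if (index(name, prefix) == 1 && tail == suffix) {
        n++
        out = hash "\t" name
      }
    }
    END {
      if (n != 1) exit 1
      print out
    }'
}

# Demonstration on the constructed sample.
echo "team ID alone matches $(count_matches "$SAMPLE_IDENTITIES" "ABCDE12345") identities"
resolve_identity "$SAMPLE_IDENTITIES" "Developer ID Installer" "ABCDE12345" ||
  echo "no unique identity of that type" >&2
```

On a build machine the first argument would be the captured output of `security find-identity -v` rather than the sample.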
Reply to Notarization taking hours??
Well, after quite a few hours (not sure how many, but > 4) it came back with this:

    Error: internalError(statusCode: Optional(500), strData: nil, jsonData: Optional(["statusCode": 500, "errors": <__NSSingleObjectArrayI 0x600000db82b0>(
    {
        code = "UNEXPECTED_ERROR";
        detail = "<null>";
        id = G5FW7NFIIPPCZWYPDTUGODP7EQ;
        links = "<null>";
        status = 500;
        title = "Uncaught server exception";
    }
    )
    ]))
    Please try again at a later time.

I'll do some experiments to see if I can narrow down what part of my DMG is breaking the server.
Topic: Code Signing SubTopic: Notarization Tags:
Sep ’22
Reply to Notarization taking hours??
My initial experiment indicates that if I use "zip -ry something.app" to create a zip of the app, then use "unzip something.app.zip" to restore it - that results in the Notarization of the DMG hanging and causing the above error. Previously, I had tried using just "zip -r something.app". When I unzipped that I'd always get a prompt asking to overwrite some file, which probably meant a link wasn't being handled correctly. Being unable to transfer the app via .zip is going to be a PITA.
Topic: Code Signing SubTopic: Notarization Tags:
Sep ’22
Reply to df command missing
Our app logs when its attempt to use it fails with:

    java.io.IOException: Cannot run program "df": error=2, No such file or directory

When the user tried running "df" in the Terminal, he got the command not found error. After using brew to install it, he was able to run "df -i -n" and it worked. Our app STILL reports the same No such file or directory error. The biggest issue is that this works on hundreds of Mac OS computers. It's only on this one customer's systems that it fails. "Full Disk Access" - don't know, didn't even know that setting existed. We'll have to contact the customer again to check on that.
Topic: App & System Services SubTopic: Core OS Tags:
Dec ’22
Reply to df command missing
Note that I just tested with my Mac OS 12 box. Our App is not listed in the "Full Disk Access" list, but still can use the "df" command. Anyone have any ideas on what security settings might make it impossible to use the "df" command? (Or why it may not have been installed on the Mac?)
Topic: App & System Services SubTopic: Core OS Tags:
Dec ’22
Reply to df command missing
Customer finally got back to me. He did the "whereis df", and it gave back the same results as mentioned above. Our app still can't run it though. This is sounding like a permissions issue at this point. "Full Disk Access" isn't needed on any other Mac we've ever run on, so I have trouble believing that is the issue.
Topic: App & System Services SubTopic: Core OS Tags:
Jan ’23
Reply to Moving signing to a new machine
The problem with that is that we don't use Xcode for development. We are a Java application, and only use a few of the Xcode tools to sign the app. I still have no idea what I did in the past to get the key into my keychain. The ONLY thing we use the Mac for is to assemble our app, sign it, and assemble an installer and notarize that. Note that I am just one of several developers working under a team Apple dev account. Note that I tried to use "Keychain Access" to export the relevant private key (which shows the related certificate under it). While the export seemed to work, importing it on the new Mac doesn't seem to have added anything to the keychain. I had to enter an admin password 3 times, and the p12 password - and then absolutely nothing changed.
Apr ’23