Reply to Gatekeeper acts against .app package developed by a freelancer for our company
So to sum things up concretely and all in all, the required steps are:

- Create an Apple Development Certificate.
- Add the Freelancer into our Apple Account, with the role 'Developer'.
- Forward the private key of the Apple Development Certificate to the Freelancer, such that he can use it to develop the macOS App in Xcode on his own machine.
- When creating the new user, under the "Additional Resources" tab, I will have to tick "Access to Certificates, Identifiers & Profiles.", such that he can use the Apple Development Certificate.
- Once the Freelancer's done, he should do Product > Archive and send me the resulting .xcarchive.
- I create a Developer ID Certificate in my app store account for direct macOS distribution. I do not forward its private key to the Freelancer.
- I import the obtained .xcarchive into my Xcode organizer, and do Developer ID distribution, including eventual notarization etc., from there.
Topic: Code Signing SubTopic: General Tags:
3w
Reply to Gatekeeper acts against .app package developed by a freelancer for our company
Yes. Just like you would do for iOS.

But that is exactly the problem, no? If I grant access to App Store Connect, they will have access to all certificates, as you cannot grant selective certificate access. And that's what you warned about in your first post, no? Or did I misunderstand you here?

As a follow-up to that, I understood now that it is clear that there is no solution to perform our signing process without granting the freelancer access to our App Store Connect account, correct? Hence:

That’s a balance between what authority you want to grant them and how much time you want to spend servicing their requests for credential manipulation. Although, having said that, I’ll note that this is no different than it is for iOS.

What is the role that allows the freelancer to do as you say and nothing else? I'm asking you as an expert because I cannot risk any unwanted data exposure; as we initially thought (according to initial talks with Apple Support) that we cannot grant access to our App Store Connect account.
Topic: Code Signing SubTopic: General Tags:
Aug ’25
Reply to Gatekeeper acts against .app package developed by a freelancer for our company
Hi Quinn,

Thanks for your reply, yet I'm still a little confused; as mentioned, all I've done so far is to release mobile apps through automated signing via Xcode for iOS (iPhones and iPads). I am also not sure if the freelancer developed the app within Xcode. Can you maybe be more precise regarding:

Regarding 1., do you mean adding the freelancer to my App Store Connect account? If not, where? If so, which role would you recommend, according to the principle of least needed access? You also say that we should not grant access to any certificates, so I'm a little confused by this proposition.

Regarding 2., are we supposed to provide that Apple Developer Identity to him?

Regarding 5., do you mean sign codesign the app with the developer ID I generated and then notarize the app? If I understand things correctly, these two things have to be done also in the future before releasing any update, correct?
Topic: Code Signing SubTopic: General Tags:
Aug ’25