productsign can't find identity

We do our builds via Jenkins at the command line. I've recently had to update all our certificates due to a corporate name change. I'm using the 9W4G... one for my code signing, and that seems to work.

I've been unable to get the productsign to work with either certificate. I've tried the productsign command with both identities, and they both fail with the same error - which always refers to the 9W4G... identity.

[exec]   Valid identities only
[exec]   3) ... "3rd Party Mac Developer Installer: Eps Us, LLC (F3YTHMJYQ9)"
[exec]   4) ... "Apple Development: John Lussmyer (9W4G27WAV9)"
[exec]      4 valid identities found
[exec] productsign --timestamp --sign F3YTHMJYQ9 /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication.pkg /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication-signed.pkg
[exec] ---------------------b
[exec] ---------------------c
[exec] cp -r /Users/jenkins/MetrixSetup/Installer.app /Users/jenkins/MetrixSetup/OSX_Metrix/
[exec] ---------------------d
[exec] productsign: error: Could not find appropriate signing identity for “9W4G27WAV9”.

To start, code signing identities are not the same as installer signing identities. You have to sign your code with your code signing identity and your installer with your installer signing identity. See Creating Distribution-Signed Code for Mac for more about that whole topic.

I’d like to clarify the transcript you posted. It seems that you’re invoking productsign with --sign F3YTHMJYQ9:

[exec] productsign --timestamp --sign F3YTHMJYQ9 /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication.pkg /Users/jenkins/MetrixSetup/OSX_Metrix/OSX/MetrixApplication-signed.pkg

but its error message is printing 9W4G27WAV9:

[exec] productsign: error: Could not find appropriate signing identity for “9W4G27WAV9”.

Is that correct? Or am I misunderstanding the transcript?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

That is correct, and is one of the reasons I'm confused. I pass one identity, and it complains about the other.

The 9W4G... cert is an "Apple Development", and the F3YT... is a "Mac Installer Distribution". It sounds like neither of these is what I need. (I should note that the code used to use the same cert for everything.)

Looking at the page to create new Certs, I'm not sure if I need an "Apple Distribution", or a "Developer ID Application".

Our app is a Java app, that is launched by a script, and embeds the JVM in the .app. Xcode is not used for this. We have an Installer application that was written years ago that does what we need at install time. That one item is built with Xcode. The instructions you referenced are very clear on how to do things with Xcode, but don't help much with a shell script command line built system.

Looking at the page to create new Certs, I'm not sure if I need an Apple Distribution, or a Developer ID Application.

That depends on your distribution channel. I go into this in depth in Creating Distribution-Signed Code for Mac. Search that post for channel to find the info.

The instructions you referenced are very clear on how to do things with Xcode, but don't help much with a shell script command line built system.

Ah, um, that post is all about signing outside of Xcode. The Export an App from Xcode section is the only thing that depends on Xcode’s code signing. Everything else is about manual signing from the command line.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Fixing the Keychain access popups, and a couple of typos in the scripts, I get further, but not quite working yet. Now the pkgbuild is failing to sign.

     [exec]   Valid identities only
  ...
     [exec]   3) ... "Apple Development: John Lussmyer (9W4G27WAV9)"
     [exec]   4) ... "Developer ID Application: Eps Us, LLC (F3YTHMJYQ9)"
     [exec]      4 valid identities found
     [exec] /usr/bin/pkgbuild --root /Users/jenkins/MetrixSetup/Metrix/MetrixApplication/ --component-plist /Users/jenkins/MetrixSetup/build/temp/component.plist --identifier com.efi.MetrixApplication --version 202220050 --scripts /Users/jenkins/MetrixSetup/build/temp/Scripts --sign F3YTHMJYQ9 --timestamp /Users/jenkins/MetrixSetup/build/MetrixApplication.pkg
     [exec] pkgbuild: Reading components from /Users/jenkins/MetrixSetup/build/temp/component.plist
  ...
     [exec] pkgbuild: error: Could not find appropriate signing identity for “F3YTHMJYQ9”.
  ...
     [exec] pkgbuild returned  1

The signing ID is there, and (as far as I can tell) is the correct type. "security find-identity" just before the call did show it as a valid identity.

The signing ID is there, and (as far as I can tell) is the correct type.

Au contraire. To sign an installer package for independent distribution you need a Developer ID Installer signing identity, that is, Developer ID Installer: TTT, where TTT identifies your team. There’s more about this in the companion post to Creating Distribution-Signed Code for Mac, namely, Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Ok, now I'm confused. Reading "Creating Distribution-Signed Code for Mac" mentioned in your earlier reply, I found "If you’re distributing a product independently, use a Developer ID Application code signing identity. This is named Developer ID Application: TTT, where TTT identifies your team."

So, we created a "Developer ID Application" cert.

Now you are saying we need a "Developer ID Installer" cert. The only problem with that, is the web page to create certs doesn't HAVE a way to create one of that type.

So, how do we create one?

After doing more Google searches, I see that this is due to a bug on the create cert web page that won't show that kind of cert even exists if you aren't the account holder. I'll have to get the product manager to create that one as well. (Note: He doesn't have a Mac, and knows nothing about Macs, so this is a royal PITA.)

Ok, now I'm confused.

Yeah, this is subtle.

Creating Distribution-Signed Code for Mac is, as the title suggests, about signing code. Its platonic life partner, Packaging Mac Software for Distribution, is about packaging that code into a distribution product. Which is why the former says you need a “Developer ID Application code signing identity” whereas the latter says (in the Build an Installer Package section) that you need a “Developer ID Installer signing identity”. Note that I omitted “code” in that second quote, because an installer signing identity isn’t a code signing identity.

Weirdly, if you distribute a disk image you need to sign it with a code signing identity. Don’t ask me why that is or I’ll start to whimper.

I see that this is due to a bug on the create cert web page that won't show that kind of cert even exists if you aren't the account holder.

Yeah, I was just made aware of this in another thread here on DevForums. I agree that it should show up disabled with a note about the requirements, just like Developer ID Application. Please file a bug about that, then post the bug number here so that I can reference your bug number when I update my post to discuss this gotcha.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
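The identity-type mapping described above (Developer ID Application for code and disk images, Developer ID Installer for .pkg files) is easy to check before calling pkgbuild or productsign, so a Jenkins job fails with a readable message rather than "Could not find appropriate signing identity". The following is an added example, not code from the thread or from Apple; it parses the `security find-identity -v -p basic` listing format seen in the transcripts, using a constructed sample listing with made-up hashes, a hypothetical team ID, and the helper names `identity_prefix` and `pick_identity`.

```shell
#!/bin/sh
# Added example: select the signing identity that matches a distribution role
# from `security find-identity -v -p basic` output.

# Constructed sample listing (hashes and team ID ABCDE12345 are made up).
SAMPLE_IDENTITIES='Policy: Basic
  Matching identities
  1) 0000000000000000000000000000000000000001 "Apple Development: Jane Doe (ABCDE12345)"
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (ABCDE12345)"
  3) 0000000000000000000000000000000000000003 "Developer ID Installer: Example Corp (ABCDE12345)"
     3 identities found
'

# Map a role to the certificate type needed for independent distribution:
#   code / dmg -> Developer ID Application (a code signing identity)
#   pkg        -> Developer ID Installer   (an installer signing identity)
identity_prefix() {
  case "$1" in
    code|dmg) printf '%s' 'Developer ID Application' ;;
    pkg)      printf '%s' 'Developer ID Installer' ;;
    *)        return 1 ;;
  esac
}

# Print the identity name for a role and team, or fail if none is present.
# $1 = role (code|dmg|pkg), $2 = team ID, $3 = find-identity output
# (defaults to the constructed sample so the script runs offline).
pick_identity() {
  prefix=$(identity_prefix "$1") || { echo "unknown role: $1" >&2; return 2; }
  listing=${3:-$SAMPLE_IDENTITIES}
  # Match the quoted common name: "<prefix>: <anything> (<team>)"
  name=$(printf '%s\n' "$listing" \
    | grep -o "\"$prefix: [^\"]*($2)\"" | head -n 1 | tr -d '"')
  if [ -z "$name" ]; then
    echo "no '$prefix' identity for team $2 in the keychain;" \
         "pkgbuild/productsign would fail for role '$1'" >&2
    return 1
  fi
  printf '%s\n' "$name"
}

# On a real build host the listing comes from the keychain, e.g.:
#   ID=$(pick_identity pkg "$TEAM_ID" "$(security find-identity -v -p basic)") || exit 1
#   pkgbuild ... --sign "$ID" --timestamp out.pkg
pick_identity pkg ABCDE12345
```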

FB11342355 ("Create New Certificate" page does not show the "Developer ID Installer" choice)

Now that I have the correct certs, I have gotten through the first level of getting our new Apple ID to work. Next comes the headache of having to build a whole new script for doing the Notarization step for our DMG. (that was handled by another group, and we don't have the scripts they used.)
