Context: large platform-agnostic CLI tool built as a handcrafted bundle (not via an Xcode project) that has been successfully codesigned, stapled, and zipped; macOS 14.7.5 syspolicy_check reports App passed all pre-distribution checks and is ready for distribution. However, running the executable in the Terminal produces a "cannot be opened because the developer cannot be verified" popup. The executable does succeed after manually clearing its quarantine attribute. Having worked through Resolving Gatekeeper Problems, the only detail logged in the Console is Adding Gatekeeper denial breadcrumb (direct): ... bundle_id: NOT_A_BUNDLE. Experimental observations: a minimized trivial CLI executable with a similar bundle layout and name successfully executes without being rejected, and oddly, renaming the original bundle from "name" to "name.suffix" allows it to be successfully executed. It's unclear why the bundle name would affect Gatekeeper only in some circumstances, and we'd greatly prefer not to rename the bundle for compatibility reasons, so it would be good if there were some way to get further diagnostic detail leading to a workaround - thank you.

Command failed: codesign --sign 142DA07B8371F5C9BCE0FFEC6B23CDEB84F48E52 --force --timestamp --options runtime --entitlements /Users/mymac/Desktop/ElectronApp/node_modules/app-builder-lib/node_modules/@electron/osx-sign/entitlements/default.darwin.plist /Users/mymac/Desktop/ElectronApp/dist/mas-arm64/electron.app/Contents/Library/LoginItems/electron Login Helper.app/Contents/MacOS/electron Login Helper /Users/mymac/Desktop/ElectronApp/dist/mas-arm64/electron.app/Contents/Library/LoginItems/electron Login Helper.app/Contents/MacOS/electron Login Helper: replacing existing signature /Users/mymac/Desktop/ElectronApp/dist/mas-arm64/electron.app/Contents/Library/LoginItems/electron Login Helper.app/Contents/MacOS/electron Login Helper: resource fork, Finder information, or similar detritus not allowed failedTask=build stackTrace=Error: Command failed: codesign --sign 142DA07B8371F5C9BCE0FFEC6B23CDEB84F48E52 --force --timestamp --options runtime --entitlements /Users/mymac/Desktop/ElectronApp/node_modules/app-builder-lib/node_modules/@electron/osx-sign/entitlements/default.darwin.plist /Users/mymac/Desktop/ElectronApp/dist/mas-arm64/electron.app/ I'm not entirely sure what's causing this issue. Has anyone else encountered this error while signing their macOS app? I’d really appreciate any guidance or solutions you can share.

How do I replace an Apple Developer ID Certificate that indicates it is not trusted? When I look at my Certificate Expiring 02-20-2025, I see a valid status displayed. (See annotation #1.) However, when I look at my Apple Developer ID Certificate renewal, I see the words not trusted. (See annotation #2.) I downloaded the renewal certificate and double double-clicked the downloaded item to place it in my KeyChain. This certificate period is from 01-21-2025 to 01-22-2030. QUESTIONS Why does the renewal certificate say "certificate is not trusted"? (Its period is 01-21-2025 to 01-22-2030. Today is 01-27-2025.) How did the renewal certificate get damaged? What must I do to get the damaged certificate replaced with a valid one?

I am trying to resign a package using a script from Docebo. But I got an error when running the script error: The specified item could not be found in the keychain. So I ran security find-identity and I got a 0 Valid identity message. But I can see these certificates installed in my keychain and downloaded a brand new mobile provissioning profile. No dice... any ideas?

Hi everyone, I applied for CarPlay Entitlements on [Date 4. 26, 2025] using. (*CarPlay Entitlements Case-ID : 13045151) I haven't received any updates or responses regarding my application yet. It's been 7 days since the application. My service requires CarPlay integration with a Black Box device. The primary purpose of this integration is to allow users to configure device settings through CarPlay. Furthermore, we plan to utilize the "Communication" category of Entitlements to notify users of parking incidents detected by the Black Box device while parked. This functionality is crucial for alerting drivers to potential issues affecting their vehicles. Could anyone share their experience with the typical turnaround time for CarPlay Entitlements, especially for applications involving device integration and the "Communication" category? Is this delay normal? Is there any way to check the application status or contact the appropriate team to inquire about its progress? Thank you for any insights or advice you can provide! Sincerely,

I use the 'notarytool' to notarize applications and .pkg installers for Developer ID distribution. When using the notary tool with a fresh Apple Developer account, the notarization process remains stuck in the 'In progress' state. However, if I try the same app with an older developer account (one that has notarized at least one app in the past), the notarization works. All agreements are accepted in developer portal and Appstore Connect.

Hi, For the purposes of iteration speed in development builds, on an iPhone in development mode, I am attempting to use hot reloaded dylibs. The goal is that the app is rarely fully restarted and small code changes can be applied quickly, drastically reducing iteration speed. For this purpose I have a socket server on my Mac that sends changed dylibs to my app on my iPhone. This works great on Mac, however on iOS i am running into codesigning problems. I am using the following to codesign the dylib: codesign -f -s XXX --timestamp=none testlibrary-ios.dylib I am placing the downloaded dylib in this folder: const char* cachedirectoryPath = [NSSearchPathForDirectoriesInDomains(NSCachesDirectory, NSUserDomainMask, YES)[0] UTF8String]; dlopen gives me the following error: dlopen(/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib, 0x000A): tried: '/usr/lib/system/introspection/testlibrary-ios.dylib' (no such file, not in dyld cache), '/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib' (code signature invalid in <78A101AD-D756-3526-8754-8B7F4925DE90> '/private/var/mobile/Containers/Data/Application/67A3D31B-6F72-4939-9E7F-665FC78CDC61/Library/Caches/testlibrary-ios.dylib' (errno=1) sliceOffset=0x00000000, codeBlobOffset=0x0000C2E0, codeBlobSize=0x00004990), .... Is loading a dylib like this on iPhones in development mode possible? Any idea what is going wrong with codesigning or installing the dylib? (Obviously this code is never deployed in an app that goes on the AppStore)

I have a misterous problem with checking DMG notarization. It fails: bash-3.2$ spctl -a -t open --context context:primary-signature -v MyApp.dmg MyApp: rejected source=no usable signature However this DMG installs fine on Big Sur 11.2.2, macOS allows to run this app, and checking of notarization for installed app was passed: bash-3.2$ spctl -a -v '/Applications/MyApp.app' /Applications/MyApp.app: accepted source=Notarized Developer ID I checked other downloaded apps (Intel or Universal). Some DMG files pass DMG notarization (for example, Audacity), and some fails (PerfectTablePlan). Why? For my app (Universal) I use the following code to codesign and notarize: codesign --timestamp --options runtime --force --deep -s "Developer ID Application: MYCOMPANY" "My.app" // Creating DMG with EULA license xcrun altool --notarize-app --primary-bundle-id MyApp -u "my@email.com" -p "abc123" --file MyApp.dmg xcrun stapler staple MyApp.dmg

Having reviewed every document, this has been going on for nearly two months. Originally, it was thought that the problem might be related to the fact I had created the developer ID signing certificate on an intel mac, and trying to import and use it on an M1 Mac-Mini. That turned out to not be the case. Completely started over with a new account (the company changed names), requested and was granted the entitlements we needed. Create a new CSR from this new m1 machine, created a Developer ID certificate, installed the certificate on this machine. But no matter what, the codesign fails. Troubleshooting Environment: Brand new Apple Developer account and Developer ID Application certificate (generated CSR on this Mac, installed cert and private key in login keychain) macOS build/signing machine, not running codesign as root Working from Terminal app in GUI session, not via SSH/cron Keychain & Certificate Chain: Verified Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ) certificate and private key are present in login keychain Verified certificate is marked as trusted and has a private key attached Developer ID Certification Authority present and trusted in System keychain (removed any extra from login) Evaluate certificate assistant shows everything is good Apple Root CA present and trusted in System keychain Set all trust settings back to System Defaults after testing with “Always Trust” No expired or duplicate Developer ID intermediates present codesign Troubleshooting: Ran: codesign --force --timestamp --options runtime --sign "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)" ./fidelisevents Consistently received: Warning: unable to build chain to self-signed root for signer ... errSecInternalComponent Confirmed correct identity using: security find-identity -v -p codesigning (Shows my Developer ID Application cert as valid) Keychain order confirmed with security list-keychains Tried explicit --keychain argument in codesign (no change) Additional Steps Attempted: Downloaded and re-installed all relevant Apple intermediates/root certificates from https://www.apple.com/certificateauthority/ Rebooted the Mac and killed/restarted the securityd daemon Confirmed no use of sudo or root for codesigning Verified keychain is unlocked Checked that partition list grants access to codesign (set with security set-key-partition-list -S "apple:codesign:" -s -k "" ~/Library/Keychains/login.keychain-db) Attempted to codesign a copy of /usr/bin/true (same error) Ran codesign both with and without --timestamp, both on app bundle and binary Keychain Access showing: Certificate and private key present and linked Correct trust chain System keychain containing all Apple intermediates/roots No trust warnings or red Xs Downloaded the latest Apple CA and Developer ID Root certificates and installed those. None of the forum searches have helped. AI is likewise confused.

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?
 Thanks

Hi, Out app is approved on app store, however we want to distribute outside apps tore as well. But notarization always fails with error: Team is not yet configured for notarization. Please contact Developer Programs Support at developer.apple.com under the topic Development and Technical / Other Development or Technical Questions.", "statusCode": 7000, Any help to address this issue is highly appreciated.

We are facing issue with resigning the app which is developed by 3rd party. In this app we have Sharing functionality feature for which we have enabled Associated Domains capability. When we are signing the app with our certificate and profile this functionality is not working i.e when we are clicking on shared link in the app it is redirecting to app store page instead of content link. However, when 3rd party is directly using our certificate & profile then that functionality is working as expected. Could you please help us with the above issue why it is not working when we are resigning with our certificate and profile?

Doing it multiple times (even hours apart) doesn't help. createdDate: 2025-03-14T13:58:40.397Z id: eb49f8a4-bee6-432b-87de-6b11ca9d392a name: panda-app-1.0.0-arm64.dmg status: In Progress -------------------------------------------------- createdDate: 2025-03-14T13:23:31.444Z id: f6f3c938-5356-434c-aba1-c425f18cb4a7 name: panda-app-1.0.0-arm64.dmg status: In Progress

I’ve been wrestling with this for nearly a week now and none of the proposed fixes have worked. I’m trying to resign an app via Jenkins and have done the following: Created a custom keychain Imported the required .p12 certificates Installed the Apple WWDR certificate in the System keychain Made the login keychain my default Added my development keychain, the login keychain and the System keychain to the user keychain list Unlocked my development keychain Confirmed my signing identity is present Granted the appropriate partition list access to the keychain "security set-key-partition-list -S apple-tool:,codesign: -k pwd /Users/ec2-user/Library/Keychains/development.keychain-db" Yet when I invoke Fastlane’s resign action, I still see: _floatsignTemp/Payload/EverMerge.app/Frameworks/AppLovinSDK.framework: replacing existing signature _floatsignTemp/Payload/EverMerge.app/Frameworks/AppLovinSDK.framework: errSecInternalComponent Encountered an error, aborting! Any guidance on what might be causing this errSecInternalComponent failure or how to get the resign step to succeed would be highly appreciated.

I am experiencing an issue when publishing my .NET MAUI application for iOS using Visual Studio Code. During the publishing process, I encountered a codesign error. Hope someone can help me. This is the error: Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (********)" /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /usr/bin/codesign exited with code 1: [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (U44UY7DYY7)" [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : Failed to codesign '/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app': Warning: unable to build chain to self-signed root for signer "Apple Distribution: SOFTBUILDER SDN. BHD. (U44UY7DYY7)" [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : /Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/bin/Release/net8.0-ios/ios-arm64/MLBusinessCafe_Maui.app: errSecInternalComponent [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios] /usr/local/share/dotnet/packs/Microsoft.iOS.Sdk.net8.0_18.0/18.0.8316/tools/msbuild/iOS/Xamarin.Shared.targets(2335,3): error : [/Users/frankongthuanhong/Desktop/App/MLBusinessCafe_Maui/MLBusinessCafe_Maui/MLBusinessCafe_Maui.csproj::TargetFramework=net8.0-ios]

Hello I have a qt, CMAKE app, non-xcode one till xcode start supporting cmake. I have 3 apps, 2 basic ones and 1 very complex ones. My complex one build/links/notarises/validates/deploys beautifly. I have tear in my eye when I see it build. The other 2 apps explode and torment me for past 5 days. The build proves is 99% the same, the only thing that a little changes are info.plist and app name+ some minor changes. Its absolutely bananas and I can't fix it, I'm running out of ideas so if any1 could sugged anything, I'll buy &amp; ship you a beer. Anyway, errors: Log: Using otool: Log: inspecting "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore" Log: Could not parse otool output line: "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore (architecture arm64):" Log: Adding framework: Log: Framework name "QtCore.framework" Framework directory "/Users/dariusz/Qt/6.9.1/macos/lib/" Framework path "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework" Binary directory "Versions/A" Binary name "QtCore" Binary path "/Versions/A/QtCore" Version "A" Install name "@rpath/QtCore.framework/Versions/A/QtCore" Deployed install name "@rpath/QtCore.framework/Versions/A/QtCore" Source file Path "/Users/dariusz/Qt/6.9.1/macos/lib/QtCore.framework/Versions/A/QtCore" Framework Destination Directory (relative to bundle) "Contents/Frameworks/QtCore.framework" Binary Destination Directory (relative to bundle) "Contents/Frameworks/QtCore.framework/Versions/A" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Versions/A/QtWebSockets" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/QtWebSockets" Log: copy: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources" "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources/Info.plist" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources/Info.plist" Log: copied: "/Users/dariusz/Qt/6.9.1/macos/lib/QtWebSockets.framework/Resources/PrivacyInfo.xcprivacy" Log: to "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/A/Resources/PrivacyInfo.xcprivacy" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/QtWebSockets" Log: points to "Versions/Current/QtWebSockets" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Resources" Log: points to "Versions/Current/Resources" Log: symlink "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/Frameworks/QtWebSockets.framework/Versions/Current" Log: points to "A" Log: Using install_name_tool: Log: in "/AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox" Log: change reference "@rpath/QtWebSockets.framework/Versions/A/QtWebSockets" Log: to "@rpath/QtWebSockets.framework/Versions/A/QtWebSockets" ERROR: "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/install_name_tool: fatal error: file not in an order that can be processed (link edit information does not fill the __LINKEDIT segment): /AppBuild/Agameri_Toolbox/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox\n" ERROR: "" Even tho I get that error, it will "Notarize" and "greenlight by gatekeeper. So my automatic build app if he sees error with the __LINKEDIT it will stop deployment. But even tho he "stops" release of app to public I can still go check binary and when I try to run that I get: Library not loaded: @rpath/QtConcurrent.framework/Versions/A/QtConcurrent Referenced from: &lt;69A296DB-8C7D-3BC9-A8AE-947B8D6ED224&gt; /Volumes/VOLUME/*/Agameri_Toolbox.app/Contents/MacOS/Agameri_Toolbox Reason: tried: '/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' (code signature in &lt;192D5FAC-FE8C-31AB-86A7-6C2CE5D3E864&gt; '/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' not valid for use in process: mapping process and mapped file (non-platform) have different Team IDs), '/System/Volumes/Preboot/Cryptexes/OS/Users/dariusz/Qt/6.9.1/macos/lib/QtConcurrent.framework/Versions/A/QtConcurrent' (no such file), '/Volumes/DEV_MAC/02_CODE/Dev/Icarus.nosync/Icarus_Singleton/codeSingleton/libOutput/Release/QtConcurrent.framework/Versions/A/QtConcurrent' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/Volumes/DEV_MAC/02_CODE/Dev/Icarus.nosync/Icarus_Singleton/codeSingleton/libOu (terminated at launch; ignore backtrace) And here is my build script, its QT based application, I'm using macdeployqt + my own custom signing as the one from macdeployqt breaks on the complex app. (I will post it in next post as apparently there is 7k limit O.O) I've tried to replace the @rpath/ to @executable_path but that has made a million new issues and I'm just lost.

Hi at all, we started a notarization process and after 3 hours is still in progress.

Hi Team, I have created multiple certificates for macOS application. Below are the certificates created- Apple Development Certificate DeveloperID Installer Certificate Apple Distribution Certificate others certificates Later, I have imported the all these above certificates in keychain-access. Now, I tried to compile the code through Xcode. I am getting error for code signing certificate. Warning: unable to build chain to self-signed root for signer "Apple Development: Amit (M2WMF2YERI)” .... Command CodeSign failed with a nonzero exit code When I checked the TeamID of User(Amit) I can see that his current TeamID is [P8ZW3W9R2Q]. There is mismatch of teamID in apple development certificate generation. Note- All certificates are generated with current TeamID[P8ZW3W9R2Q] of user (Amit) except Apple Development certificate which has been generated with TeamID [M2WMF2YERI] which is generated with old TeamID of user (Amit). I attempted to generate the apple development certificate multiple times but it is getting generated with old TeamID TeamID[M2WMF2YERI] of user(Amit)
 Summary- While creating a developer certificate using apple developer account and mapping it in keychain, the certificate is being generated with old apple account details (Inactive) instead of the current one. This is causing issues when using the certificate in keychain. If anyone has encountered this issue, how it was resolved?

I am running into this error with productbuild in github actions where the program hangs with a specific developer id. I have verified that my certification files are properly uploaded etc. and i am able to run this without the --sign command online and with --sign offline. if i sign with a "3rd party mac developer installer: ***" it will run but then crash on stapling because this isn't the actual org i want to staple and don't really need to verify that i could staple with this other license since it is my personal license and i will be leaving this job soon so setting up all my other certs is a waste of time since it doesn't solve the problem. When i use my bosses/org "Developer ID Installer: ***" productbuild just hangs. I am at a loss here... the acutal command running is productbuild --resources ./resources --distribution distribution.xml --sign "${{ secrets.DEVELOPER_ID_INSTALLER }}" --timestamp "${{ env.ARTIFACT_NAME }}.pkg" I have confirmed that my distribution file is fine etc. because I can productbuild without signing fine. Any suggestions on where to go?

I’m having issues trying to codesign a .app file. We generated the Developer ID Application certificate using the organization owner’s account. I downloaded the certificate to my Mac and imported it into my keychain, but when I run the codesign command below, I get the following error. Could you help me? What am I doing wrong? Is there any other way to sign the .app executable? From what I’ve seen in other posts, it looks like the certificate needs to have a private key, but the certificate I download from the developer portal doesn’t include the key. Also, about exporting it as a .p12 — I couldn’t quite understand if that’s considered a safe practice, since the organization owner’s private key would be included in this certificate that we plan to use in our pipeline.