Manual macOS code signing




From the documentation, I see that it’s possible to sign xcode/iOS projects using Fastlane. However, I intend to distribute a pkg installer, which needs to be signed with the productbuild command-line utility. The problem is, productbuild requires that both the certificate and private key be available on the keychain, and as far as I can tell, the only files circleCI will handle in the code signing section are the private keys (.p12) and mobileprovision files (which don’t help me in this case).

So the question is: is it at all possible to manually sign code? If not, are there any suggested workarounds?


I don’t know Xcode, but are you able to do this operation locally? If so, it should be possible to do it. What binary would one use?


I’m not sure what you mean-- I’m not using Xcode.

macOS has a set of command-line tools for building pkg installers for things that are meant to be distributed without going through the app store, namely pkgbuild and productbuild. The output of productbuild is a .pkg file that users are able to run in the same way a windows user might run an installer. By default though, macOS blocks users from running unsigned installers.

To sign the installer, it seems is necessary that both a certificate (presumably .cer file) and a corresponding private key (.p12 file) are accessible in a keychain (see this page). My problem is that I believe circleci handles the files uploaded on the code signing page in a special way, assuming that most people are going to be developing for iOS (which I’m not). Am I misunderstanding that? Can I just upload my cert there as well and have everything Just Work™?


Another way to phrase the question might be to ask how people sign .app bundles using circleci, given that the process is fairly similar (as far as I can tell)


I can’t shed any light on this, as I don’t use this technology. However, since CI really is just a VPS, it should Just Work. I would therefore reiterate my earlier question, which is: are you able to do this operation locally? If so, what command do you issue?


the command is productsign, as I mentioned in my post above. running the command is not the issue- the issue lies in identity storage, as Apple expects certain files to be stored in certain places. my question is really only about how I can store the proper files in the proper keychain with circleCI (or whether this is possible)


I don’t know anything about building Mac apps, but it seems like you could still use fastlane match to manage your signing/keychain requirements

There’s a handy helper action called setup_circle_ci which automatically builds an empty keychain for you that match can then populate


I’ll admit, I was a little skeptical, but now that I’ve looked into it more, match seems like a viable option (though I still have to do a little more research). Thanks for the tip!

That said, it looks like circle CI does not support uploading anything other than p12 files (and we need to have both the cer and the p12 for signing third-party installers), so I guess I’ll leave this here as a sort of feature request.


Check out too.