I'm trying to export a Developer-ID-signed app bundle from a post-build trigger in a bot on Xcode 9.1, but I can't get it to pass through Gatekeeper without having to use the right-click-in-Finder workaround.
As suggested by this answer, I tried running codesign -dvv /path/to/my.app and I get this output (server and team IDs have been *'d out):
Executable=/path/to/my.app/Contents/MacOS/myapp
Identifier=com.abbey-code.myapp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=29403 flags=0x0(none) hashes=911+5 location=embedded
Signature size=4630
Authority=Mac Developer: OS X Server (**********)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Nov 20, 2017, 5:48:21 PM
Info.plist entries=35
TeamIdentifier=**********
Sealed Resources version=2 rules=13 files=141
Internal requirements count=1 size=184
The answer above suggests I should see Developer ID Certification Authority, but I only see "Mac Developer" as the root authority. I'm invoking xcodebuild with these arguments:
xcodebuild -verbose -exportArchive -exportOptionsPlist exportOptions.plist -archivePath, /path/to/xcarchive, -exportPath, /path/to/place/exported/appbundle
My exportOptions.plist looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>method</key>
    <string>mac-application</string>
    <key>signingCertificate</key>
    <string>Developer ID Application</string>
    <key>signingStyle</key>
    <string>automatic</string>
</dict>
</plist>
My bot is signed into my developer account, and is set to manage certificates automatically. I have also tried launching Xcode on the server, signing into my account, downloading a Developer ID certificate, and clicking the "Add to Server" button from the Edit Bot sheet.
What am I doing wrong?
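
Added example, not part of the original question: a post-build check that reads `codesign -dvv` output and fails unless the authority chain is a Developer ID chain, so a development-signed export like the one above is caught before distribution. The function name, the sample variables and the `Example Corp` identity are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the signing chain from `codesign -dvv` output on stdin.
# Prints a one-word verdict and returns 0 only for a Developer ID chain.
classify_signature() {
    # Keep only the certificate chain, leaf first.
    authorities=$(sed -n 's/^Authority=//p')
    leaf=$(printf '%s\n' "$authorities" | head -n 1)
    case "$leaf" in
        "Developer ID Application:"*)
            # The leaf alone is not enough: require the Developer ID intermediate.
            if printf '%s\n' "$authorities" | grep -qx 'Developer ID Certification Authority'; then
                echo developer-id; return 0
            fi
            echo other; return 1 ;;
        "Mac Developer:"*) echo development; return 1 ;;
        "") echo no-authority; return 1 ;;
        *) echo other; return 1 ;;
    esac
}

# Chain taken from the redacted output quoted in the question.
SAMPLE_DEVELOPMENT='Identifier=com.abbey-code.myapp
Authority=Mac Developer: OS X Server (**********)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=**********'

# Constructed sample of a Developer ID chain (identity is a placeholder).
SAMPLE_DEVELOPER_ID='Identifier=com.example.app
Authority=Developer ID Application: Example Corp (EXAMPLE000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA'

# On a macOS build host, pass the exported bundle path as the first argument.
# codesign writes its -d report to stderr, hence the 2>&1.
if [ -n "${1:-}" ]; then
    codesign -dvv "$1" 2>&1 | classify_signature || exit 1
fi
```

A Gatekeeper assessment with `spctl --assess --type execute -vv /path/to/my.app` is a useful second check after the chain passes.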