Osx workflow guide (1)

Tools Workflow Guidefor Mac

Contents

About the Tools Workflow for Mac 6At a Glance 6

Manage Your Team 6Code Sign Your App 7Enable Sandboxing 7Use Push Notifications 7Enable iCloud Storage 7Configure In-App Purchase 8Submit an App to the Mac App Store 8Prepare for Gatekeeper 8

How to Use This Document 8See Also 9

Managing Your Team 10Technology-Specific Administrative Tasks 10Enrolling in the Mac Developer Program 15Inviting Team Members and Assigning Roles 13Registering an App ID 16Approving Signing Certificates 20Creating Signing Certificates 22Enabling iCloud Storage 25Enabling Push Notifications 25Registering Developer Systems 26Creating Provisioning Profiles 28

Using the Mac Team Provisioning Profile 30Creating Specialized Development Provisioning Profiles 30Creating a Production Provisioning Profile 33

Renewing Expired Provisioning Profiles 35

Configuring Apps 36Setting the App Icon 36Setting the Application Category 37Setting the Bundle ID 37Setting the Bundle Version and Copyright Keys 38

2012-09-19 | © 2012 Apple Inc. All Rights Reserved.

2

Specifying the Deployment Target 38Configuring Entitlements 39

Configuring iCloud Key-Value Storage 41Configuring iCloud Document Storage 41Configuring Sandboxing 42

Specifying Build Settings 44

Code Signing Your App 45How Code Signing Works 45Requesting a Signing Certificate 47Verifying Your Certificate in the Keychain 59Signing an App 54Exporting and Importing Signing Certificates 56Repairing Signing Certificates 59

Removing Certificates 59Revoking Certificates 60Creating New Certificates 61Repairing Another Development System 62

Provisioning Your System 63Adding Your System to the Mac Team Provisioning Profile 63Refreshing Provisioning Profiles 66Requesting a Specialized Development Provisioning Profile 68Installing Development Provisioning Profiles on Your System 69Setting Your Provisioning Profile in Xcode 70

Submitting to the Mac App Store 72Signing Using a Mac Submission Certificate 74Signing Using a Production Provisioning Profile 74Creating an Archive 76Testing the Installer Package 77Validating and Submitting Your App Using Xcode 82Submitting Your App Using Application Loader 83

Distributing Outside the Mac App Store 84Creating Developer ID-Signed Applications or Installer Packages 84

Enrolling in the Mac Developer Program 84Requesting Developer ID Certificates 85Code Signing Your Application 89Exporting a Developer ID-signed Application 90


3

Contents

Signing an Installer Package 92Testing Developer ID-signed Applications 93

Enabling and Disabling Gatekeeper 93Testing Gatekeeper Behavior 95

Document Revision History 98


4

Contents

Figures

Managing Your Team 10Figure 1-1 Provisioning profile components 29

Configuring Apps 36Figure 2-1 Setting iCloud entitlements 41Figure 2-2 Configuring sandbox entitlements 43

Code Signing Your App 45Figure 3-1 Developer certificates 46Figure 3-2 Team member development certificate 50Figure 3-3 Team agent or admin certificates 51

Provisioning Your System 63Figure 4-1 Code Signing Identity menu for a team admin 71

Submitting to the Mac App Store 72Figure 5-1 Code Signing Identity menu for a team agent 76


5

To submit your app to the Mac App Store, you use Xcode features and several web tools available only tomembers of the Mac Developer Program. Before using technologies such as iCloud storage and pushnotifications, you must join the Mac Developer Program. You should join the program even if you distributeyour application outside of the Mac App Store and sign it with a Developer ID certificate so that customersknow your application comes from an identified source.

Development Certificate

Provisioning Profile

Xcode Code Signing

Configure Profile

Develop Distribute

At a GlanceThis document covers the Mac Developer Program tasks and sequence of steps, using Xcode and other tools,you follow to develop your app and distribute it. The workflow includes tasks such as managing yourdevelopment team, enabling entitlements, requesting signing certificates, and creating provisioning profiles.The workflow also includes configuring technologies available only to apps submitted to the Mac App Store.

Manage Your TeamIf you join the Mac Developer Program as an individual, you are the team agent and only team member ofyour account. You can perform any tasks described in this book that a team agent can perform, such as creatingan app ID and creating specialized provisioning profiles. A team agent also code signs and submits an app tothe Mac App Store. However, if you join the program as a company, you are the team agent who has additionalresponsibilities such as adding and granting privileges to other team members. You are also responsible forapproving signing certificates and registering developer systems. Certificates are automatically approved forteam agents.


6

About the Tools Workflow for Mac

Related Chapters: “Managing Your Team” (page 10), “Submitting to the Mac App Store” (page 72)

Code Sign Your AppCode signing allows you to sign your app and thereby certify that the app is released by you. To submit an appto the Mac App Store, you have to sign both the app bundle and the installer package that you upload toiTunes Connect. To code sign your app, you need a Mac Submission certificate and Mac Installer certificate.

Related Chapters: “Code Signing Your App” (page 45)

Enable SandboxingA sandbox is a set of fine-grained controls that limit an app’s access to files, preferences, network resources,hardware, and so on. As part of the sandboxing process, the system also installs each app in its own sandboxdirectory, which acts as the home for the app and its data. To use sandboxing, you enable entitlements in yourXcode project and select the sandboxing entitlements your app is using. You don’t need a provisioning profileto use sandboxing.

Related Chapters: “Configuring Apps” (page 36)

Use Push NotificationsPush notifications allow an app that is not running in the foreground to notify the user that it has informationfor the user. The app that provides the push notifications must have an SSL certificate generated by Apple touse this feature. You need to register an app ID, enable push notification, and create a provisioning profile touse this technology.

Related Chapters: “Provisioning Your System” (page 63)

Enable iCloud StorageiCloud storage allows you to share the user’s data among multiple instances of your app running on differentiOS and OS X devices. Access to iCloud is controlled using entitlements, which your app configures throughXcode. If these entitlements are not present, your app is prevented from accessing files and other data iniCloud. You can test your iCloud app using the generic development provisioning profile that Xcode createsfor you, but you’ll need a production provisioning profile to submit an iCloud app.

About the Tools Workflow for MacAt a Glance


7

Related Chapters: “Configuring Apps” (page 36), “Provisioning Your System” (page 63)

Configure In-App PurchaseIn-App Purchase embeds a store directly into your app by allowing you to connect to the Mac App Store andsecurely process payments from the user. You can use In-App Purchase to collect payment for enhancedfunctionality or additional content usable by your app. You need an app ID to use In-App Purchase but not aprovisioning profile.

Related Chapters: “Managing Your Team” (page 10)

Submit an App to the Mac App StoreWhen your app is ready to be submitted to the Mac App Store, you need to create an iTunes Connect apprecord, code sign the app and the installer package, and pass validation tests. If you use certain technologies,you’ll need a production provisioning profile too.

Related Chapters: “Submitting to the Mac App Store” (page 72)

Prepare for GatekeeperUsing Security & Privacy system preferences in OS X Mountain Lion, users will be able to reduce the risk ofdownloading malware by prohibiting applications that do not come from an identified source from launchingon their Macs. If you distribute your application outside of the Mac App Store, sign your application using aDeveloper ID certificate so that users don’t block your application in future OS releases.

Related Chapters: “Distributing Outside the Mac App Store” (page 84)

How to Use This DocumentIf you are an individual developer, you should read this entire book for all the steps to develop and submityour app to the Mac App Store. You may skip a few tasks that are specific to larger teams. If you are a teamagent for a company, read “Managing Your Team” (page 10) and “Submitting to the Mac App Store” (page72) for specific tasks you are responsible for. If you are a team member who doesn’t have admin responsibilities,

About the Tools Workflow for MacHow to Use This Document


8

read “Code Signing Your App” (page 45) and “Provisioning Your System” (page 63) to learn how to manageyour digital identities and provision your systems for development. If you are not submitting your applicationto the Mac App Store, read “Distributing Outside the Mac App Store” (page 84).

See AlsoTo learn about the user interface guidelines and get your app approved, read:

● OS X Human Interface Guidelines

● App Store Review Guidelines for Mac Apps

For a description of the app development process and concepts, read Developing for the App Store .

If you want to learn more about programming your app and certain technologies, read:

● Mac App Programming Guide

● Code Signing Guide

● App Sandbox Design Guide

● Local and Push Notification Programming Guide

● In-App Purchase Programming Guide

To learn more about Xcode, read Xcode 4 User Guide .

For details on entitlements, read Entitlement Key Reference .

About the Tools Workflow for MacSee Also


9

http://developer.apple.com/appstore/mac/resources/approval/guidelines.html

If you want to submit an app to the Mac App Store, you need to enroll in the Mac Developer Program, set upa development team, and provide credentials to people on your team. You use Mac Developer Programtools—available to members only—to manage your team’s app IDs, developer systems, signing certificates,and provisioning profiles.

Before you can perform any other tasks in this chapter, you must become a registered Apple Developer andenroll in the Mac Developer Program as described in “Enrolling in the Mac Developer Program” (page 15). Theperson who enrolls in the developer program is the primary contact for the development team. If you are anindividual developer, you are the primary contact for your one person team. If you represent a company, youmanage a team of developers who also need signing certificates and may need provisioning profiles. You canadd developers to your team as described in “Inviting Team Members and Assigning Roles” (page 13).

This chapter covers the administrative tasks you need to follow to set up and configure certain technologies.Some of the tasks are mandatory and others are optional depending on the technologies you choose asdescribed in “Technology-Specific Administrative Tasks” (page 10).

Team members should read the other chapters in this book to learn how to configure these technologies andprovision their systems using Xcode.

Important: Developers on your team won’t be able to use certain technologies—such as iCloud and pushnotifications—until you complete some of the tasks in this chapter.

Technology-Specific Administrative TasksIf you use iCloud, In-App Purchase, or push notifications, you need a provisioning profile for Mac developmentand submission to the Mac App Store. Depending on which technologies you choose, you may need an explicitapp ID and specialized provisioning profile too.

A development provisioning profile contains the app ID, a list of development certificates, and a list ofdevelopment systems. Therefore, creating development certificates, as described in “Creating SigningCertificates” (page 22), and registering systems, as described in “Registering Developer Systems” (page 26),are mandatory steps that all team members need to perform. If you are a team agent for a company, read“Approving Signing Certificates” (page 20) to learn how to approve signing certificates requested by teammembers.


10

Managing Your Team

Additional administrative tasks you may need to perform for these technologies are:

● iCloud. Your team may use the wild card app ID and team provisioning profile that Xcode manages foryou. If you use another app ID, read “Enabling iCloud Storage” (page 25) to learn how to enable iCloud.To learn how to configure iCloud in your Xcode project, read “Configuring iCloud Key-Value Storage” (page41) and “Configuring iCloud Document Storage” (page 41).

● In-App Purchase. You need an explicit app ID (used to identify your app throughout the system) thatmatches your bundle ID and a specialized provisioning profile that contains the explicit app ID. Read“Registering an App ID” (page 16) to learn how to register your app ID and read “Creating ProvisioningProfiles” (page 28) to learn how to create your specialized provisioning profile.

● Push Notifications. You need an explicit app ID, the app ID needs to be enabled for push notifications,and you need a specialized provisioning profile that contains the explicit app ID. Read “Registering anApp ID” (page 16) to learn how to register your app ID, read “Enabling Push Notifications” (page 25) tolearn how to enable push notifications, and read “Creating Provisioning Profiles” (page 28) to learn howto create your specialized provisioning profile.

Enrolling in the Mac Developer ProgramYou cannot distribute an app on the Mac App Store without first joining the Mac Developer Program. Whenyou enroll in the Mac Developer Program, you have access to all the resources and tools you need to createan app, manage your account, and publish it on the Mac App Store.

The Mac Developer Program web tools you use to manage your account are:

● Member Center. The primary tool used to manage developer program accounts, invite team members,purchase technical support, and sign up for compatibility labs. The Member Center is also a gateway toother resources and tools you need to create an app for the Mac App Store.

● Developer Certificate Utility. A developer tool used to register your app ID, register developer systems,create signing certificates, and create provisioning profiles.

● iTunes Connect. The marketing and business tool used to check the status of your contracts, set up taxand banking information, obtain sales and finance reports, manage developers, and manage metadataabout your app.

To enroll in the Mac Developer Program, go to Apple Developer Program Enrollment, where a web assistantguides you through the entire process of enrolling. If you have not registered as an Apple Developer yet, youcan do so as part of enrolling in the Mac Developer Program. When you are prompted to select a program,select the Mac Developer Program. You can enroll as an individual or a company. If you enroll as an individual,you are the team agent for and only member of your team, who can perform all the team agent tasks describedin this book. If you enroll as a company, you are the team agent for your entire team.

Managing Your TeamEnrolling in the Mac Developer Program


11

https://developer.apple.com/programs/start/standard/

Note that during the enrollment process, you receive a series of emails from Apple containing further instructionsand links to various web tools. Read and follow the instructions carefully in the emails to complete the enrollmentprocess:

● After you submit your enrollment request on the website, you receive a confirmation email with aninvitation to visit the Member Center.

While waiting for your request to be processed further, you can visit the Member Center to explore theresources, including documentation, you use to develop your app.

● After your enrollment request is processed by Apple, you receive an email requesting that you sign thelicense agreement.

Follow the instructions in the email to sign the license agreement.

● After signing the license agreement and completing the enrollment process online, you receive an emailcontaining your activation code.

Click the activation code in the email to complete the purchase of your Mac Developer Program.

● After the enrollment is successful, you receive an email welcoming you to the Mac Developer Program.

Click the “Log in now” button in the email to go to the Member Center. The Member Center contains linksto all the web tools you’ll need to manage your team.

● Finally, you receive an email inviting you to use iTunes Connect to set up your app for purchase on theMac App Store.

After you successfully enroll in the Mac Developer Program, you can follow the rest of the steps in this chapter.All of these steps assume that you know how to launch the member tools. When you go to http://developer.ap-ple.com, click Member Center in the toolbar and log in. To open Developer Certificate Utility, click the Certificatebutton under Developer Program Resources.

If you manage a team of developers, read “Inviting Team Members and Assigning Roles” (page 13) first to addthe rest of the team to the Mac Developer Program. People on your team can’t use Xcode to requestdevelopment certificates or provisioning profiles without being registered as a team member first.

To learn how to use iTunes Connect to manage your product information that is not covered in this book, readiTunes Connect Developer Guide .

Managing Your TeamEnrolling in the Mac Developer Program


12

https://itunesconnect.apple.com

http://developer.apple.com

http://developer.apple.com

Note: It’s possible for you to belong to multiple teams and a team may be enrolled in multipledeveloper programs. When you log in using your Apple ID, you select the team from a pop-up menu.Be sure to select a team that is enrolled in the Mac Developer Program to follow the steps describedin this document.

Inviting Team Members and Assigning RolesIf you enroll as a company, you are the de facto team agent who has permission to add other developers,called team members, to your account. In general, team members have read access to view and downloadinformation managed by the web tools, but not write access. However, you can assign an admin role to a teammember, which allows that person to have some of the privileges of a team agent—for example, a team admincan create signing certificates and provisioning profiles but can’t accept agreements. Assigning roles helpsteam agents delegate some of their responsibilities.

If you are a team admin, add people to your development team through the Member Center. When you adda person to your team, you can grant them access to the developer programs that your team is enrolled in.

To add team admins and members1. After logging in to the Member Center, click People in the bar at the top.

2. Click Invitations in the sidebar.

3. Click Invite Person and provide the first name, last name, and email address.

4. Specify the person’s access and role for each program.

Managing Your TeamInviting Team Members and Assigning Roles


13

5. Click Send Invitation.

2

1

3

3

4

5

A development team can have as many people as necessary. Once you have added someone to your team,the Member Center generates and sends an email to the invitee. Team admins are notified by email whenyour invitation is accepted.



14

Alternative: If you want to send invitations to multiple people at once, you can click Bulk Inviteinstead of Invite Person and upload a .txt file. Add up to 100 people per file by listing their firstname, last name, and email address in a tab-delimited format. The first row of the file must containthe field labels, not contact information.

Important: When you send an invitation, the person you specify receives an email invitation to jointhe team. The person should click the invitation code in the email to accept the invitation. If theperson doesn’t have an Apple ID, they are asked to create an Apple ID first. Apple needs to verifythe person’s email address before creating an Apple ID so the person might receive another emailwith a request to verify the email address. The person needs to follow the instructions in this emailand complete the Apple ID creation process before accepting the invitation.

At the Member Center you can read more about the specific privileges of each type of member. After the teammember accepts the invitation, the team agent receives a confirmation email and the team member has accessto the Member Center and other web tools.

As your team grows, you may need to edit a team member’s privileges. By changing a person’s role in theMember Center, the team agent or a team admin can grant that person more or fewer privileges.

To edit a team member's privileges1. After logging in to the Member Center, click People in the bar at the top.

2. Click All People in the sidebar.

3. Click Details in the last column in the row of the person whose privileges you want to change.



15

https://developer.apple.com/membercenter

4. Specify the person’s access and role for each program and click Save.

1

2 3

4

A person’s membership level determines the level of access he or she has to Apple Developer Programwebpages and the team information stored there.

Important: Team members should belong to only one Mac Developer Program; otherwise, Xcode displaysinformation for multiple teams, which can be confusing.

Registering an App IDOS X and developer program tools use the app ID to uniquely identify your app throughout the system. Forexample, OS X uses the app ID to recognize any future updates to your app. The app ID is also used to identifyone or more apps for provisioning. If you are just starting development, you can use a generic app ID thatXcode provides for you. However, if you use certain technologies, you may need an explicit app ID.

Managing Your TeamRegistering an App ID


16

You use the Developer Certificate Utility tool to register your app ID. When you register the app ID, you entera human–readable text description of the app and a unique identifier string of your choice. In this case, theapp ID is usually the same as your bundle ID (called a bundle identifier in Xcode) which you set in the information

property list of your app or on the target’s Summary pane of the project navigator using Xcode. However, youcan also register a wildcard app ID that matches multiple apps your team is developing. Xcode automaticallycreates a wild card app ID for you as described in “Using the Mac Team Provisioning Profile” (page 30). Ineither case, the team ID followed by a dot (.) separator is automatically prefixed to your app ID to make it trulyunique.

Typically, the bundle ID in your Xcode project is string formatted as a reverse domain name, such ascom.MyCompany.MyProductName, where you replace MyCompany and MyProductNamewith your companyand product name. However, unlike domain names, app IDs and bundle IDs are case sensitive. If you are ateam agent or admin, make sure that team members set the bundle IDs in the Xcode project to match the appID, as described in “Setting the Bundle ID” (page 37). Otherwise, any specialized provisioning profiles youcreate based on an app ID won’t match the bundle ID.

Important: You cannot change an app ID after you register it. Developer Certificate Utility reserves it foryour use until you delete it.

To register an app ID

1. Go to Developer Certificate Utility and log in.

2. Click App IDs in the left column.

3. Click Create App ID in the upper-right corner.

4. Enter a name or description.

5. Enter the app ID in the Bundle Identifier text field.



17

http://developer.apple.com/certificates

Examples of wildcard app IDs are com.johndoeinc.* (to match every app in your domain) and * (tomatch every app developed by your team).



18

6. Click Continue.

To view the team ID


2. Select App IDs in the left column.

3. Click Configure in the last column in the row of the app ID you want to examine.

The team ID is the unique number at the beginning of the app ID under the Configure App ID title.



19


Approving Signing CertificatesIf you are a team agent for a company, it is your responsibility to approve team member requests for an MacDevelopment certificate. Team members need a type of signing certificate, called a development certificate,to sign apps, use the generic Mac Team Provisioning Profile, or be added to other provisioning profiles. Tolearn how to request development certificates using Xcode, read “Requesting a Signing Certificate” (page 47).Team agents and admins can also use Xcode to request their signing certificates, which are automaticallyapproved. When a request for a development certificate arrives from a team member, team agents and adminsreceive an email notification and use Developer Certificate Utility to approve the request.

To approve a certificate request


2. Click Approve in the last column in the row of the certificate you want to approve.

Managing Your TeamApproving Signing Certificates


20


The certificate appears in the Pending state.

Managing Your TeamApproving Signing Certificates


21

Creating Signing CertificatesTo submit an app to the Mac App Store, you have to sign the app bundle and the installer package that youupload to the Mac App Store. You can create both a Mac Submission certificate and Mac Installer certificateusing Xcode or Developer Certificate Utility. These distribution certificates are owned by the team, not by anindividual team member. For this reason, only one certificate of each type is allowed. All team members canuse Developer Certificate Utility to create their own development certificates as well. You can also use DeveloperCertificate Utility to create Developer ID certificates but the preferred method is to create them using Xcodeas described in “Requesting Developer ID Certificates” (page 85).

When a team agent or admin clicks the Refresh button in Xcode, as described in “Requesting a SigningCertificate” (page 47), Xcode offers to create distribution certificates when it creates a development certificate.If you are a team agent, Xcode offers to create Developer ID certificates too. It is your choice whether youcreate these distribution certificates using Xcode or follow the steps in this section to create the certificatesusing Developer Certificate Utility.

Note that team agents cannot create development certificates on behalf of other team members. Team membersmust request their own development certificates because the private key is stored locally and cannot be createdby someone else.

To create signing certificates using Developer Certificate Utility


2. Click Certificates in the left column.

3. Click Create Certificate in the upper-right corner of the page.

4. Select the type of certificate you want to create.

Managing Your TeamCreating Signing Certificates


22


You can have only one of each type of certificate. Therefore if you already have that certificate type,you will notice that some of the options are disabled. Only team agents can create Developer IDcertificates (see “Distributing Outside the Mac App Store” (page 84)).

5. Click Create.

6. Follow the instructions to create a Certificate Signing Request (CSR) using Keychain Access.

7. Follow the instructions in Developer Certificate Utility to select the CSR you just created.

8. Click Generate.

Generating the certificate may take a few minutes.

9. If successful, click Continue.

A panel appears showing the new certificate and its expiration date.

If you are a team member, a panel appears stating that your development certificate is pending approvalby your team agent or admin. Click Done, and wait for the team agent or admin to approve your requestbefore continuing.



23

If you are a team agent or admin and selected multiple certificates in step 4, repeat steps 6-8 until allthe certificates you selected are generated.

10. Click the Download button next to the expiration date to download the certificate now, or click Doneand download the certificate later.

11. Double-click the downloaded certificate file (extension .cer) to install it in your login keychain.

Keychain Access launches and puts the certificate in your login keychain.

The certificate should appear in the My Certificates category in Keychain Access. The name of the certificatebegins with the text “Mac Developer” for a Mac Development certificate, “3rd Party Mac DeveloperApplication” for a Mac Submission certificate, and “3rd Party Mac Developer Installer” for a Mac Installercertificate. If you click the disclosure triangle next to the name, you should see your private key. Verify thatthe certificate is valid and the expiration date is correct.

To create a Certificate Signing Request using Keychain Access

1. Launch Keychain Access.

2. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.

3. In the User Email Address field, enter your email address.

4. In the Common Name field, enter your name.

5. Leave the CA Email Address field blank.



24

6. In the “Request is” group, select the “Saved to disk” option.

7. Click Continue.

Read “Code Signing Your App” (page 45) for more on how to use signing certificates to sign your app. If youneed to revoke a signing certificate, read “Repairing Signing Certificates” (page 59).

Enabling iCloud StorageTo use iCloud storage, you must first enable it for your app using Developer Certificate Utility. You also needto have development and distribution certificates, and provisioning profiles containing these certificates touse this feature.

To enable iCloud storage


2. Click app IDs in the left column.

3. Click Configure in the right column of the row containing your app ID.

4. Select the option “Enable for iCloud” to enable iCloud storage for this specific app ID.

5. Click Done at the bottom of the page.

After you enable iCloud storage, create a new provisioning profile containing the app ID, as described in“Creating Provisioning Profiles” (page 28). This new provisioning profile is iCloud compatible and should beused to build your app.

For more details on configuring iCloud storage, read “Configuring Entitlements” (page 39).

Enabling Push NotificationsIf you use push notifications, you must enable push notifications for your app using Developer CertificateUtility. To use this feature, you also need to have development and distribution certificates, and provisioningprofiles containing these certificates.

To enable push notifications for your app ID, you need to create a client SSL certificate that allows yournotification server to connect to the Apple Push Notification Service. Each app ID requires its own client SSLcertificate to connect to the Apple Push Notification Service.

Managing Your TeamEnabling iCloud Storage


25


To enable push notifications


2. Click app IDs in the left column.

3. Click Configure in the right column of the row containing your app ID.

4. Select the option “Enable for Apple Push Notification service” to enable push notifications.

5. Click Generate next to the development or production SSL certificate you want to create.

After you generate the SSL certificate, create a new provisioning profile containing the app ID as described in“Creating Provisioning Profiles” (page 28). This new provisioning profile is Apple Push Notification Servicecompatible and should be used to build your app.

For more information on push notifications, read Local and Push Notification Programming Guide .

Registering Developer SystemsBefore creating development provisioning profiles, team members need to register their developer systemswith Apple. Each Mac Developer Program membership year, you are allowed to register a fixed number ofdeveloper systems that use push notifications and iCloud provisioning. The maximum number of systems youcan register is 100.

Team agents and admins can register a developer system using Xcode, as described in “Adding Your Systemto the Mac Team Provisioning Profile” (page 63). Team members need to send a request to their team agentor admin to register their system. In Xcode, a team member can select the computer in the Devices organizerto display the device identifier. The team member should send the device identifier to the team agent or adminto register it.

To locate your device identifier using System Information

1. Open the System Information app located in the /Applications/Utilities folder.

2. Select Hardware in the left column.

The device identifier, or hardware UUID, appears near the bottom of the Hardware Overview pane and isof the form 915A75DC-7BD9-50D7-987F-A19358828029.

To locate your device identifier using Xcode

1. Choose Window > Organizer.

Managing Your TeamRegistering Developer Systems


26


2. Select your Mac in the Devices section.

3. Select and copy the text in the Identifier field.

To register a developer system


2. Select Systems in the left column.

Managing Your TeamRegistering Developer Systems


27


3. Click Register System in the upper-right corner.

4. Enter a name or description.

5. Enter the device identifier, or hardware UUID.

6. Click Continue.

7. Verify the system information and click Submit.

Creating Provisioning ProfilesYou need two types of Mac provisioning profiles if you use certain technologies such as iCloud and pushnotifications. There are two types of provisioning profiles you create:

● Development Provisioning Profiles. For creating subteams to develop, debug, or test an app. Xcodecreates a simple development provisioning profile for you that you can use all your team’s apps.

Managing Your TeamCreating Provisioning Profiles


28

● Production Provisioning Profiles. For submitting an app to the Mac App Store. If you don’t use any ofthese specialized technologies, it is sufficient to just sign your app and submit it to the Mac App Store.

In order for a team to build and test an app that uses these technologies, you need to create a DevelopmentProvisioning Profile for that team that is then installed on the team member’s individual systems. TheDevelopment Provisioning Profile allows a team member to build an app on his or her system and share itwith other team members, who can then run that app on their systems. For small teams, you might have oneDevelopment Provisioning Profile that all team members belong to. Xcode creates this type of DevelopmentProvisioning Profile for you, which is called the Mac Team Provisioning Profile. For larger organizations, youcan create a Development Provisioning Profile for a specific purpose like testing or seeding your app.

A Development Provisioning Profile is a mapping between a single app ID, a number of signing certificates,and a number of developer systems, as shown in Figure 1-1. Before creating a provisioning profile, you registeryour app ID with Apple as described in “Registering an App ID” (page 16), create a development certificatefor each team member as described in “Creating Signing Certificates” (page 22), and register each of the teammember’s systems as described in “Registering Developer Systems” (page 26). If you use iCloud storage orpush notifications, you need to enable them as described in“Enabling iCloud Storage” (page 25) and “EnablingPush Notifications” (page 25) before creating a provisioning profile.

Figure 1-1 Provisioning profile components

Certificates

David Brown

public key

John Doe

public key

Jane Smith

public key

Provisioning Profile

Company X Team

Mac Dev Program

App ID

certificates

systems

App ID

CurrentApp

Systems

John’s work computer

John’s home computer

David’s work computer

Jane’s work computer

Jane’s laptop



29

You use a combination of web and native tools to create, download, and install Development ProvisioningProfiles. Provisioning profiles are installed on the system you use to run your app and added to the Xcodeproject you use to build the app. It’s your choice which tools you use to perform some of these tasks.

A Production Provisioning Profile is used for submitting your app to the Mac App Store as described in“Submitting to the Mac App Store” (page 72). You cannot install a Production Provisioning Profile on yoursystem—that is, install it in the Profiles pane in System Preferences.

Using the Mac Team Provisioning ProfileWhen a team agent or admin first refreshes provisioning profiles using Xcode, Xcode creates a wildcard appID (called Xcode: Mac Wildcard App ID). Xcode creates a Mac Team Provisioning Profile the first time a systemis added to the portal. The wildcard app ID is set to an asterisk (*) which matches any bundle ID used by yourteam. The Mac Team Provisioning Profile can be used as an all-inclusive, generic provisioning profile for appdevelopment. The Mac Team Provisioning Profile contains the wildcard app ID, all the team registered systems,and approved development certificates. You can also use the wildcard app ID to create other provisioningprofiles.

Xcode manages the Mac Team Provisioning Profile for you throughout the development process. Whenevera new system or development certificate is added to the team, they are added to the Mac Team ProvisioningProfile. The Mac Team Provisioning Profile is updated when you refresh the provisioning profiles in Xcode. Soif you add a system or development certificate using Developer Certificate Utility, you need to refresh theprovisioning profiles in Xcode to update the Mac Team Provisioning Profile automatically. If you accidentallydelete the Mac Team Provisioning Profile, Xcode recreates it the next time you add a system to the portal.

Because the Mac Team Provisioning Profile uses a wildcard app ID, you can use this same provisioning profilefor all your apps. The Mac Team Provisioning Profile is sufficient for iCloud development but needs to beenabled for iCloud storage, as described in “Enabling iCloud Storage” (page 25). If you want to test pushnotifications, you need to create a development provisioning profile that uses an explicit app ID (not a wildcardapp ID). The app ID needs to be enabled for push notification as described in “Enabling Push Notifications” (page25).

Read “Adding Your System to the Mac Team Provisioning Profile” (page 63) to learn how to add your systemto the portal and create the Mac Team Provisioning Profile.

Creating Specialized Development Provisioning ProfilesProvisioning profiles can be created only by team agents or admins using Developer Certificate Utility. Aftera provisioning profile is created, team members can either use Developer Certificate Utility or Xcode to downloadand install provisioning profiles on their system.



30

To create a development provisioning profile


2. Select Provisioning Profiles in the left column.

3. Click Create Profile in the upper-right corner of the page.

4. Select Development Provisioning Profile.



31


The window changes to show the Development Provisioning Profile options.



32

5. Enter a name or description of the provisioning profile.

6. Select the appropriate app ID.

7. Select the team members the provisioning profile applies to.

8. Select the systems the provisioning profile applies to.

9. Click Generate.

10. Click “Back to list” or Download.

If you want to install the development provisioning profile on your own system now, click the Downloadbutton; otherwise, click “Back to list.”

If you click Download, the file is placed in your Downloads folder and depending on your preferences,Finder might automatically install the profile in System Preferences. You need to have a systemadministrator user name and password to install a profile.

Other team members can use Xcode to download and install development provisioning profiles asdescribed in “Provisioning Your System” (page 63).

Creating a Production Provisioning ProfileIf you use iCloud storage or push notifications, you need to create a Production Provisioning Profile in orderto submit your app to the Mac App Store.

To create a Production Provisioning Profile


2. Select Provisioning Profiles in the left column.

3. Click Create Profile in the upper-right corner of the page.

4. Select Production Provisioning Profile.



33


The window changes to show the Production Provisioning Profile options.

5. Enter a name or description of the provisioning profile.

6. Select the appropriate app ID.

7. Select the certificate that begins with the text Mac App that you want to use in the profile (in Xcode,the type of certificate is called Mac Submission).

8. Click Generate.

Follow the instructions on the next page if you want to install the provisioning profile now.

9. Click “Back to list”.

Later, you can install the Production Provisioning Profile, as described in “Submitting to the Mac AppStore” (page 72).



34

If you click Download, the file is placed in your Downloads folder and depending on your preferences,Finder might attempt to install the profile in System Preferences. You cannot install a ProductionProvisioning Profile on our system, so if a dialog appears asking if you want to install it, Click Cancel.

Renewing Expired Provisioning ProfilesIf the expiration date of a provisioning profile passes, the provisioning profile appears expired in both Xcodeand Developer Certificate Utility. Using Xcode, a team agent or admin can renew an expiring or expiredprovisioning profile.

To renew an expiring or expired provisioning profile

1. In the Devices organizer, select Provisioning Profiles in the Library section.

2. In the provisioning profiles list, select the provisioning profile you want to renew.

3. Click Renew.

4. Enter your Apple ID user name and password, and click “Log in”.

If you installed the provisioning profile on your system, replace the expired provisioning profile with therenewed provisioning profile.

To replace a provisioning profile

1. In the Library section in the devices organizer, select Provisioning Profiles.

2. From the provisioning profiles list, drag the new provisioning profile to your device.

3. Delete the old provisioning profile from your device by selecting it and clicking Delete.

Managing Your TeamRenewing Expired Provisioning Profiles


35

Before you validate and submit an app on the Mac App Store, you need to configure it. You set the deploymenttarget, possibly enable entitlements to use iCloud storage or sandboxing, and change other settings requiredby the Mac App Store. Some of this configuration is done automatically when you create your Xcode projector sign your app, but you can always change these settings manually, too.

Most of the options, discussed in this chapter, including enabling entitlements, are located on the target’sSummary or Build Settings pane of the project editor.

All apps and their installer packages need to be signed to submit them to the Mac App Store. Refer to “CodeSigning Your App” (page 45) to learn how to do this. If you use a helper app, read Daemons and ServicesProgramming Guide to learn how to configure it.

Setting the App IconUnless your app has an app icon to represent it on the Mac App Store, it won't pass the iTunes validation test.The icon file needs to be in ICNS format and contain a 512 x 512 image. You can use the Icon Composer utilityto create your icon and then add it to your project. Choose Xcode > Other Developer Tool > Icon Composerto launch this app.

To add an app icon

1. If the project navigator is not displayed, choose View > Navigators > Show Project Navigator.

2. In the project navigator, select your project.

3. Select your target in the Targets section of the second sidebar to display the project editor.

4. Click the Summary tab.

5. Drag the icon file to the App Icon image well.

To learn how to validate your app before submission to the Mac App Store, read “Validating and SubmittingYour App Using Xcode” (page 82).


36

Configuring Apps

Setting the Application CategorySet the category under which your app will be listed on the Mac App Store. Note that the category you selectshould match the category defined in your iTunes Connect app record.

To set the application category

1. In the project navigator, select the project.

2. Select your target in the Targets section of the second sidebar.


4. Choose the category from the Application Category pop-up menu.

Read iTunes Connect Developer Guide for more details on app categories.

Setting the Bundle IDThe bundle ID (called a bundle identifier in Xcode) is used by Xcode, OS X, and the Mac App Store to uniquelyidentify an app. A Mac app and iOS app cannot share the same bundle ID either. The bundle ID is also used tomatch a team’s app ID and any associated provisioning profiles.

You can’t use a specialized provisioning profile if the bundle ID in your app’s Xcode project doesn’t match theapp ID used by the provisioning profile. App IDs can use an asterisk to match multiple bundle IDs (or in thecase of the wildcard app ID, match all team bundle IDs). However, the bundle ID needs to be absolute.

Typically, the bundle ID in your Xcode project is a string formatted as a reverse-domain name such ascom.MyCompany.MyProductName, where you replace MyCompany and MyProductName with your domainand product name. The Xcode project template uses the Product Name build setting, which defaults to yourapp name, as the product name in this string. For example, the bundle ID for the TrackMix app defaults tocom.MyCompany.TrackMix. So it is sufficient to just replace com.MyCompanyName in your informationproperty list with your domain name to set the bundle ID in your Xcode project. However, unlike domainnames, app IDs and bundle IDs are case sensitive. If the app ID is in lowercase, your bundle ID needs to belowercase, too.

To change your bundle ID

1. In Xcode, choose View > Navigators > Show Project Navigator to open the project navigator.


3. Select your target in the Targets section of the second sidebar to display the project editor.

4. Click the Info tab.

Configuring AppsSetting the Application Category


37


5. Enter the bundle ID in the Value column of the “Bundle identifier” row.

Ensure that every bundle ID is unique within your app bundle. For example, if your app bundle includes ahelper app, ensure that you do not include two copies of a framework that is used by both your app and thehelper app.

Read “Managing Your Team” (page 10) to learn how to register an app ID and create provisioning profiles andread “Provisioning Your System” (page 63) to learn how to use provisioning profiles for development.

Setting the Bundle Version and Copyright KeysMake sure that your information property list file contains valid values for the “Bundle version” and “Copyright”keys. You can also set the version at the top of the target’s Summary pane in Xcode. For details on possiblevalues, see “CFBundleShortVersionString” in Information Property List Key Reference and “NSHumanReadableCopyright”

in Information Property List Key Reference .

Specifying the Deployment TargetEach version of OS X includes features and capabilities not present in earlier versions. As new versions arepublished, some users may upgrade immediately while other users may wait before moving to the latestversion. There are several strategies to choosing the deployment target when developing your app. You cantarget the latest version taking full advantage of all the new features, but limiting the app to only users runningthe latest version. Or you can target an earlier version making your app available to more users, but limitingthe features you can use in the app. A better approach is to target an earlier version but use weak linking tocheck at run time if later version features are available before using them.

To set the target version


2. Select your target in the Targets section of the second sidebar to display the target editor.


4. Choose the version you want to target from the Deployment Target pop-up menu.

Xcode sets the Minimum System Version key in the app’s information property list to the deployment target youchoose. When you publish your app to the Mac App Store, the store uses this property value to indicate whichversions your app supports.

Configuring AppsSetting the Bundle Version and Copyright Keys


38

Note: The SDK version, not the deployment target, determines which features you can use in anapp. If the SDK you’re using to build the app is more recent than the app’s deployment target, Xcodedisplays build warnings when it detects that your app is using a feature that’s unavailable in thedeployment target.

You must also ensure that the symbols you use are available in the app’s runtime environment. Tocheck for their availability, use the techniques described in SDK Compatibility Guide .

For details on weak linking, read “Frameworks and Weak Linking”.

Configuring EntitlementsTo protect against your app being compromised by a hacker who might damage the user’s system, you givepermissions, known as entitlements , to your app to perform specific functions. An entitlement is a key-valuepair whose value you can set to specify a capability or security permission.

You configure entitlements for each target in the Xcode project. For example, if you have a main app andmultiple helper apps in one Xcode project, you need to configure entitlements for each target in the project.When you enable entitlements, Xcode adds a file with entitlement key-value pairs to your target. The nameof the file is your project name with the extension .entitlements. You can configure entitlements—forexample, for iCloud storage or sandboxing—using either the property list editor to edit this file or the projecteditor.

For entitlements to take effect, you need to code sign your app, as described in “Code Signing Your App” (page45). Therefore, when you enable entitlements, the Code Signing Identity build setting is automatically set tothe default Mac Developer certificate.

If you use iCloud storage, your team agent or admin may need to enable iCloud storage for your app ID beforeyou can use it, as described in “Enabling iCloud Storage” (page 25).

Turn on application entitlements to configure your application’s access and use of special resources andcapabilities.

To enable entitlements1. In the project editor, select the target that builds the application whose entitlements you want to

configure.

2. Click Summary at the top of the project editor.

Configuring AppsConfiguring Entitlements


39

3. In the Entitlements section, select the Enable Entitlements option.

After turning on entitlements, you can enter values for the entitlements listed under the Enable Entitlementsoption.

Refer to Entitlement Key Reference for a complete list of application entitlements.



40

Configuring iCloud Key-Value StorageiCloud key-value storage allows an app to share small amounts of data with other instances of itself runningon the user’s other devices. To configure iCloud key-value storage, set the iCloud Key-Value Store field to thebundle ID for example, com.johndoeinc.trackmix as shown in Figure 2-1. When you enable entitlements,Xcode automatically configures both iCloud key-value and document storage.

Figure 2-1 Setting iCloud entitlements

To learn how to use iCloud key-value storage for preferences, read “iCloud Storage” and “Storing Preferences in

iCloud”.

Configuring iCloud Document StorageiCloud document storage is used to store user documents and app data in the user’s iCloud account. Each apphas a container in the user’s iCloud account identified by its app ID. An app can access containers belongingto other apps created by your team as well.



41

To configure iCloud document storage, set the iCloud Containers field to one or more of your team’s app IDs.When you enable entitlements, Xcode adds the app’s bundle ID as the first container. Add additional app IDsto the container list or add a wildcard app ID to match a set of app IDs. Note that the first container identifiercannot be a wildcard app ID.

To add iCloud containers

1. Click the Add (+) button at the bottom of the iCloud Containers field.

The bundle ID is added to the list and appears highlighted.

2. Enter the app ID for the container you want to add.

To learn more about iCloud storage, read “iCloud Storage” in Mac App Programming Guide .

Configuring SandboxingSandboxing provides the last line of defense against stolen, corrupted, or deleted user data if malicious codeexploits your app. It also minimizes damage from coding errors in your app or in frameworks you link against.Simply enabling sandboxing provides the maximum level of restrictions on how an app can interact with therest of the system. You configure sandboxing by enabling this feature and then optionally granting permissionfor specific types of functions.



42

To enable sandboxing, select the Enable App Sandboxing option as shown in Figure 2-2. Xcode automaticallyselects the Enable App Sandboxing option when you enable entitlements.

Figure 2-2 Configuring sandbox entitlements

Use the remaining App Sandbox entitlements to describe the minimum set of capabilities the target needs todo its job. Refer to Entitlement Key Reference for a complete description of these entitlements. If you areenabling sandboxing for an existing app, read “Migrating an App to a Sandbox” in App Sandbox Design Guide tolearn the new locations a sandboxed app can access.



43

Specifying Build SettingsSet the Debug Information Format build setting to “DWARF with dSYM,” and ensure that the Architecturesbuild setting does not include PPC. To find the build setting quickly, type debug information in the searchfield in the Build Settings pane of the project editor. Click All if some build settings fail to appear.

Customize aspects of your product’s build process by editing its build settings.

To edit a build setting1. In the project editor, select the project or target whose build setting you want to edit.

2. Click Build Settings at the top of the project editor.

3. Locate the build setting in the left column.

4. Set the value for the build setting in the right column.

See the HTML version of this

document to view the video.



You set build settings at either the project level or the target level. To see all the levels of build settings,select Levels rather than Combined.

The lowest level at which a build setting is defined takes precedence. If you define a build setting at theproject level, the definition is set for the corresponding project, and it’s applied to all the targets that belongto that project. If you define a build setting at the target level, the definition applies only to the correspondingtarget.

Definitions applied at the target level override definitions set at the project level. The level at which thebuild setting is defined is highlighted in green. For example, at the beginning of the video, the Architecturebuild setting is highlighted in green at the default level. At the end of the video, after the setting has beenredefined at the target level, the Architecture build setting is highlighted in green at the target level.

If you have changed or customized a setting, it’s shown in boldface.

The video shows changing the compiler build setting for a target.

Configuring AppsSpecifying Build Settings


44

The bundle, installer package, and any other helper apps installed with your app need to be signed beforesubmitting them to the Mac App Store. You sign the entire Xcode project, containing the app and any helperapps, using a Mac Submission certificate, and the installer package using a Mac Installer certificate. If you usecertain technologies, such as push notifications and iCloud storage, you also need a development certificateand provisioning profile.

Only team agents and admins can create signing certificates and approve team member requests fordevelopment certificates using the Developer Certificate Utility. If you are an individual developer, certificatesare automatically approved. All team members can request signing certificates using Xcode as described in“Requesting a Signing Certificate” (page 47). However, only a team agent or admin can request distributioncertificates used to submit the app to the Mac App Store. Regular team members can request only developmentcertificates. All team members follow the instructions in this chapter to install these certificates in their loginkeychains and add them to their Xcode projects.

If you are a team agent or admin, read “Submitting to the Mac App Store” (page 72) when you are ready tosubmit an app to the Mac App Store.

In most cases, Xcode can handle your code signing needs for you. If you want to learn more about code signingor need to use the codesign command-line tool, read Code Signing Guide .

How Code Signing WorksCode signing works the same way regardless of the type of certificate. Code signing allows you and your teamto sign your app and thereby certify that the app is released by you. Because the app is signed with a privatekey that only you possess, OS X can distinguish between legitimate and modified copies of your app.


45

Code Signing Your App

A development certificate identifies you as a legitimate member of your team. The code signing process usesthe public and private key associated with your development certificate as your digital identity. The developmentcertificate in Developer Certificate Utility contains the public key, and the development certificate in your loginkeychain contains the private key. The development certificate in your login keychain begins with the text“Mac Developer:” followed by your name, as shown in Figure 3-1.

Figure 3-1 Developer certificates

Developer Certificate UtilityJane Smith’s Developer System

Keychains

SystemApple Worldwide...

login

Mac Developer: Jane Smith

private key

Team Account

CertificatesDavid Brown

public keyJohn Doe

public keyJane Smith

public key

Jane Smith

The development certificate is also signed by the certification authority who issued the certificate. A teamagent or admin approves your request using Developer Certificate Utility, but the certificate is issued andauthorized by Apple. Therefore, you must have the intermediate signing certificate provided by Apple installedin your system keychain to use your development certificate; otherwise, it is invalid. The name of the intermediatesigning certificate is Apple Worldwide Developer Relations Certification Authority.

You can use Developer Certificate Utility to view all the signing certificates issued by Apple and use KeychainAccess to view signing certificates installed on your system.

Code Signing Your AppHow Code Signing Works


46

Requesting a Signing CertificateIf you need a development or distribution certificate, you can request one using Xcode. Development certificatesare owned by individual team members, and distribution certificates are shared by the team. If you are a teammember and request a development certificate, the team agent is notified by email and approves your requestusing Developer Certificate Utility. You receive an email notification when your request is approved. If you area team agent or admin, your request is automatically approved.

To request a signing certificate

1. In Xcode, choose Window > Organizer to open the Organizer window.

2. Click Devices to display the Devices organizer.

3. Select Provisioning Profiles in the Library section and click Refresh.

4. Enter your Apple ID user name and password and click “Log in”.

If you don’t have a development certificate, Xcode offers to request a Mac Development certificate onyour behalf.

Code Signing Your AppRequesting a Signing Certificate


47

Warning: If instead Xcode offers to create iOS certificates, you are not enrolled in the Mac

Developer Program. Go to the Member Center and click Programs & Add-ons to add the Mac

Developer Program to your account.

5. Click Submit Request.

If you are a team agent or admin, a certificate named “Mac Developer:” followed by your name appearsin your login keychain.

6. If a dialog appears stating that a certificate request is pending, click OK.

7. If you are a team agent or admin and there are no distribution certificates for your team, Xcode offersto create distribution certificates. If you are a team agent, Xcode offers to create Developer ID certificatestoo. (Read “Distributing Outside the Mac App Store” (page 84) to learn how to use Developer IDcertificates.) Click Submit Request for each dialog that appears.

Xcode requests a development certificate for every team member but distribution certificates only forteam agents or admins and only if that type of certificate doesn’t exist. Development certificates arefor individuals, and distribution certificates are shared by the team agents and admins.

8. If you are a team member, wait for your team agent to approve your certificate request beforecontinuing.

9. If a dialog appears at the end of the refresh process, asking if you want to export your developer profile,click Export.

The private keys for your certificates are stored in your keychain and the public keys are stored byDeveloper Certificate Utility. For this reason, you can’t refresh your provisioning profiles and certificatesin Xcode to replace a missing private key in your keychain. Instead, you should backup your certificatesafter you create them and import them when you are missing a private key or move to another Mac.

To learn how to import your certificates later, read “Exporting and Importing Signing Certificates” (page56).

10. If you are a team member, once your request is approved, open the Devices organizer, select ProvisioningProfiles in the Library section, and click Refresh again.

11. Select your team in the Teams section in the Library section.

Code Signing Your AppRequesting a Signing Certificate


48

http://developer.apple.com/membercenter

Your new certificates are displayed. If you are a team agent or admin, your certificate requests areautomatically approved and appear in Xcode and your login keychain. Xcode adds a Teams section tothe Devices organizer that displays your team certificates.

Important: If you have other certificates in your login keychain from previous projects, you need to removethem before continuing. Team agents or admins should have only one certificate installed that begins withthe text “3rd Party Mac Developer Application” and another that begins with the text “3rd Party MacDeveloper Installer.”

Verifying Your Certificate in the KeychainWhen you request a development or distribution certificate using Xcode, the certificate is automatically installedin your login keychain.

Code Signing Your AppVerifying Your Certificate in the Keychain


49

The development certificate should appear in the My Certificates category in Keychain Access. The name ofthe certificate begins with the text “Mac Developer:” followed by your name for a development certificate asshown in Figure 3-2. It should have a disclosure triangle next to the name, which when clicked, shows yourprivate key.

Figure 3-2 Team member development certificate



50

If you are a team agent or admin and you requested a distribution certificate, both your distribution anddeveloper certificates appear in the My Certificates category in Keychain Access as shown in Figure 3-3. Thedistribution certificates begin with the text “3rd Party Mac Developer” followed by the type of certificate andyour team name.

Figure 3-3 Team agent or admin certificates

Verify that the certificates are valid and the expiration dates are correct. When you select the certificate, thepane above should display a green circle containing a checkmark, and the text next to the circle should read“This certificate is valid.” This means that the intermediate certificate authorized your certificate.

If you don’t have a private key for a certificate, you most likely did not request that certificate from this systemor you accidentally removed your key. To fix this problem, export your private key from the system you firstrequested the certificate from and import it into this system as described in “Exporting and Importing SigningCertificates” (page 56). If you don’t have a backup of your private key, read “Repairing Signing Certificates” (page59) for the steps to recreate your certificate.

If your certificates are not valid, you could be missing the intermediate certificate used to authenticate yourcertificate. The intermediate certificate is installed when you install Xcode. It is called Apple Worldwide DeveloperRelations Certification Authority and should appear in your System keychain. If you accidentally remove theintermediate certificate, you can retrieve it from Developer Certificate Utility and install it again.

To install the intermediate certificate

1. Go to Developer Certificate Utility.



51


2. Click the WWDR Intermediate Certificate link in the Certificates section of the Overview page.



52

The WWDR certificate is downloaded.



53

3. Double-click the certificate file to install it in your System keychain.

Do not change the trust settings from the default “Use System Defaults” for any of your certificates. If the trustsetting is not “Use System Defaults” you get a CSSMERR_TP_TRUSTED error message from the codesigncommand-line tool when you build and run your app.

If your certificate doesn’t appear in the login keychain, it may not be the default keychain as Xcode expects itto be. The default keychain appears in bold in the Keychains column in Keychain Access. If the default keychainis not login, select login in the Keychains column and choose File > Make Keychain “login” Default.

Signing an AppAfter you’ve added the signing certificate to your login keychain, you can use it to sign your app in Xcode. Todo this, set the Code Signing Identity build setting for your project to your development certificate. To quicklyfind the build setting, select the project and type code signing in the search field in the Build Settings paneof the project editor.

Important: You set the Code Signing Identity build setting for the project, not for any of the individualtargets.











Code Signing Your AppSigning an App


54





The possible values for the Code Signing Identity build setting are:

● Don’t Code Sign. Choose this option if you don’t want to sign your app. However, choosing this optiondisables entitlements, including sandboxing.

● Automatic Profile Selector. This selector selects an identity whose name starts with “Mac Developer” or“3rd Party Mac Developer.”

● Identities without Provisioning Profiles. A code signing identity that is not in a provisioning profile.

● Other... A specific code signing identity. The code signing identities in your default keychain are listed bythe name. Expired or otherwise invalid identities are dimmed and cannot be chosen.

You use this same pop-up menu to select your identity in a provisioning profile. So if your team has provisioningprofiles that you belong to, your Code Signing Identity menu might look different as described in “SettingYour Provisioning Profile in Xcode” (page 70). If you are not using a provisioning profile, select an identity inthe Automatic Profile Selector group.

If you are signing with a development certificate not shown, select Other, enter the text in the text field, andclick Done. If you are a team agent or admin and are signing using a distribution certificate, enter “3rd PartyMac Developer Application” in the text field.

The next time you build and run the app, a dialog appears asking if you want to allow the codesigncommand-line tool to sign your app using your private key in your login keychain. When this happens, clickAlways Allow. If you click Allow, the dialog appears every time you build and run your app.

If a dialog appears when you run the app asking for a Developer Tools Access login, enter an account nameand password of a user in this group—for example, a system administrator—and click Continue.

Code Signing Your AppSigning an App


55

Exporting and Importing Signing CertificatesAfter you create signing certificates and install them in your login keychain, you may need to move them toanother system that you use for development, or repair a certificate whose private key is missing. Because thesigning certificate public key is stored by Developer Certificate Utility and the private key is stored in your loginkeychain, you can’t refresh your provisioning profiles and certificates to replace a missing private key. However,you might be able to restore your signing certificates by exporting them from one system and importing theminto another. (When you create certificates in Xcode, a dialog automatically appears asking whether you wantto export your developer profile.)

Archive your code signing assets to keep them safe or to use them on another Mac.

To export your developer profile1. In the Devices organizer, select your team in the Teams section.

2. Click Export.

Code Signing Your AppExporting and Importing Signing Certificates


56

3. Specify a filename and a password, and click Save.

The file produced contains the items you need to code sign apps, including the provisioning profiles,certificates, and private keys needed to install apps in development on a device.

Because it contains sensitive information that can be used to sign apps in your name, the contents of thefile are stored in an encrypted format using the password you provide. That password is required later toimport the file to another system.

Place your code signing assets on a new Mac by importing the code signing assets exported from anotherMac.



57

To import your developer profile1. In the Devices organizer, select your team in the Teams section.

2. Click Import.

3. Select the file containing your code signing assets.

4. Enter the password for the file, and click Open.

The importation process installs the certificates, private keys, and provisioning profiles that are stored inthe developer-profile file.



58

Troubleshooting: If you don’t see the Team section in the devices organizer: ● Drag the password-protected file that contains your code signing assets to the Xcode icon

in the Dock.

If you use provisioning profiles, refresh the provisioning profiles after importing the signing certificates, asdescribed in “Refreshing Provisioning Profiles” (page 66). All your provisioning profiles should be valid.

Repairing Signing CertificatesThere are several reasons why you might need to repair signing certificates on your system. For example, asigning certificate on your system is missing the private key and you don’t have a backup to restore yourcertificate. Or you may have signing certificates from an old project, or your certificate may be invalid. If anyof these are true for you, you can replace them with new ones. If you or a team agent intentionally revoke asigning certificate, it becomes invalid and any provisioning profiles that include it become invalid. If a signingcertificate expires, you need to replace it too. The workflow to replace or revoke signing certificates is similarin all these cases: It uses a combination of steps you performed in other tasks.

Removing CertificatesFirst, remove the troublesome signing certificates from your keychain and any specialized provisioning profilesthat use them from your system.

If you are intentionally re-creating your certificates, revoke all your certificates immediately after removingthem from your login keychain. If you do not revoke your certificates using Developer Certificate Utility, Xcodeattempts to install them in your login keychain the next time you refresh your provisioning profiles. However,Xcode can install only the public key in your login keychain. Without the private key, the certificate is useless.

To remove development and distribution certificates from your keychain

1. Launch Keychain Access (located in /Applications/Utilities).

2. In the Category section, select Keys.

Code Signing Your AppRepairing Signing Certificates


59

3. Click the disclosure triangles for all the private keys to reveal the associated certificates.

4. Select all the private keys associated with a Mac Developer, 3rd Party Mac Developer Application, or3rd Party Mac Developer Installer certificate.

5. Select the corresponding public key for each private key.

6. Press Delete.

7. In the Category section, select Certificates, and delete any remaining developer or distribution certificates.

To remove a specialized provisioning profile

1. Select the invalid provisioning profile in Provisioning Profiles in the Library section of the Devicesorganizer and click Delete.

2. Click the disclosure triangle next to your Mac in the Devices organizer and select Provisioning Profilesunder your Mac. Select the invalid provisioning profile and click Delete.

Revoking CertificatesAll team members may revoke their own certificates and team agents can revoke any team member’s certificate.

To revoke a certificate




60


2. Select Certificates in the left column.

3. Click Revoke in the last column in the row of the certificate you want to revoke.

The certificate appears in the Pending state.

Creating New CertificatesThe steps to create new certificates were covered in earlier sections. These are the main things you need toknow.

Create new development or distribution certificates, as described in “Requesting a Signing Certificate” (page47), or if you have a backup and did not revoke the certificates, import the certificates, as described in “Exportingand Importing Signing Certificates” (page 56).

If you are using a specialized provisioning profile, do one of the following:

● If you are a team member, notify your team agent or admin to re-create the provisioning profile usingyour new certificate.

● If you are an individual developer or team agent, do this step yourself (see “Creating ProvisioningProfiles” (page 28)).

After you re-create the provisioning profile, refresh it (see “Refreshing Provisioning Profiles” (page 66)). Theninstall it on your system, as described in “Installing Development Provisioning Profiles on Your System” (page69).



61

Repairing Another Development SystemIf you use multiple development systems, you are not done. However, once you repair certificates on onedevelopment system, there are less steps to repair them on another.

Export your developer profile from the first development system, as described in “Exporting and ImportingSigning Certificates” (page 56), and move the file to a location you can access from the other developmentsystem.

To repair another development system:

1. Remove the invalid certificates from your keychain as described in “Removing Certificates” (page 59).

2. Import your signing certificates as described in “Exporting and Importing Signing Certificates” (page 56).

3. If you use a specialized provisioning profile, install the new provisioning profile on your system as describedin “Installing Development Provisioning Profiles on Your System” (page 69).



62

Team members need provisioning profiles to test technologies such as push notifications and iCloud storage.But Xcode creates a generic Mac Team Provisioning Profile so that you can test iCloud storage. But the teamagent or admin needs to create a specialized provisioning profile for push notifications or may need to enableiCloud storage before you can use it. This chapter covers the steps you follow to add provisioning profiles toyour system and Xcode project.

If you are a team agent or admin and need to create a provisioning profile for your team or distribution, read“Creating Provisioning Profiles” (page 28).

If you are a team member and your team is not using the wildcard app ID, set the Xcode project bundle ID, asdescribed in “Setting the Bundle ID” (page 37), to match the app ID created by your team agent or admin, asdescribed in “Registering an App ID” (page 16), before following the steps in this chapter.

Adding Your System to the Mac Team Provisioning ProfileThe Mac Team Provisioning Profile is the generic provisioning profile you can use to test your app. This profileuses the wildcard app ID, which matches all apps developed by your team. It also contains all the team’sregistered systems and approved development certificates. You can use the Mac Team Provisioning Profile foriCloud storage but not for push notifications, because push notifications require an explicit app ID. Team agentsand admins can add their systems to the Mac Team Provisioning Profile using Xcode. Team members need torequest that their system be added to the portal. The first time a team member adds a system to the portal,Xcode creates the Mac Team Provisioning Profile.

To add your system to the portal using Xcode

1. Choose Window > Organizer to open the Organizer window.



63

Provisioning Your System

3. Select your system in the Devices section.

4. Click the “Add to Portal” button at the bottom of the window.

Xcode adds your system to the Mac Team Provisioning Profile and refreshes your provisioning profiles.

To request that your system be added to the portal



Provisioning Your SystemAdding Your System to the Mac Team Provisioning Profile


64

3. Select your system in the Devices section.

4. Copy the device identifier from the Identifier text field.

5. Send a message containing your device identifier to your team agent or admin requesting that it beadded to the portal.

Team agents and admins should follow the instructions in “Registering Developer Systems” (page 26)to do so. Wait until the team agent or admin tells you that your device has been added beforecontinuing.

6. In the Devices organizer, select Provisioning Profiles in the Library section, and click Refresh.

Xcode updates your Mac Team Provisioning Profile and other team assets.

7. (Optional) If a dialog appears asking if Xcode should request a certificate on your behalf, click SubmitRequest.

Provisioning Your SystemAdding Your System to the Mac Team Provisioning Profile


65

Refreshing Provisioning ProfilesYou can download and install provisioning profiles using Developer Certificate Utility, but it is easier for teammembers to install provisioning profiles using Xcode. The steps are similar to using Xcode to request a signingcertificate, as described in “Requesting a Signing Certificate” (page 47). Installing a provisioning profile is atwo-part process. First, you refresh the provisioning profile in Xcode, and then you install the provisioningprofile in System Preferences, as described in “Installing Development Provisioning Profiles on YourSystem” (page 69).

If you plan to use the Mac Team Provisioning Profile and you already added your development system to it,you can skip this step because Xcode already refreshed your provisioning profiles.

To refresh your signing certificates and provisioning profiles



3. Select Provisioning Profiles in the Library section.

4. Click Refresh.

5. Enter your Apple ID user name and password and click “Log in”.

Provisioning Your SystemRefreshing Provisioning Profiles


66

All the provisioning profiles for your team appear in the Devices organizer. If you belong to multipleteams, you’ll see the provisioning profiles from those teams as well.

6. (Optional) If a dialog appears asking whether Xcode should request a certificate on your behalf, clickSubmit Request.

If you perform this operation without having a development certificate, Xcode offers to request a MacDevelopment certificate on your behalf. If this happens, you are automatically added to the Mac TeamProvisioning Profile. But you won’t be able to use any specialized provisioning profiles until the team adminor agent approves your request and adds you to these.

Xcode doesn’t automatically update provisioning profiles that you may already have installed on yoursystem. For example, a new team member may be added to the Mac Team Provisioning Profile or to anotherspecialized provisioning profile you use for development. Always update the provisioning profiles on yoursystem after you refresh your provisioning profiles using Xcode, as described in “Installing DevelopmentProvisioning Profiles on Your System” (page 69).

Provisioning Your SystemRefreshing Provisioning Profiles


67

Important: If you move to a different system and refresh your provisioning profiles or team assets, yourprivate key might be missing from your login keychain. To move your certificates or keys from one systemto another, you need to export and import these assets, as described in “Exporting and Importing SigningCertificates” (page 56).

Alternatively, you can download a provisioning profile from Developer Certificate Utility and add it in Xcodemanually.

To add a provisioning profile to Xcode

Do one of the following:

● Drag the provisioning profile file to the Xcode Organizer window

● Click the Import button in the Xcode Organizer window

Next you need to install the provisioning profile in System Preferences, as described in “Installing DevelopmentProvisioning Profiles on Your System” (page 69).

Requesting a Specialized Development Provisioning ProfileA specialized development provisioning profile is any profile other than the generic Mac Team ProvisioningProfile. There are many reasons your team might want to use a specialized development provisioning profile.If you use push notifications, you need to use a specific provisioning profile that uses an app ID enabled forpush notifications.

If you need a specialized development provisioning profile and Xcode displays only the Mac Team ProvisioningProfile, ask the team agent or admin to create one (see “Creating Provisioning Profiles” (page 28)).

Your developer system needs to be registered before a team agent can add it to a new provisioning profile.Follow the steps in “Adding Your System to the Mac Team Provisioning Profile” (page 63) to register yoursystem using Xcode. Otherwise, send your device identifier to your team agent or admin to register it for you.

If you use iCloud storage or push notifications, remind the team agent or admin to enable these technologiesfor your app ID, as described in “Enabling iCloud Storage” (page 25) and “Enabling Push Notifications” (page25).

After the provisioning profile is created, refresh your provisioning profiles in Xcode, as described in “RefreshingProvisioning Profiles” (page 66), and install it on your system.

Provisioning Your SystemRequesting a Specialized Development Provisioning Profile


68

Installing Development Provisioning Profiles on Your SystemWhen you refresh the provisioning profiles in Xcode, it downloads the team provisioning profiles on yoursystem but doesn’t install the development provisioning profile in System Preferences. In the same way thatyou provision an iOS device for development, you need to provision your system for development.

To provision your system for development




4. Drag the provisioning profile you want to install to your system icon in the Devices section.

5. Click the disclosure triangle next to your system icon and click Provisioning Profiles under the icon.

The provisioning profile you installed appears. The provisioning profile also appears in the Profilespane in System Preferences.

Provisioning Your SystemInstalling Development Provisioning Profiles on Your System


69

Note: A distribution provisioning profile is used to submit your app to the App Store. You cannotinstall a distribution provisioning profile on a Mac.

Setting Your Provisioning Profile in XcodeTo set your provisioning profile in Xcode, set the Code Signing Identity build setting to the developmentcertificate in the provisioning profile you want to use. To quickly find the build setting, type code signingin the search field.














Provisioning Your SystemSetting Your Provisioning Profile in Xcode


70


If you refresh your provisioning profiles as described in “Refreshing Provisioning Profiles” (page 66), a menuitem appears for each provisioning profile your development certificate belongs to in the Code Signing Identitypop-up menu. In Figure 4-1, Mac Team Provisioning Profile can be used for general development, but TrackMixCore Dev Team is a specialized provisioning file with push notifications enabled. If the team agent, John Doe,is working on push notifications, he needs to select his development certificate under TrackMix Core Dev Team,not under Mac Team Provisioning Profile.

Figure 4-1 Code Signing Identity menu for a team admin

Every team member should belong to the Mac Team Provisioning Profile and therefore Mac Team ProvisioningProfile should appear in this menu. If you are not in the Mac Team Provisioning Profile, you might need torequest a development certificate, as described in “Requesting a Signing Certificate” (page 47).

If your development certificate should match a provisioning profile but it doesn’t, make sure that the bundleID in your Xcode project matches the app ID in the provisioning profile. To learn how to view and change thebundle ID, read “Setting the Bundle ID” (page 37).

If you don’t need a provisioning profile for development or you are not included in a specialized provisioningprofile, the text “(no profiles currently match)” appended to a menu item is not an error.

To learn how to select a certificate when validating and submitting an app to the Mac App Store, read“Submitting to the Mac App Store” (page 72).

Provisioning Your SystemSetting Your Provisioning Profile in Xcode


71

The Mac App Store is the preferred way to deliver your app to users. It makes it easy for them to find andpurchase your app, and offers them the most streamlined installation experience. You can submit your app tothe Mac App Store using Xcode or Application Loader.

Before submitting your app to the Mac App Store, you need to enter information about it in iTunes Connect.Read OS X Human Interface Guidelines and App Store Review Guidelines for Mac Apps to make sure your appmeets the submission requirements and you have entered the appropriate information into iTunes Connect.Your iTunes Connect app record must be in the state of Waiting For Upload before you can validate or submityour app.

Add your app in iTunes Connect to start the process of submitting it to the App Store.

To create an app record in iTunes Connect1. Open iTunes Connect and select Manage Your Applications.

2. Click the Add New App button.

3. Select the appropriate platform.


72

Submitting to the Mac App Store


http://developer.apple.com/appstore/mac/resources/approval/guidelines.html

4. Fill out the forms with your app’s information.

The iTunes Connect web application prompts you for a variety of information about your app, includingthe app’s name, screenshots, pricing, SKU number, and bundle identifier. Some of these can be changedonly under certain circumstances:

● The SKU number and app type cannot be changed after you submit your app.

● The bundle identifier can be changed only before you submit any binaries for review, and only if yourapp does not use Game Center or iAd.

● The app name can be changed only when your app is in an editable state in iTunes connect. For a listof the editable states, see “App Information Table” on pages 184–186 of iTunes Connect DeveloperGuide .

Note: After adding an app in iTunes Connect, you must submit it for review within 90 days.Effectively, adding the app commits you to a ship date. Therefore, you may want to wait as longas possible before performing this task. However, some technologies such as Game Center andIn-App Purchase required you to add your app in iTunes Connect earlier in the developmentprocess.

For a detailed discussion, see “Adding New Apps” on pages 38–61 of iTunes Connect Developer Guide .

Submitting to the Mac App Store


73

You also need to configure your app for distribution on the Mac App Store. Your app may fail validation testsif it is not properly configured. Read the relevant sections of “Configuring Apps” (page 36) before attemptingto submit your app to the Mac App Store.

Only a team agent or admin can submit an app to the Mac App Store. Before doing so, you must have thenecessary distribution certificate and Production Provisioning Profile installed on your system. Then you needto sign your app using the distribution certificate and create an archive. Finally, you validate and submit theapp to the Mac App Store.

Signing Using a Mac Submission CertificateBefore you create an archive, sign your project using the Mac Submission certificate.

If you use helper apps or external frameworks, ensure that all executables in your app bundle are signed usingthe Mac Submission certificate. To do this, set the Code Signing Identity build setting for the project, not forthe individual targets in your project. If you import external frameworks, sign the frameworks using thecodesign command-line tool at the end of the build process, as described in Mac OS X Code Signing In Depth .

Only a team agent or admin can obtain and use distribution certificates for this purpose. If you haven’t alreadydone so, create your distribution certificates as described in “Creating Signing Certificates” (page 22) now.Later when you submit to the Mac App Store, you are asked to select the Mac Installer certificate to sign theinstaller package.

Next, set the Code Signing Identity build setting to the Mac Submission certificate that begins with the text“3rd Party Mac Developer Application” as described in “Signing an App” (page 54). Run your app to verify thatthis is the build you want to release.

Signing Using a Production Provisioning ProfileIf you use iCloud storage or push notifications, you must sign your app using a Production Provisioning Profileand enable your entitlements. You need to create and download a Production Provisioning Profile, as describedin “Creating a Production Provisioning Profile” (page 33). You cannot sign an app using any of the developmentprovisioning profiles that might appear in the menu when you set the Code Signing Identity build setting.

To import the Production Provisioning Profile

1. In Xcode, choose Window > Organizer to open the Organizer window.


Submitting to the Mac App StoreSigning Using a Mac Submission Certificate


74


4. Click Import at the bottom of the window.

5. Select the Production Provisioning Profile file that you downloaded and click Open.

You should see the Production Provisioning Profile listed in the Organizer window.

Submitting to the Mac App StoreSigning Using a Production Provisioning Profile


75

Now sign your app, as described in “Signing an App” (page 54), using the Production Provisioning Profileidentity as shown in Figure 5-1. Run your app to verify that this is the build you want to release.

Figure 5-1 Code Signing Identity menu for a team agent

Creating an ArchiveNo matter what method you chose to distribute your app, you need to archive it first.

Archive your product for submission to iTunes Connect or for sharing with others. Schemes have an Archiveaction with settings you use to customize the archive that Xcode creates when you choose Product > Archive.

To archive your app1. From the Scheme toolbar menu, choose a scheme.

2. From the same menu, choose Edit Scheme to display the scheme dialog.

3. In the left column, select Archive.

4. Choose a build configuration.

5. Specify a name for the archive and click OK.

Submitting to the Mac App StoreCreating an Archive


76

6. Choose Product > Archive.

An archive is a bundle that includes your product along with symbol information. You can build an archiveto seed an application for testing or to validate and submit an application to iTunes Connect.

Your new archive appears in the Archives list in the Organizer window, unless you turn off this option. Eacharchive is identified in the archives organizer with the date and time it was created. For more information,see the related article on the archives organizer.

Testing the Installer PackageBefore you submit to the Mac App Store, you should test the installation process to verify that your app installscorrectly. You can do this by saving the installer package to your disk and running a test using the installercommand before submitting it.

Submitting to the Mac App StoreTesting the Installer Package


77

You save an installer package to your disk by following the same steps for distributing your Mac app. Whendoing so, select Export as the distribution method, Mac Installer Package as the file format, and the Mac Installercertificate as the signing certificate. The name of the Mac Installer certificate is your team name, and it appearsunder “Identities without profiles” in the Code Signing Identity menu.

Distribute your Mac app to users or other members of your development team.

To distribute your app1. In the Archives organizer, select the application archive you want to distribute, and click Distribute.

2. Select the distribution method, and click Next.

3. Follow the instructions to complete the process.

Here’s how you select the distribution method:

● To submit the app for publication to the Mac App Store, select “Submit to the Mac App Store.”

Submitting to the Mac App StoreTesting the Installer Package


78

● To create an Xcode archive, an installation package, or a binary file of the app, select “Export as” andchoose the file format from the pop-up menu.

Do not test the installation process by opening the package with the Installer app. Only the installercommand verifies that your app will be installed correctly when it is purchased from the Mac App Store.

To test your installer package, execute the following command in a Terminal window:

sudo installer -store -pkg path-to-package -target /

If the installer finds a bundle with the same bundle ID as the one it is installing, it upgrades the existing appin place. Users can then install upgrades even if they have moved your app. If you have a copy of your appinstalled (for example, in your build products directory), you may want to remove it so that your app getsinstalled in /Applications. Other options include archiving the existing version in a ZIP file or moving it toanother volume and unmounting that volume.

Validating and Submitting Your App Using XcodeBefore submitting your app, you should validate it to ensure that is passes essential iTunes Connect validationtests. After you select your archive in the Archives organizer, click the Validate button and select Mac App Storeas the distribution method. During this step, you sign the installer package using the Mac Installer certificate.

Validate your app to find out whether it meets minimum submission requirements.

To validate your app1. In the Archives organizer, select the application archive you want to validate, and click Validate.

2. For Mac distribution, select the distribution method, and click Next.

Submitting to the Mac App StoreValidating and Submitting Your App Using Xcode


79



Before submitting your app for publication on the App Store, you should validate it to ensure that it passesstandard iTunes Connect checks.

The screenshot shows the validation-method pane that appears for Mac distribution. This pane doesn’tappear for iOS distribution.

Troubleshooting: If Xcode doesn’t find an iTunes Connect application record for your application,the dialog “No suitable application records were found” appears. This dialog also appears whenthe application record state is not at least “Waiting for Upload”.

● Ensure that an application record exists for your application in iTunes Connect.

● Ensure that the application record status is at least “Waiting to Upload.”

Distribute your Mac app to users or other members of your development team.



80

To submit your app1. In the Archives organizer, select the application archive you want to distribute, and click Distribute.

2. Select the distribution method, and click Next.


Here’s how you select the distribution method:

● To submit the app for publication to the Mac App Store, select “Submit to the Mac App Store.”

● To create an Xcode archive, an installation package, or a binary file of the app, select “Export as” andchoose the file format from the pop-up menu.

If you get the alert message "Unable to find registered user with username <username>," you are not registeredin iTunes Connect. Have your team agent register you in iTunes Connect.

Add a person to your team in iTunes Connect to allow them to submit and manage your apps for sale in theApp Store.



81

To manage your team in iTunes Connect1. Open iTunes Connect and select Manage Users.

2. Select iTunes Connect User.

3. Perform the appropriate management task.

You use the iTunes Connect interface to manage iTunes Connect user accounts for members of your team,as well as test-user accounts, which are used for testing In-App Purchase code in the sandbox.

iTunes Connect is distinct from the iOS Developer Provisioning Portal and the Developer Certificate Utility;adding someone to your team in either of those places does not give them access to iTunes Connect.

Note: To add, delete, or modify a user, your account’s role must be Admin.

For a detailed discussion including step-by-step instructions for adding, modifying, and deleting users, see“Managing Users” on pages 32–37 of iTunes Connect Developer Guide .

Read “Configuring Apps” (page 36) to configure your app correctly for submission to the Mac App Store.



82

Submitting Your App Using Application LoaderUsing Xcode to submit your app is recommended in most cases. Sometimes, though, it may be more appropriatefor your organization to use Application Loader and other command-line utilities for the build process. If yourapp needs to enforce minimum configuration requirements, you must use this method.

To submit your app using Application Loader:

1. Make sure your app is signed.

a. If you build and sign your app using Xcode, as described in “Signing Using a Mac SubmissionCertificate” (page 74), your app is already signed.

b. If you don’t, use codesign to sign your app with your Mac Submission certificate (begins with “3rdParty Mac Developer Application”).

2. Archive your app and create an installer package using the productbuild command. The followinglisting shows a typical usage:

productbuild \

--component build/Release/Sample.app /Applications \

--sign "3rd Party Mac Developer Installer: John Doe, Inc." \

--product product_definition.plist Sample.pkg

The productbuild command can build a variety of product types; it provides a number of options thatare not appropriate for submissions to the Mac App Store. You should specify a single component, asignature, and (optionally) a product definition file. The option to install into the user’s home directory isnot supported.

For more details about productbuild, see the productbuild man page.

Alternatively, use Xcode to archive your app by following the steps in “Creating an Archive” (page 76),select the archive in the Archives organizer, click Distribute, select Export distribution method, and XcodeArchive file format.

Note: Using the PackageMaker app to archive your app is not supported.

3. Test the installation process, as described in “Testing the Installer Package” (page 77).

4. Submit the package to the Mac App Store using Application Loader. Choose Xcode > Other DeveloperTool > Application Loader to launch it. The filename of the package must not have spaces in it, and thefile extension must be pkg.

Submitting to the Mac App StoreSubmitting Your App Using Application Loader


83

In some cases, you may want to distribute an application outside the Mac App Store. In that situation, use aDeveloper ID certificate to give your users assurance that you are an Apple identified developer.

OS X Mountain Lion users will have the option of turning on Gatekeeper, a security feature that gives usersthe ability to choose to install software only from the Mac App Store and identified developers. If your applicationis not signed with a Developer ID certificate issued by Apple, it will not launch on systems that have this securityoption selected. To avoid this situation, sign your applications and installer packages using a Developer IDcertificate and thoroughly test the end-user experience using a Gatekeeper enabled system before you distributeyour application outside of the Mac App Store.

This document describes the Xcode workflow to create and test Developer ID-signed applications for distributionand provides links to more information for developers who use the command line for signing their applicationsor installer packages.

Creating Developer ID-Signed Applications or Installer PackagesCreating a Developer ID-signed application or installer package is a multistep process. For most developers,the entire Developer ID workflow takes place within Xcode. First you request Developer ID certificates. Thereare two types of Developer ID certificates: Developer ID Application is used to sign applications and DeveloperID Installer is used to sign installer packages. Using Xcode, you export and sign an archive of your applicationusing the Developer ID Application certificate. You can also use command line utilities to sign an installerpackage using the Developer ID Installer certificate.

But before you can get started, you must be a member of the Mac Developer Program.

Enrolling in the Mac Developer ProgramOnly Mac Developer Program members are eligible to request Developer ID certificates and sign applicationsor installer packages using them.


84

Distributing Outside the Mac App Store

When you enroll in the Mac Developer Program, you become the primary contact for Apple and are asked tosign legal agreements. Regardless whether you enroll as an individual or company, you are the team agentand responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals toyour team, but only the team agent has permission to create Developer ID certificates. Developer ID certificatesare owned by the team not an individual.

To enroll in the Mac Developer Program, go to Apple Developer Program Enrollment where a web assistantguides you through the entire process of enrolling. If you have not registered as an Apple Developer yet, youcan do so as part of enrolling in the Mac Developer Program. When you are prompted to select a program,select the Mac Developer Program.

Requesting Developer ID CertificatesUse the Xcode Organizer window to obtain the Developer ID Application and Developer ID Installer certificates,as well as the Developer ID Certification Authority intermediate certificate.

When you refresh your provisioning profiles for the first time, Xcode asks whether it should create signingcertificates on your behalf. Signing certificates that begin with the text “Developer ID” are used to distributeyour application outside of the Mac App Store.

Note: Only a team agent can request Developer ID certificates. If you are an individual developer,you are the team agent and can request these certificates.

To request your Developer ID certificates


2. In the Organizer window, select Devices.

3. In the Library section of the Devices organizer, select Provisioning Profiles.

Distributing Outside the Mac App StoreCreating Developer ID-Signed Applications or Installer Packages


85

https://developer.apple.com/programs/start/standard/

4. Click the Refresh button at the bottom of the window.

5. In the dialog that appears, enter your Apple ID user name and password and click “Log in.”



86

After you log in to your account, multiple dialogs appear, asking whether Xcode should request certaintypes of signing certificates on your behalf. If you just joined the Mac Developer Program, the firstdialog asks whether Xcode should request your Mac Development certificate. The last two dialogs askwhether Xcode should request your Developer ID certificates.

6. Click the Submit Request button each time a certificate request dialog appears.

After you submit the last certificate request, allow the refresh process to complete. Your Developer IDApplication and Developer ID Installer certificates are added to your keychain. The Developer IDCertification Authority intermediate certificate is also added to your keychain.

7. If a dialog appears asking whether you want to export your developer profile, click Export.



87

You should always back up your certificates after you create them. The private keys for your certificatesare stored in your keychain, and the public keys are stored by Developer Certificate Utility. For thisreason, you can’t refresh your provisioning profiles and certificates in Xcode to replace a missing privatekey in your keychain.

8. Enter a filename and password, and click Save.

Because the file contains your developer profile, which can be used to sign applications in your name,it is encrypted and password protected. (You will need the password later to import your developerprofile to another system.)

Important: Your Developer ID private keys are valuable, and you should back them up. Exportingyour developer profile lets you create a password-protected backup. Save that backup as you wouldany essential backup; for example, save it to a different disk. Later, if you need to replace a privatekey, import it from your backup.

Your Developer ID Certification Authority intermediate certificate, which is required for DeveloperID code signing, is not exported. If you need to obtain another copy, retrieve it from Apple athttps://developer.apple.com/certificationauthority/DeveloperIDCA.cer.



88

https://developer.apple.com/certificationauthority/DeveloperIDCA.cer

You can view your Developer ID certificates in your Team folder in the Devices organizer.

Code Signing Your ApplicationOptionally, code sign your application during development and testing using the Developer ID Applicationcertificate. Later, you resign the application with this certificate when you export it.

To code sign an application with your Developer ID Application certificate

1. In Xcode, select the project in the project navigator.

Xcode displays the project editor.

2. Click Build Settings at the top of the window.

3. Click All.

4. Type code signing into the project editor search field.

The list of build settings now shows only the Code Signing settings.

5. From the Code Signing Identity pop-up menu, choose your Developer ID Application certificate.

6. Click Run.



89

Exporting a Developer ID-signed ApplicationTo export your application for distribution outside of the Mac App Store, use the Archives organizer.

To create a Developer ID-signed application

1. Choose Product > Archive.

Xcode constructs an archive containing your code-signed application and opens the Organizer window,showing the archive.

Note: You can set the Code Signing Identity build setting to any valid signing certificate duringthis step because the archive is resigned with the Developer ID certificate in a later step.

2. Select the newly created archive in the Organizer window, then click Distribute.



90

A dialog appears, offering a choice of distribution methods.

3. Select “Export Developer ID-signed Application” and click Next.



91

4. Choose your Developer ID name from the Developer ID pop-up menu and click Next.

5. Enter a filename and location for the signed application and click Save.

Signing an Installer PackageIf you want to distribute your application outside of the Mac App Store as part of an installer package, createthe package as you normally do, perhaps by using the packagemaker(1) command. Code sign the resultingpackage with your Developer ID Installer certificate by using the productsign command. Then test yourinstaller package using this command by replacing MyPackageName.pkg with your package file name:

spctl -a -v --type install MyPackageName.pkg

Warning: Make sure you sign the installer package using your Developer ID Installer certificate. The

productsign command might allow you to sign an installer package using your Developer ID

Application certificate. It may appear to work, but the resulting installer archive will fail on the destination

system.



92

If your development workflow includes code signing from the command line, read Code Signing Guide .

Testing Developer ID-signed ApplicationsBefore you distribute your application, test the end-user experience launching your application with Gatekeeperenabled and disabled. You can enable and disable Gatekeeper using System Preferences or a command-lineutility. The command-line utility is also useful for testing. To simulate the end-user experience, you need toquarantine your application and test it again with Gatekeeper enabled.

Enabling and Disabling GatekeeperYou can turn on Gatekeeper by using the Security & Privacy system preferences or system policy controlcommand-line utility, spctl(8). Gatekeeper system preferences are hidden by default but you can showthem using a Terminal command.

To enable or disable Gatekeeper using the Security & Privacy system preferences

1. To show Gatekeeper system preferences, enter this command in Terminal:

defaults write com.apple.systempreferencesShowGatekeeperOptionsInSecurityPreferences -bool YES

2. Launch System Preferences and select Security & Privacy.

3. Click the lock button if it appears locked, and enter the administrator password.

Distributing Outside the Mac App StoreTesting Developer ID-signed Applications


93

4. To enable Gatekeeper, select “Mac App Store and identified developers.”

5. To disable Gatekeeper, select Anywhere.

6. (Optional) To hide Gatekeeper system preferences, enter this command in Terminal:

defaults write com.apple.systempreferencesShowGatekeeperOptionsInSecurityPreferences -bool NO

To enable Gatekeeper using the spctl command

1. In Terminal, enter the following command:

$ sudo spctl --master-enable

When prompted, enter your login password.

2. Confirm that Gatekeeper is successfully enabled by entering the following command:



94

$ spctl --status

With Gatekeeper enabled, the previous command prints the following text in Terminal:

assessments enabled

To disable Gatekeeper using the spctl command

1. In Terminal, enter the following command:

$ sudo spctl --master-disable

When prompted, enter your login password.

2. Confirm that Gatekeeper is successfully disabled by entering the following command:

$ spctl --status

With Gatekeeper disabled, the previous command prints the following text in Terminal:

assessments disabled

Testing Gatekeeper BehaviorAfter you sign your application with a Developer ID certificate, you can test whether it was signed correctlyand simulate the launch behavior of your application when Gatekeeper is enabled. On a system with Gatekeeperturned on, a quarantined copy of your application launches only if it is Developer ID–signed. (Learn aboutquarantine in this Knowledge Base article.) You can also test the behavior of Gatekeeper for an applicationthat is not Developer ID–signed.

Testing a Developer ID–Signed ApplicationYou can use the spctl command-line utility to test if your application is signed correctly using a DeveloperID certificate.

To test your Developer ID–signed application using spctl

1. Enable Gatekeeper on your test machine by entering the following command in Terminal:



95

http://support.apple.com/kb/HT3662

$ sudo spctl --master-enable

2. Enter the following command in Terminal by replacing TrackMix.appwith the path to your application.

$ sudo spctl -a -v TrackMix.app

If the application is correctly signed, text similar to the following appears in Terminal:

./TrackMix.app: accepted

source=Developer ID

Testing the Launch BehaviorTo thoroughly test your Developer ID–signed application, simulate launching the application on an end-usersystem.

To prepare for testing Gatekeeper behavior

1. Enable Gatekeeper on your test machine (as described in “Enabling and Disabling Gatekeeper” (page93)).

2. Quarantine a copy of your Developer ID–signed application. You can do this in either of the followingways:

● Email your Developer ID–signed application to yourself and use the copy that Mail.appdownloads;or

● Host your Developer ID–signed application on your own local or remote server and use the copythat Safari downloads.

You are ready to test Gatekeeper behavior.

To test Gatekeeper behavior for your Developer ID–signed application

● In the Finder, locate the quarantined copy of your Developer ID–signed application and double-clickits icon.



96

The system displays an alert asking whether you are sure you want to open the application.

This alert, that allows you to open the quarantined application with Gatekeeper turned on, confirmsthat your Developer ID workflow is correct.

Tip: If you do not see an alert at this point, it is likely that you have opened a nonquarantined copy ofyour application. Review the steps in “To prepare for testing Gatekeeper behavior” (page 96).

To test Gatekeeper behavior for blocking applications that are not Developer ID–signed

1. Enable Gatekeeper on your test machine (as described in “Enabling and Disabling Gatekeeper” (page93)).

2. Quarantine a copy of your application that is not Developer ID–signed.

As before, you can invoke quarantine on this copy of your application in either of the following ways:

● Email your application to yourself and use the copy that Mail.app downloads; or

● Host your Developer ID–signed application on your own local or remote server and use the copythat Safari downloads.

3. In the Finder, locate the quarantined copy of your non-Developer ID–signed application and double-clickits icon.

The system displays an alert that blocks you from opening the application. By way of this alert, theGatekeeper feature protects a system by preventing first-time opening of applications from unidentifieddevelopers. Applications previously opened by a user are no longer quarantined, and Gatekeeper doesnot prevent them from opening.



97

This table describes the changes to Tools Workflow Guide for Mac .

NotesDate

Made available in PDF.2012-09-19

Updated for Xcode 4.3.1 and OS X v10.7.4. Added the "Distributing Outsidethe Mac App Store" chapter.

2012-05-14

Updated for Xcode 4.3.2012-02-16

Applied minor edits.2012-01-09

Added details on configuring entitlements.2011-11-03

New document that describes how to build and submit your app to theMac App Store.

2011-10-12


98

Document Revision History

Apple Inc.© 2012 Apple Inc.All rights reserved.

No part of this publication may be reproduced,stored in a retrieval system, or transmitted, in anyform or by any means, mechanical, electronic,photocopying, recording, or otherwise, withoutprior written permission of Apple Inc., with thefollowing exceptions: Any person is herebyauthorized to store documentation on a singlecomputer for personal use only and to printcopies of documentation for personal useprovided that the documentation containsApple’s copyright notice.

No licenses, express or implied, are granted withrespect to any of the technology described in thisdocument. Apple retains all intellectual propertyrights associated with the technology describedin this document. This document is intended toassist application developers to developapplications only for Apple-labeled computers.

Apple Inc.1 Infinite LoopCupertino, CA 95014408-996-1010

Apple, the Apple logo, Finder, iTunes, Keychain,Mac, Mac OS, OS X, Safari, Sand, and Xcode aretrademarks of Apple Inc., registered in the U.S.and other countries.

iAd and iCloud are service marks of Apple Inc.,registered in the U.S. and other countries.

App Store and Mac App Store are service marksof Apple Inc.

iOS is a trademark or registered trademark ofCisco in the U.S. and other countries and is usedunder license.

Even though Apple has reviewed this document,APPLE MAKES NO WARRANTY OR REPRESENTATION,EITHER EXPRESS OR IMPLIED, WITH RESPECT TO THISDOCUMENT, ITS QUALITY, ACCURACY,MERCHANTABILITY, OR FITNESS FOR A PARTICULARPURPOSE. AS A RESULT, THIS DOCUMENT IS PROVIDED“AS IS,” AND YOU, THE READER, ARE ASSUMING THEENTIRE RISK AS TO ITS QUALITY AND ACCURACY.

IN NO EVENT WILL APPLE BE LIABLE FOR DIRECT,INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIALDAMAGES RESULTING FROM ANY DEFECT ORINACCURACY IN THIS DOCUMENT, even if advised ofthe possibility of such damages.

THE WARRANTY AND REMEDIES SET FORTH ABOVEARE EXCLUSIVE AND IN LIEU OF ALL OTHERS, ORALOR WRITTEN, EXPRESS OR IMPLIED. No Apple dealer,agent, or employee is authorized to make anymodification, extension, or addition to this warranty.

Some states do not allow the exclusion or limitationof implied warranties or liability for incidental orconsequential damages, so the above limitation orexclusion may not apply to you. This warranty givesyou specific legal rights, and you may also have otherrights which vary from state to state.

Osx workflow guide (1)

Education

Transcript of Osx workflow guide (1)