If you’ve decided that your app does need to be signed, and are now equipped with any certificate(s) which you might need, how do you go about signing it?

Ad hoc signing

For all my misgivings over the (lack of) benefits of ad hoc signing, it is very easy to do. If you’ve decided that this is the way ahead, then all you have to do is build the app and type the following into Terminal:
codesign --force --deep -s - MyApp.app

codesign is the command tool which you use to sign code bundles and apps;
--force ensures that any existing signature is completely replaced with the ad hoc one;
--deep ensures that this is performed throughout its enclosures, and can be omitted if there aren’t any;
-s asks for signing to be performed
- (a single hyphen on its own) makes it ad hoc, i.e. without any certificate
MyApp.app is the path and name of the app.

Signing with a personal certificate

If you have created your own personal certificate and want to use that to sign your app, you’ll need to know the ‘common name’ of your certificate. Check this in Keychain Access, and you’ll find that it’s the name that you gave to your certificate when you created it. The required command becomes:
codesign --force --deep -s "Personal Code Signing Certificate" MyApp.app

Instead of the hyphen - to indicate that no certificate is to be used, you simply give the common name of your certificate.

Signing in Xcode

Xcode is designed to work with Developer IDs and certificates supplied by Apple. Although you can create your own identity and add your personal certificate to it, if you’re using Xcode to manage signing you should really sign up as a developer.

When you do that, you’ll need to add your Developer ID to the list of Apple IDs in the Accounts tab of Xcode’s preferences. For some reason, I have ended up with a ‘personal team’ with the role of user, and my own team as an Agent. My signatures are associated with the latter. When I select it in the list of ‘teams’ and click on the Manage Certificates… button, I can obtain and view all my certificates.

For basic macOS development, there are three different certificates which you’re likely to use:

• Development Certificates or ‘Mac Developer‘, which are supposed to be used during testing and debugging;
• Developer ID Application, which is the main certificate type for apps and other code (except for kernel extensions, which require a special certificate);
• Developer ID Installer, which are used to sign Installer packages, such as those used to install command tools.

You can obtain these directly from the + tool at the foot of this dialog, which is simplest, or online through your developer account.

When you create a new project in Xcode, by default its signing should be set to automatic management, which should in theory work fine. For some reason, mine seems to set the wrong account, and I end up building apps with broken signatures. So I set mine to manual management, selecting the Team and Signing Certificate to use.

Then, during the last part of each build and prior to uploading for notarization, Xcode will automatically ensure all my apps and builds are correctly signed using the selected certificate.

If you are only building the occasional one-off app using Xcode, particularly if you’re using a personal certificate, it is usually simplest to sign it yourself using codesign, rather than get befuddled in Xcode’s signing options. If you have a developer ID, then you’ll usually find it better to manage your signing within Xcode. However, you can’t always do that: when I build installer packages, I use Stéphane Sudre’s excellent Packages, and sign the resulting Installer package from the command line using codesign.

References

Apple’s Code Signing Guide
TN2206 Code Signing in Depth