Disclaimer, I am a Java developer not an Apple developer and therefore only use Apple specific tools very rarely.
I develop a Java application, and as part of my build from the command line I sign it with an Apple Developer Id certificate as follows
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --sign "Developer ID Application: P Taylor" --force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign --verify --deep --verbose /Applications/SongKong.app
Unfortunately when I tried to build today there was an error because the certificate had expired a few days ago, it was originally created 5 years previously.
So I renewed an Apple Developer membership (which had also expired) and eventually found a way using KeyChain to create a CertificateSigningRequest.certSigningRequest file which I then uploaded to Apple and it generated a developerID_application.cer file. I opened this and it was added to KeyChain
I then rerun my build, but it failed because it now found two certificates
I then deleted the old expired one and reran, this time it seemed I had to give access to use the certificate by entering my KeyChain password. Unfortunately this does not seem to be the same as my main Mac password and hence I eventually had to ForceQuit and reboot.
In order to reset KeyChain password I followed steps online to
Open KeyChain Access
From the KeyChain Access menu, choose Preferences.
Click General, then click Reset My Default KeyChain.
I then reran my build but although the certificate seems to be there it reports 'no identity found'. I think because having created a new KeyChain I have removed my personal identity(is this Certificate Authority ?).
So now I only have a the Developer Id certificate but the not the other parts and don't know what to do.
Question 1:When I selected Reset My Default Keychain it said the old keychain was kept somewhere, so my first question is can i make that the default again and then possibly there is a way to actually reset the password or perhaps I will be able to guess it.
Question 2:If I cannot do Qu.1 what do I need to do to recreate the personal certificate part that I am now missing. Remember the whole point of this is simply that users can install my software on their Macs without getting warnings about untrusted developers.
Well I resolved it, I followed these instructions in order to restore my previous keychain, basically
In KeyChain Access select Delete Keychain "login", and ensure choose Delete References when prompted, not Delete References & Files.
Open Finder, and go to Folder ~/Library/Keychains
Rename login.keychain to login.keychain.old
Rename login-renamed-1.keychain to login.keychain
In KeyChain Access select Add Keychain and select the login.keychain file
Restart KeyChain Access to see the correct results
But then I still had the problem that when i tried to sign I was prompted for KeyChain password and I didn't know it.....
However in KeyChain Access I went to Edit:Change settings for keychain "login"
and entered what I thought was old password and new password, and it accepted the change even though when I used the password to sign it failed
I then ran sign and entered the new password when prompted and it was accepted.
I verified signature, uploaded build, downloaded, installed and ran to ensure there was no problem with the build and it was fine. So I hope this answer helps other non Apple developers struggling with their tools
I've downloaded the .cer file from developer A/c. Double clicking on it, is adding that file in Certificate section but when am going to key section to export key am not able to see that key. So that I can export it as .p12 file.
this is a common issue, The solution is simple:
Who ever created the developer credentials originally needs to go to the keychain on their computer and right click on the key(s) for private and public and export the key to a file. Then you just download that file on your computer and open it, and it will be added to your keychain.
You need to have both the private key (.pem file) and the certificate for your provisioning profiles.
From :
https://stackoverflow.com/a/12867936/3901620
Actually we are using two MAC machines to develop a Package in mac using xcode. Only one mac is having a certificate and that is in different country. we exported that certificate for local mac.but when i try to do codesigning using that certificate i am getting error as "Could not find appropriate signing identity for “Developer ID Installer: ID
” I am not able to add the codesign. what are the steps to import a certificate properly.
That message is usually indicative that you don't have the private key necessary for signing, just the certificate, which is insufficient.
For exporting signing identities, your best bet is to use the Accounts preference panel in Xcode.
Launch Xcode on the machine you are sending the signing information from
Choose Xcode > Preferences
Select the Accounts tab
From the gear menu, choose Export Accounts and select the file you want to place the information in and enter a password
Transport the exported identity file to the receiving machine
Follow steps 1-3 on the Receiving machine
From the gear menu, choose Import Accounts and select the file you have just brought over, entering the password when asked.
This should import the entire signing identity, including the certificates, provisioning profiles, and private keys.
Via Keychain Access
If, for some reason, your Xcode on the machine that you are sending the signing information from does not have any accounts listed, you may be signing with a script or from the command line and using the identity information without loading the accounts directly into Xcode's UI. If possible, I would encourage adding your account to Xcode using the Accounts tab in order to get the automatic behaviors that Xcode provides, but it may not be absolutely necessary, especially if you are doing Developer ID only (non AppStore) distribution.
To export from Keychain Access, you will need to export both the Signing Certificate and the Key. The Signing Certificate is also available from Apple's Developer portal, but the key never leaves your machine directly (only a fingerprint of it is sent in the CSR), so if the original key does not exist on a machine that your organization has access to, you may need to Revoke your existing key and create a new one.
To locate your key in Keychain Access do the following:
Launch Keychain Access
Click on My Certificates
Look through the list or use the search box to find your certificate (Searching on Developer ID should yield any Developer ID-related certificates)
Each certificate which has an associated private Key will have a disclosure triangle to the left, click on that to expose the keys
This Key may be exported by selecting the key and certificate (make sure they're both selected, or export them one at a time) and using File > Export Items
Provide a password when prompted to protect the export file
Copy the exported file(s) to your other machine
Use Keychain Access and File > Import Items to import the certificate/key to the new machine
NOTE: If you lose your private key, you will need to revoke your certificate, generate a new key, and create a new signing certificate. Don't do this without first making sure you have no available copies of the key. The specific implications depend on what kind of certificates are signed with the key, but you will need to regenerate all of the certificates that used the previous key.
I've looked through already existing questions, but none has solved my problems (like recreating certificates). I've built an app where inside the app I have few executables and folders and frameworks. Whenever I try to do codesign -s "our identity" my.app always gives no identity found. Can someone give a step by step process of this.
codesign -s "Developer ID Application: Sai***** (123123123J)" out/Release/Sai.app
Error
Developer ID Application: Sai****** (123123123J): no identity found,
I tried removing "Developer ID Application" and the serial number, but everything gives the same error
Looking for help in these lines
I had some trouble with this as well. Double-check that your code-signing identity is in your keychain, and you might consider using the SHA-1 fingerprint instead of the name after the -s.
You can find the SHA-1 fingerprint by opening up Keychain Access and selecting your Developer ID Application: FOO certificate, and then choosing Get Info. From here, scroll to the bottom of the information until you reach Fingerprints. The SHA-1 fingerprint here can be copied and you will have to remove all of the spaces, but after that you will have a 40-character identifier which will be appropriate for placing after the -s in your codesign statement.
If you are still having problems locating the key, try the following from Terminal:
certtool y | grep Developer\ ID
and look for anything with Developer ID Application in the Common Name to verify that the certificate is actually in a keychain that is accessible from Terminal. If you don't see anything in response, that would indicate that the keychain containing your credentials is unavailable to your Terminal session. Reasons for this would include things like the keychain being locked, the shell running as another user, executing the command with different permissions (such as sudo).
After executing the command above, you should have at a minimum the following:
Developer ID Application: <your company name>
Developer ID Installer: <your company name>
Developer ID Certification Authority
If you don't have all three, you should go and download the missing elements. Although you may not currently need to build an Installer, there's no harm in having it around. The Application and Installer elements can be downloaded from the Mac Certificates section of the Certificates, Identifiers, & Profiles tab on Apple's Developer site. You should have listings there that are not expired. You may have listings there as well that have expired. To install the certificates in your keychain:
Access the Apple Developer Site
Access the Mac Dev Center
Access Certificates, Identifiers, & Profiles link
Download the Certificates from the portal
Double-click on the Certificates and Keychain Access should open
Allow Keychain Access to add the Certificates to your Keychain
The Developer ID Certification Authority should have been installed by Xcode, but if it wasn't, you can install it yourself. You will need to download that separately from Developer ID Authority or by clicking on the + link in Certificates tab and use the link at the bottom to download the Certificate.
This would also be a good time to make sure that you have the Apple Worldwide Developer Relations Certification Authority, which is the basis for some of the signing tools. It should be installed in your System keychain, by the Xcode installer and can be downloaded directly from the + link in the Certificates tab above or from Apple WWDR CA.
According to Apple's App Distribution Guide, there are specific keychains that are appropriate for each of the Certificates and keys:
Your private Keys and your signing certificates (Developer ID Installer,Developer ID Application, and the App Store Certificates) should be in your login keychain
The Apple Worldwide Developer Relations Certification Authority and Developer ID Certification Authority belong in the System keychain
Your developer certificates also belong in your login keychain
Keychain Maintenance
Because Xcode automatically manipulates the keychains, and because some certificates are re-issued regularly when profiles change (although not for Developer ID, since it has multi-year certificates and doesn't require profiles), you can end up with a propagation of unnecessary and potentially confusing certificates in your keychain. It is a good idea to clean these out when they have expired, as they can create some confusion for Xcode.
WARNINGS
Before performing any maintenance on your Keychains, make sure you have a backup of your keychains
This process is intended for removing unnecessary Certificates relating to development, If the certificates don't start with Mac Developer, 3rd Party Mac Developer, iPhone Developer or Developer ID, do not mess with them at this time. If you accidentally delete the Certificate you received with an email (for example), even if it has expired, you may not be able to read the email that you received.
Things to do:
Quit Xcode
Run Keychain First Aid (from Keychain Access) and verify that your keychains are OK
Click on the Certificates Category on the left sidebar
Locate any expired developer certificates of the kinds mentioned above. They will show up with a small X in the lower right corner.
Select the Certificates you will be removing and back them up by using File > Export Items...
Put this file in a safe place and give it a good password
Delete the Certificates which you have backed up
Look through your remaining certificates and verify that you have the certificates mentioned in the preceding section. If you don't, you'll need to download, and possibly renew them.
Verify that the certificates are in the keychains that are indicated above (all your signing certs should be in your login keychain, for example)
while I did not do this for apple development code signing, I still think I have some valuable inside that could help you debug such a problem. The difference is that I created my own certificate while you got one from apple.
Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access). Be aware that for your code signing the cert should be in the login keychain, I needed it in the System keychain.
At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:
I fixed that (you can not fix it as Apple provides the cert to you. The extension should just be there):
Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer (be aware you can omit -d and -r trustRoot:
$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer
This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it should.
After that I found the new cert in the trusted certs like so:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)" (CSSMERR_TP_CERT_EXPIRED)
2) ACD43B6... "gdb-cert"
2 identities found
Valid identities only
1) ACD43... "gdb-cert"
1 valid identities found
In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:
$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
gdb-cert.cer: no identity found
because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:
or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain. In your case this would have to be the ~/Library/Keychains/login.keychain, in my case the System.keychain:
codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb`
That then gave me a working gdb and it should give you a signed application.
The Answer finally was very simple. My Private Key was missing.
For this I revoked the certificate and followed its steps in developer program (Especially creating CSR certificate during the process, which I did not get several times, unless I revoked the certificate).
As even
certtool y | grep "Developer ID Application: xxxx"
could not display any results, I guessed it was an issue of accessing the desired keychain. So first I verified, the private key could be accessed by any applications in the keychain itself and then I started to use the k=/Users/myUser/Library/Keychains/login.keychain option in the certtool command and as this succeeded I did the same with
codesign --keychain /Users/myUser/Library/Keychains/login.keychain --force --verbose -s "Developer ID Application: xxxx"
As even
certtool y | grep "Developer ID Application: xxxx"
could not display any results, I guessed it was an issue of accessing the desired keychain. So first I verified, the private key could be accessed by any applications in the keychain itself and then I started to use the k=/Users/myUser/Library/Keychains/login.keychain option in the certtool command and as this succeeded I did the same with
codesign --keychain /Users/myUser/Library/Keychains/login.keychain --force --verbose -s "Developer ID Application: xxxx
I want to create a safari extension on my Windows 7 pc. I have created a safari developer certificate properly but I couldn't really install it. After some googling, I tried importing it into Personal and Trusted Root Certification authorities. But Extension Builder keeps showing "No Safari Developer Certificate." I even revoked the certificate and created a new one. Still no luck. Can anybody help me?
When you enter something like certmgr.msc in the run command in Windows, you will get to see something like this:
So using the certificate consists of the following steps:
Save the file and run the command in cmd.exe as directed in the developer certificate generator in extension certificate developer.
When you are done, check the certmgr (shown in the image above) and see a certificate named "Safari Developer" installed somewhere near Certificate Enrollment Requests. Cut the certificate and paste one copy inside trusted root certification Authorities and another inside Personal.
Generate the csr file and install the file inside Personal folder and trusted root certification Authorities folder.
Extension builder will now recognize the certificate.