How do I resolve problems with my Signing Certificates in Xcode - xcode

System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]

I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an iOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is the password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1: The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked to what kind of Certificate to Create.
You need to select Apple Development to develop an app on your Mac. You may need an iOS App Development certificate to develop iOS apps, but I haven't found this necessary.
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kinds of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In Xcode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signing.
Also in Xcode, you go to Xcode/Preferences/Accounts. You should select the Apple ID on the left which is the same one you use to log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2: If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3: Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provides no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

Related

How to properly sign a Mac application for self-distribution?

I created a Mac file upload client application that implements a high-performance reliable data transfer over UDP protocol, based on the UDT library.
My setup:
MacOS Mojave
Xcode 10.3
Deployment Target: 10.10 (minimum for storyboard-based forms)
Now I'm trying to figure out how to sign it properly so end users can run it without doing a Gatekeeper override.
Here's where I'm at:
I have a paid Apple Developer account, delegated to me from an organization paid Developer account
I have roles assigned to me allowing me to manage apps, certificates, provisioning, etc.
I am signed into this account under Xcode accounts under Preferences.
I have created a bundle registration under the account, copied exactly from Xcode
I have created a Mac Distribution certificate, starting with a CSR from my development machine.
I have downloaded and imported the certificate into my machine's keychain (listed as "3rd Party Mac Developer Application:...")
I have created a provisioning profile for this app, with above certificate assigned, the profile type is App Store, but I will be distributing the app myself (is there a more correct provisioning type?)
Under Entitlements I chose "Custom Network Protocol", which sounds like an accurate description of my application.
I have imported the provisioning profile into Xcode and chose it under Signing (Debug) and Signing (Release) of my project's target, it automatically populated Team (the parent organization) and the above certificate.
I changed the scheme in the project to "Release" and built it for "Running", I get a keychain access prompt during build, and signing step completes successfully
codesign -vvv -d xyz.app returns the registered bundle, certificate, team, etc, all matching the above choices.
I placed the produced .app into a .dmg image and emailed it to myself
I downloaded the .dmg on another Mac and mounted it
I tried running the .app but got the following Gatekeeper message:
"XYZ" can't be opened because it is from an unidentified developer.
Your security preferences allow installation of only apps from the App Store and identified developers.
How do I get around this so a downloaded application will have an "Open" button in the Gatekeeper prompt by default? Some applications, GIMP for example, are correctly identified, even though they did not originate from the App Store.
What do I need to do to resolve this?
I kept digging at it and I found my answer:
https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution?language=objc
The type of certificate I needed was Developer ID and the type of provision Developer ID Application, which is what is intended for self-distribution of a signed Mac application.
After that it needs to be submitted to Apple for notarization to satisfy the requirement for 10.14.5+. After notarization had completed I was able to send the exported app to myself and it offered me an "Open" option for the app downloaded from Internet. This is the desired behavior.
It required me to request the account holder to issue me the Developer ID certificate by sending them a CSR, as Developer ID certificate option is greyed out for delegated users that are not the original developer account holder (admin role may satisfy, but I am not one so can't say).
Yay.

Xcode - How to add a private key to Development Certificate if it's created using the Revoke button

By mistake I pressed the Revoke button:
I went to developer.apple > Certificates and downloaded the new Development Certificate that was created from pressing the Revoke button. Afterwards one of the errors I got is:
The second part of the error says the certificate needs a private key (in orange).
In Xcode > Preferences > Accounts > App ID > Team > plus sign it says the expiration of that Development Certificate is 10/30/20, 12:04 AM:
When I look in keychain the certificate with that expiration date is there but there isn't an arrow on the left of it to toggle the nested private key:
How do I add a private key to the Development Certificate that was created using the Revoke button?
Btw the Distribution Certificate that was created after pressing the Revoke button did have a private key attached to it.
When you press the Revoke button you get issued a new iPhone Distribution certificate and a new iPhone Developer certificate. You can view these certificates inside the developer portal at developer.apple > certificates. Those certificates will also be inside your keychain. You use the certificate expiration dates to see which certificates correspond to what.
The problem with pressing the Revoke button is you will get an iPhone Distribution certificate with a private key, but the iPhone Developer certificate won't have a private key.
If you look into your keychain you will see this pic below. Notice the iPhone Distribution certificate has a gray arrow next to it but the iPhone Developer certificate doesn't:
That will cause the following 2 errors:
It causes a cycle where you press the Revoke button again and you wind up with the same 2 errors. I'm not sure why Apple did it this way but someone definitely made a mistake.
When you go to Keychain > login > My Certificates you will only see certificates that have a private key (the gray arrow indicates that). Since the iPhone Developer certificate from pressing the Revoke button doesn't have a key it won't be in there. According to this you need that key otherwise you'll get the errors:
If your iOS developer and distribution certificates do not appear in "My Certificates", then they are not correctly configured for use on your Mac. Please note that "Certificates" is a repository of all certificates your Mac holds, whereas "My Certificates" is the subset of certificates valid for your Mac to actually use - a certificate appearing in "Certificates" only is not enough.
If the certificate is not in My Certificates then this is most likely because you do not have the correct key for that certificate also on that Mac. You will need to locate the private key made for that certificate (i.e., from the original Mac which requested the certificate or a backup server).
As long as they do appear in My Certificates, then the key is there.
Since the iPhone Developer certificate won't appear in My Certificates the fix is after you press the Revoke button, delete the iPhone Developer certificate that it generates from BOTH the developer portal at developer.apple > certificates AND keychain. It's VERY important you delete it from keychain! Use the expiration date to locate it. Please keep the iPhone Distribution Certificate because that should work fine and have a key (indicated by the gray arrow).
After it's deleted from BOTH places you can manually generate a developer certificate yourself following these directions:
Generate a Code Signing Certificate manually
1- Open your Keychain Access.
2- In the upper left hand corner next to the Apple sign select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
3- Fill in User Email Address (just use yours) and the Common Name (just use your name) and select Saved to Disk. I selected Let me specify key pair information (maybe it's not necessary) but on the next screen just use the Key Size: 2048 bits and algorithm: RSA. Click on Continue and save the generated certSigningRequest file to your desktop.
4- Go to https://developer.apple.com and log in to your account.
5- Select Certificates, IDs & Profiles from the left sidebar.
6- Go to Certificates and click on the + button on the top right corner.
7- Select iOS App Development and click Continue.
8- On the next page you see the instructions for creating the certSigningRequest file. Click continue.
9- Upload the created certSigningRequest (from the 3rd step, the one saved to your desktop) to the form and click continue. It will generate your code signing certificate for you.
10- Download the certificate and double click to install it. Once installed it will be added to your Keychain Access app. Assuming it saves to your download folder you can just go in there and double click it.
Once you do those steps both errors should go away.
If you continue to have errors look at the certificates in both the portal at developer.apple > certificates and keychain > My Certificates. If anything is in the portal but isn't in My Certificates then you need to find it in Keychain Access (look in keychain > Certificates), delete it, and delete it from the portal.
It took me a while to figure this out but the expiration date is the key to locating messed up certificates.
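Both this answer and the earlier one about missing Private Keys come down to the same check: does every signing certificate in the keychain have a matching private key (the gray arrow / "My Certificates" test)? The script below is an added example, not code from any of the posters. It parses the output of the macOS commands `security find-certificate -a -Z` and `security find-identity -p codesigning` (output shapes assumed from typical runs; the embedded sample text is constructed) and reports certificates that have no identity, i.e. no private key on this Mac, as well as identities that have a key but are invalid (expired, revoked).

```python
"""Audit code-signing certificates in a macOS keychain for missing private keys.

Added example. Assumed output shapes:
  security find-certificate -a -Z        -> "SHA-1 hash: <40 hex>" + '"labl"<blob>="..."'
  security find-identity -p codesigning  -> ' N) <40 hex> "label" (CSSMERR_...)' per identity
A certificate present in the first list but absent from the second is the
"no gray arrow / not in My Certificates" case from the answers above.
"""
from __future__ import annotations
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

CERT_HASH_RE = re.compile(r'^SHA-1 hash:\s*([0-9A-Fa-f]{40})\s*$', re.M)
LABEL_RE = re.compile(r'"labl"<blob>="([^"]*)"')
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"([^"]*)"(?:\s+\((\w+)\))?\s*$', re.M)
# Labels Apple uses for signing certificates; anything else (WWDR roots, TLS) is ignored.
SIGNING_PREFIXES = ("Apple Development", "Apple Distribution", "iPhone Developer",
                    "iPhone Distribution", "Developer ID Application",
                    "Developer ID Installer", "Mac Developer", "3rd Party Mac Developer")

# Constructed sample output (hashes are placeholders, not real certificates).
SAMPLE_CERTS = '''SHA-1 hash: 1111111111111111111111111111111111111111
attributes:
    "labl"<blob>="Apple Development: Leon W (ABCDE12345)"
SHA-1 hash: 2222222222222222222222222222222222222222
attributes:
    "labl"<blob>="Apple Distribution: Leon W (ABCDE12345)"
SHA-1 hash: 3333333333333333333333333333333333333333
attributes:
    "labl"<blob>="Apple Distribution: Leon W (ABCDE12345)"
SHA-1 hash: 4444444444444444444444444444444444444444
attributes:
    "labl"<blob>="Apple Worldwide Developer Relations Certification Authority"
SHA-1 hash: 5555555555555555555555555555555555555555
attributes:
    "labl"<blob>="iPhone Developer: Leon W (ABCDE12345)"
'''
SAMPLE_IDENTITIES = '''  1) 1111111111111111111111111111111111111111 "Apple Development: Leon W (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "Apple Distribution: Leon W (ABCDE12345)"
  3) 5555555555555555555555555555555555555555 "iPhone Developer: Leon W (ABCDE12345)" (CSSMERR_TP_CERT_REVOKED)
     3 identities found
'''


@dataclass
class CertStatus:
    sha1: str
    label: str
    has_private_key: bool
    problem: Optional[str]  # validity code from find-identity, None when valid


def parse_certificates(find_certificate_output: str) -> dict:
    """Map SHA-1 -> label for every certificate record; records start at their SHA-1 line."""
    certs = {}
    for rec in re.split(r'(?=^SHA-1 hash:)', find_certificate_output, flags=re.M):
        h = CERT_HASH_RE.search(rec)
        if h:
            lab = LABEL_RE.search(rec)
            certs[h.group(1).upper()] = lab.group(1) if lab else "<no label>"
    return certs


def parse_identities(find_identity_output: str) -> dict:
    """Map SHA-1 -> problem code (None if valid). Only certs WITH a private key appear here."""
    return {m.group(1).upper(): m.group(3) for m in IDENTITY_RE.finditer(find_identity_output)}


def audit(find_certificate_output: str, find_identity_output: str) -> list:
    identities = parse_identities(find_identity_output)
    return [CertStatus(sha1, label, sha1 in identities, identities.get(sha1))
            for sha1, label in parse_certificates(find_certificate_output).items()
            if label.startswith(SIGNING_PREFIXES)]


def report(statuses: list) -> list:
    """One human-readable line per signing certificate."""
    lines = []
    for s in statuses:
        if not s.has_private_key:
            state = "MISSING PRIVATE KEY - not usable for signing on this Mac"
        elif s.problem:
            state = f"has key but is not valid ({s.problem})"
        else:
            state = "OK"
        lines.append(f"{s.sha1[:8]}  {s.label}: {state}")
    return lines


def audit_this_mac() -> list:
    run = lambda *args: subprocess.run(["security", *args], capture_output=True, text=True, check=True).stdout
    return audit(run("find-certificate", "-a", "-Z"), run("find-identity", "-p", "codesigning"))


if __name__ == "__main__":
    statuses = audit_this_mac() if sys.platform == "darwin" else audit(SAMPLE_CERTS, SAMPLE_IDENTITIES)
    print("\n".join(report(statuses)))
```

On a Mac the script queries the login keychain directly; elsewhere it runs against the constructed sample so the logic can be read and tested offline.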
Unfortunately there is no way to make it work. I am on Mojave, so:
I installed Big Sur on an external hard drive and booted it from there.
Installed Xcode 12.
Created an empty project.
I am also a member of a paid team, but this is unnecessary.
Signing and creating the certificate went smoothly without errors.
I selected Keychain Access in System Preferences > iCloud.
I exported my certificates and keys to an external drive partition that is visible from Mojave.
Restarted and booted Mojave.
Imported the certificates.
And THIS IS NOT WORKING, neither for a paid account nor a non-paid one. My certificates are marked as not trusted and Xcode 11.2 still has problems with repairing and fixing things. I got 8 emails that my certificates were revoked in the process.
So this is probably a Mojave thing, as Apple thinks the system is not secure. Which is funny because yesterday I installed the latest security update for Mojave (after which I lost my Mac Mini built-in speakers :( )
This looks like a serious bug on Apple's side. I reported it through Feedback Assistant but I doubt they will ever fix it, so for now I have to say goodbye to coding for Apple platforms.

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage

I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.
When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.
I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to them. Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In future, once you have it all working I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certificate whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app; it can also be reached by selecting project > Targets > General > Signing.
Hope that helps you, best of luck!
There are some possible reasons for certificate evaluation failure:
The certificate may be not for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in the Keychain Access app for test purposes, following this and this tutorial. Make sure to enable it in "Get Info" > "Trust", set as "Always Trust".

Your account already has a valid Developer ID Application certificate

The last couple of days I've struggled with code signing my Cocoa app in Xcode. I've read through all similar topics that looked to be related, but nothing has helped.
Whenever I try to export my archive I get this error message:
I've tried to delete everything in my keychain and all profiles/certificates that I'm allowed to delete/revoke in the member center. However, I still get the same error with no "Fix" or "Reset" button. How should I proceed in order to get my application signed for distribution outside of store?
Go to Preferences -> Accounts, choose your account, click "View Details" in the bottom right corner and in the dialog click Download all in the bottom left corner.
Also, take a look at fastlane.tools. It is a great set of tools, which is, among other things, capable of dealing with code signing issues. Calling cert and sigh is sometimes enough to deal with many code signing-related problems.
I had installed my Developer ID Application Certificate on a different Mac and was getting the same error as in the question when I tried to use that certificate on a "new" Mac.
This fixed it for me:
I still have the other Mac so I exported the Developer Accounts from that one again:
Go to Xcode | Preferences | Accounts
Click the "cog" in the bottom-left-hand corner next to the plus and minus signs
Click "Export Developer Accounts"
Save the exported file somewhere accessible to your other Mac
Then, on my "new" Mac:
Go to Xcode | Preferences | Accounts
Select the Apple ID that represents my dev certs
Click the minus sign in the bottom left hand corner to delete that account
Quit Xcode
Open Key Chain Access
Delete all Developer Certificates
Close Keychain Access
Go to Xcode | Preferences | Accounts
Click the "cog" in the bottom-left-hand corner next to the plus and minus signs
Click "Import Developer Accounts"
Select the file exported on the "old" Mac above and import
I'm hitting this same issue.
The error appears to be telling you that valid Developer ID Certs have been created under your developer account, but they are not currently on your Mac, so they cannot be used.
The solution would be to download the Developer ID Cert(s) from the web. However, you likely do not have the Private Key used to sign these certs. So at this point they are rather useless.
In my case, the further problem is that I already have 5 Developer ID Certificates in my account. I'm not quite sure where these came from. They were created years ago, perhaps when I was attempting to create Mac App Store certs? Or perhaps by clicking that damn Fix Issue button...
There appears to be a limit of 5 Developer ID Certificates per developer account, by default.
Developer ID Certificates are created, now, through Xcode rather than via the Members Center:
However, in Xcode, there is no longer a button to "Create" a new cert. The only button is "Reset". This button simply links me back to the Members Center in my web browser, so is completely useless...
Via the Members Center, Developer ID Certificates cannot be revoked, as you would an iOS or Mac App Store certificate. The "Revoke" button is Grayed out.
You can’t revoke Developer ID or Pass Type ID certificates using Member Center. Instead, send a request to Apple at product-security#apple.com to revoke these types of certificates.
Apple will only revoke these certificates in cases of security, to disable installation of the app on all client machines. I've tried emailing the above address, and they told me they could not revoke the cert.
The solution, then, is to have additional Developer ID Certificate slots added to your account, past the limit of 5.
Product Security told me, rather than revoking the certs,
We encourage you to contact Apple Developer Connection at https://developer.apple.com/support/ to resolve the issue you’re experiencing.
I've now contacted developer support. I recommend calling. They are currently, hopefully, setting up new Developer ID slots on my dev account.
When you create a new Developer ID Certificate that you will actually use, be sure to back up the Certificate and Private Key so that you do not hit this issue in the future.
EDIT:
I waited for over a month, I believe, with no response. I happened to have a ticket to an Apple TV Tech Talk and talked to an Apple representative at their lab. He was able to reset my Developer ID Certificate limit in about 5 minutes. So this is possible, but to expedite the process I would attempt to talk with a Developer Evangelist at Apple either in person or over the phone.
One issue could be the private key is missing for your developer cert. With Keychain Access find your developer cert and verify it has a little triangle beside it. Click on the triangle to reveal the private key.
If it's not there you'll need to restore this private key from the Mac you created your certificate.
Otherwise, delete the cert from the Apple Developer website and then create a new one.
Same issue here but I was using "automatically manage settings" on Xcode 8. And for a particular reason there were two distribution certificates in my developer account.
Xcode seems to choose the most recent automatically and I didn't have it installed on my Mac. So I switched to the old way by creating my app ID and my provisioning profile manually (which use the appropriate certificate) and it works :)
I had a similar issue. I've discovered that my provisioning profile was invalid since I've updated my iOS Developer certificate. After PP regeneration everything works as expected.
I ran into this same issue, and I fixed it at last. There are some tips:
In Xcode -> Preferences -> Accounts, click the View Details button, then click the Download All Profiles button.
In Keychain Access, check if the certificate exists. If not, choose File -> Import Items, then choose the .cer file you downloaded from the developer website.
Hope it helps.
On Xcode Version 8.3.3 go to Preferences -> Accounts -> Manage Certificates -> then click (+) -> on the dropdown menu click iOS Development. Do the same for iOS App Store -> Done -> Download All Profiles.
If you have changed the machine, exporting the developer account from the old Mac and then importing it into the new Mac solves the problem.

Questions about code signing Mac App with Developer ID

I have several questions about signing Mac App with Developer ID:
First of all, I'm working on a project utilizing GateKeeper. So I have to(?) sign my App with Developer ID.
Do I need a provisioning profile to sign with Developer ID?
In the build settings tab, the Developer ID certification is marked as Identities without Provisioning Profiles. Looking around in Mac Provision Portal, I found no place to generate provisioning profile to match Developer ID cert rather than submission certs.
So do I need a provisioning profile to sign with Developer ID?
After archiving my app, when I chose Export Developer ID-signed Application in the organizer, my Developer ID certification is marked with a yellow warning icon. But I can still chose the cert and sign it. Is it OK?
After signing my app, I used sudo spctl -a -v MyApp.app to test my app, with sudo spctl --master-enable run before that. The result is as follows:
EIM.app: rejected
source=Developer ID
Is this rejection related to the warning in question 2?
It's my first time distributing Mac App with Developer ID, thanks for any help.
Re: Provisioning profiles and DeveloperID— they are unnecessary. You should be able to accept your DeveloperID in the automatic section of the Code Signing Identity portion of the Build Settings. If you cannot, your key may be missing or there may be something else wrong with the database that contains the information.
First, go into Keychain Access and verify that your DeveloperID certificate has an accompanying private key associated with it (this will be visible under a disclosure triangle). If it does not, then you should go check around to see if you saved off the key related to that certificate anywhere, because if you can't find and reimport it (from, for example, a Developer Profile exported from Xcode), you will need to revoke and reissue the certificate, since there's no way to sign it.
Second, there is a known bug in 4.6.1 that can corrupt a cached database containing information from the developer portal. There's no specific indication that this behavior can be caused by this problem, but before following the next step, you might want to give it a try. Basically, you will need to quit Xcode, move aside (or delete) ~/Library/Developer/Xcode/connect1.apple.com 4.6.1.db (yes, there's a space in that file name), restart Xcode, go to the Organizer and Refresh your profiles and certificates.
If this doesn't work, you may want to consider revoking your Developer ID.
WARNING If you have successfully distributed code with the certificate, do not revoke it until you have visited Apple's web site (https://developer.apple.com/support/technical/certificates/) and thoroughly understand the implications to shipped code for revoking a developer id. Specifically that installed software will continue to work, but users will not be able to install/reinstall binaries signed with the original certificate.
If you have never successfully distributed code with the certificate (or if your key is irrecoverably lost), you may want to go to the portal and revoke and then reissue your Developer ID certificate. Once you have revoked it, you can create a new certificate by requesting a new certificate.