Provisioning for Xamarin iOS - profiles existing but not recognized by VS2019 - xamarin

This is a copy of the question i asked on Xamarin forums with no luck yet, so here it is here too.
I have:
VS2019 paired to Mac (in cloud, no physical access)
Apple developer account
Followed manual and automatic provisioning guides on Microsoft's web site
Set up several development and distributions certificates, identity, app id, etc., with matching bundle id (info.plist, develeoper portal etc)
I have two scenarios:
1) With automatic provisioning in bundle signing the process completed successfully, but when i try to archive i get the error "codesign exited with code 1
2) With manual provisioning I can select various signing identities but either get:
a) no provisioning profile if i select distribution identity, or
b) unknown - and then in brackets various profiles i tried to create during the course of the nightmare
When i check options->xamarin->apple accounts i can see several distribution and development profiles and certificates.
Profiles and certificates
Can anyone help me get to the bottom of this? I have probably not included everything that people might think it's relevant so just ask away what else should i post. I can also live chat or talk on skype or whatsapp, or call someone internationally, or whatever other method you find most suitable.

Related

How to Create a Provisioning Profile for Mac App Distribution

After completing all MAC development, only the deployment stage remains.
I'm a complete beginner developer on MAC.
But when I was deploying, the gatekeeper blocked me, and when I deployed I knew I had to build with a new provisioning file.
So I tried to make it on the Apple Developer site but all failed )-:
Please see below for the steps I followed
Generate a certificate on the MAC PC (.CSR)
Create a Developer ID Application certificate in the Certificates, Identifiers & Profiles screen (using the .CSR created in step 1)
After that, I went to Profile and selected the option to deploy using Developer ID and proceeded, but only the message that there is no certificate is displayed as shown below.
Does anyone know how to solve this problem?
Failure to create a provisioning profile using Developer ID when there is an actual certificate is an Apple problem, and the problem has been resolved in Apple Korea.
It took Apple about 3 weeks to solve the problem, and when I got a response and checked, it worked normally.

Xcode: "Your account does not have permission to create iOS Distribution Certificates" as Team Member

Forward: There are many similar SO questions with regard to this error. I've visited dozens of them over the past days, but none seem to have a solution to my problem. They mostly are from developers with full admin rights, unlike myself. Most solutions are also hacks or unclear.
I am a member of a developer team at Apple's developer.apple.com site. I've been charged with uploaded an iOS application I've developed to iTunesConnect, in order to be able to deploy it with TestFlight.
In order to successfully accomplish this. I asked for the following to be done.
That I be added as a member developer. See certificates here.
A matching App with the same bundle-ID be created for me on iTunesConnect.
A Distribution provisioning profile be added at developer.apple.com for my specific App.
Despite all of this. When I try to validate the app, I'm met with the following message.
It would appear from a manual signing attempt that because the provisioning profile was created by a team administrator, that I cannot sign it without their private key. Assuming this is correct, then how can any developer ever distribute apps if:
A distribution provisioning profile requires you be the creator in order to be validated.
Only a team admin can create a distribution provisioning profile.
This appears to be a paradox.
What can be done to resolve this conflict? I am only a member of this development team temporarily, and would like to formulate a clear solution to this problem so that I do not test their patience with repeated troubleshooting questions. To make it easier to answer this question, I've attached some extra images that might be useful.
My app's general panel in Xcode when using automatic signing. It shows I am signing on behalf of the team.
Solving this problem required two steps.
A certificate signing request (CSR) was created and sent to the developer who had created the distribution provisioning profile. You can create a CSR by going to: Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority. Once I received this CSR back from the developer, I double clicked it to install it in my keychain. It then appeared as so:
Next, the developer had to add the certificate they sent me to the provisioning profile for the app on developer.apple.com. I then downloaded this provisioning profile again and selected it in within Xcode as seen below.
Once this is completed, you should be able to validate the application.
I got this error when my ExportOptions.plist file had the wrong value for the method. I had "enterprise" rather than "ad-hoc". (This is the file passed to xcodebuild via the -exportOptionsPlist option.)

Enterprise account expired - all certificates deleted

I have a client who forgot to pay for their enterprise account and therefore their apps stopped working, as expected.
However, one would think that it should be sufficient to just start paying again to be able to use the apps as before. But as it seems, all certificates in the apple developer portal are now deleted?!
Is this expected behaviour or will they show up after some time again?
As it is now, we will have to rebuild all apps again with new distribution certificates. Is this the solution?
Short answer to your question:
I wouldn't expect the certs to automatically reappear. I recommend opening a support incident with Apple. Since the account was recently renewed, you should have two incidents available.
There's this section of the App Distribution Guide which talks about re-creating deleted certificates but I'm guessing it's more geared toward iTunes distributed apps and circumstances where certificates (private keys) are deleted but not revoked at Apple's CA.
Instead of recompiling your apps, you might be able to instead push out updated Provisioning Profiles and Certs. See below for more details.
Additional info:
It makes sense that Apple would revoke Enterprise certs upon membership expiration since that's the only way they could force apps to stop working. Since Enterprise apps stop working when either the Provisioning Profile or the Certificate expire, Appple can't push out an expired Provisioning Profile, and there's no in-app check for a Profile either (which is why if you delete your Profile in the developer portal, it won't affect any already downloaded/installed apps), which leaves the only other option: revoke the certs. The affected apps stop working once they sync with Apple's CA. Devices without connectivity will continue working until the Profile expires.
It may be possible to remove your certs from the Certificate Revocation List (CRL) but Apple support would be your only likely resource to help with this.
If you're out of options for re-enabling your old certs, you can update the Provisioning Profiles (and I think Certs) and push that out without recompiling all your apps. Also, if you use wildcard App IDs, an update to one app Provisioning Profile will apply to all installed apps that share that App ID.
If your users' devices are managed via MDM, it's possible to push updated provisioning profiles via MDM, and according to this post, via Device Enrollment Program (DEP). I thought I read a while back that you could also update provisioning profiles from a desktop/laptop to a connected device using iTunes - not sure where that is now. I don't know if it's possible to direct users to a link to update the Profile OTA like they would install an app.
I hope this helps in some way. Please let us know what happens - I fear the same could happen to me, whether a cert is deleted by Apple or a haphazard developer.

How to avoid "unidentified developer" error by gatekeeper

As a developer of an app it could be quite a turn off if half of your users cannot open your app because they get following error.
[i know there is a workaround by going to sys preferences->security-> allow apps from "anywhere" but users of our apps are kids, they may not be in the best position to know how to do that]
What things I need to take care of in oder to avoid this warning, or to get apple developer identity?
This app has been published on App Store, so all the provisioning profiles and certificates are there. Now we want to put the app on our website, but before doing that we want to eliminate this gatekeeper hurdle.
In the screenshot above you can see that the right developer is selected while archiving.
The signing identity used for App Store submissions and for independent publishing are different. The latter requires a Developer ID identity be used. See Distributing Applications Outside the Mac App Store for more information about the process.

Cannot renew an Ad Hoc profile before it expires because no certificate matches the certificate ID

My Ad Hoc profile is about to expire in 14 days. There is a a "renew" button for my ad hoc profile in the organizer but when I click it I get...
There are no current certificates on this team matching the provided certificate IDs.
The profile in the provisioning portal shows active, expiring on the 30th. I also see a distribution certificate with the same expiration date. I must assume that this certificate is the one that was used to sign the profile. Is there any way to fix this without revoking and creating a new ad hoc profile and certificate?
If I have to start over, what is the best way to proceed without messing up my testors.
There are a lot of posts and answers on this subject but I can't find any that address this particular problem with the certificate not matching the certificat ID of the profile.
Ad-Hoc Provisioning Profiles are composed of three main elements:
Exactly 1 AppID
The Public Key of your Distribution Certificate
One or more Registered Test Device IDs
When you first generated this Provisioning Profile (about a year ago if your current one is expiring soon!), you instructed it to use your then current Distribution Certificate when constructing that provisioning profile -- the resulting Ad-Hoc Profile's expiration date is set to match the expiration of the Distribution Certificate as you can't launch an app signed with an expired certificate (Aside: This doesn't necessarily apply in Jailbroken scenarios...)
Your main question of 'Can it be fixed without revoking?' is a solid 'No' -- Even if you could make adjustments, the soon-expiring Distribution Certificate would cause the newly reissued Ad-Hoc Profile to have an expiry matching that of the Distribution Certificate. You'll be back in this same situation in 14 days when both your certificate and Provisioning Profile have both expired. Unfortunately at that time you'll also have a new problem, any existing builds you have out to your testers will no longer launch as the signing certificate and provisioning profile will have lapsed.
Instead, these last two weeks are your opportunity to be proactive and get your users migrated to a new build with a new Certificate and Provisioning Profile. With my own testers, I treat the last few weeks of my current Distribution Certificate as a migration window to get builds switched over and get my testers to download and install the latest test build so that they can keep going with their testing. The great news is that you caught your certificates expiring with more than enough time to get things straightened out and get your testers migrated -- some aren't so lucky and have to play catchup after things have expired and have testers shouting about your app crashing/no longer launching...definitely an undesirable outcome for any developer, especially if you are a one-person shop and having to coordinate both development and beta tester communications yourself.
So what do I have to do?
At a high level, doing the migration is nearly identical to getting this Ad-Hoc profile setup the first time -- It just requires cleaning up the old data from your Keychain and Provisioning Profiles as well as sending out some tester emails encouraging your team to upgrade once you make a new build available to them. At a high level this process looks like this:
Revoke your existing Distribution Certificate and reissue a new Distribution Certificate.
Delete the existing Distribution Certificate from your Keychain and install the new one.
Update and install the now 'Invalid' Ad-Hoc profile to use your newly created Distribution Certificate
Update Code Sign Build Settings if necessary.
Construct and issue your Ad-Hoc build to your testers.
Wait -- Won't revoking my existing certificate disrupt my testers?
Nope, not in the least bit! Your existing Ad-Hoc builds will continue to work perfectly well until after the expiration date because they have all the information they need to verify code signatures right inside the Ad-Hoc build you've already sent them. Once the certificate expires, however then things will fail to launch and you'll have screaming testers on your hands.
I'm going to assume that you are using an Individual account, so certificates will appear in the format "iPhone Developer: FirstName LastName" and "iPhone Distribution: FirstName LastName". If you are using a Company Account, then the format will be slightly different. I'm also going to assume that you only have your one account; if you are enrolled in multiple developer accounts, take extra care when searching for and deleting your existing certificates and profiles from Keychain as there may be multiple similar entries.
To begin, quit out of Xcode and then head over to developer.apple.com/ios login to the "Certificates, Identifiers & Profiles" area. This is formerly known as the "Provisioning Center".
Revoking and Reissuing the Distribution Certificate
Navigate to the Distribution Certificates Area.
Locate your soon-to-expire Distribution Certificate and revoke it. You'll likely encounter a message informing you that revoking this certificate will invalidate any linked provisioning profiles -- that is entirely expected and OK. In fact, that is exactly what we want it to do so that you can get things updated!
Click the 'Add' button in the upper right corner and walk through the steps to make a new "App Store and Ad Hoc" Distribution Certificate. Download the file to your machine, but don't install it just yet -- we should clean up the old certificate from your Development Machine first.
Deleting the Revoked Certificate and Installing the New Certificate
Open Keychain Access and search for 'iPhone Distribution'.
Delete any blue certificates that match 'iPhone Distribution'. The certificate icon may also show a red 'X' indicating that it is either expired or revoked. These may be cleaned up as well as they are no longer of use.
Double-click the newly downloaded certificate and install it.
Edit the Ad-Hoc Provisioning Profiles
Navigate to the Distribution Provisioning Profiles section and locate your Ad-Hoc Profile.
Edit that profile updating the test device list if necessary.
Click Generate and download the newly created Provisioning Profile. If the Generate button is disabled check that there are no special characters in the Provisioning Profile's name and that you've selected at least one test device.
Drag and drop the newly downloaded provisioning profile on to Xcode. Any old versions of the profile may be deleted from Organizer.
At this point you should be back in business and ready to update Code Sign settings if necessary (that is, if you set them to match a specific profile instead of using the Automatic Profile Selector option you'll need to update that setting to point to the now current version of your Provisioning Profile).
Again, you are fortunate in that you are taking steps to get this issue fixed while you testers are still able to use your app and not having to rush or hurry to get this done. Take your time and make sure to cleanup the older certificates and expiring provisioning profiles to make it easier for Xcode to figure out that you want it to use the newest profile.

Resources