I'm facing a weird situation. For Apple Push Notification I can't export a .p12 file from Keychain Access. I can highlight both items and click on Export 2 items, but after that nothing happens. All steps are correct, as I've been doing it all the time. It seems something is wrong with Keychain Access or my Mac? I did it successfully a few days back for another key and it worked; exporting for this old one doesn't work now. I don't think there is any error or problem in generating the certificate, otherwise it should work for older keys.
Login is selected in left pane. Any suggestions?
This problem also happens when you happen to have selected the wrong keychain (like if you accidentally had single clicked on the System keychain rather than Login keychain). If the cert signing request came from that machine, it would associate the private key with the Login keychain. So if you somehow then downloaded and imported the certificate into the System keychain, Keychain Access would not find the matching private key and would not put the cert under "My certificates", and cannot export a p12. You might as well have tried importing to the keychain on a different Mac.
So, make sure the import is into the keychain associated with the private key. Often this would be the Login keychain.
Rebooting machine worked in my case.
Disclaimer, I am a Java developer not an Apple developer and therefore only use Apple specific tools very rarely.
I develop a Java application, and as part of my build from the command line I sign it with an Apple Developer Id certificate as follows:
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --sign "Developer ID Application: P Taylor" --force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign --verify --deep --verbose /Applications/SongKong.app
Unfortunately when I tried to build today there was an error because the certificate had expired a few days ago; it was originally created 5 years previously.
So I renewed an Apple Developer membership (which had also expired) and eventually found a way using KeyChain to create a CertificateSigningRequest.certSigningRequest file, which I then uploaded to Apple, and it generated a developerID_application.cer file. I opened this and it was added to KeyChain.
I then reran my build, but it failed because it now found two certificates.
I then deleted the old expired one and reran, this time it seemed I had to give access to use the certificate by entering my KeyChain password. Unfortunately this does not seem to be the same as my main Mac password and hence I eventually had to ForceQuit and reboot.
In order to reset the KeyChain password I followed steps online to:
1. Open KeyChain Access.
2. From the KeyChain Access menu, choose Preferences.
3. Click General, then click Reset My Default KeyChain.
I then reran my build but although the certificate seems to be there it reports 'no identity found'. I think because having created a new KeyChain I have removed my personal identity (is this Certificate Authority?).
So now I only have the Developer Id certificate but not the other parts and don't know what to do.
Question 1: When I selected Reset My Default Keychain it said the old keychain was kept somewhere, so my first question is can I make that the default again and then possibly there is a way to actually reset the password or perhaps I will be able to guess it.
Question 2: If I cannot do Qu.1 what do I need to do to recreate the personal certificate part that I am now missing. Remember the whole point of this is simply that users can install my software on their Macs without getting warnings about untrusted developers.
Well I resolved it. I followed these instructions in order to restore my previous keychain, basically:
1. In KeyChain Access select Delete Keychain "login", and ensure you choose Delete References when prompted, not Delete References & Files.
2. Open Finder, and go to Folder ~/Library/Keychains
3. Rename login.keychain to login.keychain.old
4. Rename login-renamed-1.keychain to login.keychain
5. In KeyChain Access select Add Keychain and select the login.keychain file
6. Restart KeyChain Access to see the correct results
But then I still had the problem that when I tried to sign I was prompted for the KeyChain password and I didn't know it.....
However in KeyChain Access I went to Edit:Change settings for keychain "login"
and entered what I thought was old password and new password, and it accepted the change even though when I used the password to sign it failed
I then ran sign and entered the new password when prompted and it was accepted.
I verified the signature, uploaded the build, downloaded, installed and ran it to ensure there was no problem with the build, and it was fine. So I hope this answer helps other non-Apple developers struggling with their tools.
To change whether a root certificate is trusted, open it in Keychain Access and modify its Trust Settings. New root certificates should be added to the login keychain for the current user, or to the System keychain if they are to be shared by all users of this machine.
I have tried removing all certificates and adding them again, but I am still getting this error. I also tried dragging and dropping the certificate on the "Certificates" section, and it was added successfully, but it was not displayed in Xcode.
I also tried This link
I'm trying to export the APNs certificate as a .p12 file.
But after I double-click on the .cer file, I can't find it under "My Certificates", and I'm not allowed to export it as a .p12 file (only as .cer, .pem, .p7b).
Why? I created this certificate on the same computer.
The issue seems to be with your private key. If the private key associated with the certificate is missing, then the certificate will not be displayed in the keychain under the "My certificates" section. You can still see it under all certificates.
Create a new certificate with a new certificate signing request file and try to install it on the Mac. This may solve your problem.
I ran into this issue and decided I'd just let fastlane do the work: https://docs.fastlane.tools/actions/pem/
It generated the correct files and I was on my way in less than 30 seconds!
Thanks Fastlane!
I just ran into this myself. It seems that if in Keychain Access you try to export the certificate from the All Items tab, it just tries to export the certificate without the key. When trying to export from the My Certificates tab, it worked as expected and I could export as .p12.
I've downloaded the .cer file from the developer account. Double-clicking on it adds that file in the Certificates section, but when I go to the Keys section to export the key, I am not able to see the key that I need in order to export it as a .p12 file.
This is a common issue. The solution is simple:
Whoever created the developer credentials originally needs to go to the keychain on their computer, right-click on the key(s) for private and public, and export the key to a file. Then you just download that file on your computer and open it, and it will be added to your keychain.
You need to have both the private key (.pem file) and the certificate for your provisioning profiles.
From:
https://stackoverflow.com/a/12867936/3901620
Actually we are using two Mac machines to develop a package on Mac using Xcode. Only one Mac has a certificate, and that one is in a different country. We exported that certificate for the local Mac, but when I try to do code signing using that certificate I get the error "Could not find appropriate signing identity for “Developer ID Installer: ID”". I am not able to add the code signature. What are the steps to import a certificate properly?
That message is usually indicative that you don't have the private key necessary for signing, just the certificate, which is insufficient.
For exporting signing identities, your best bet is to use the Accounts preference panel in Xcode.
1. Launch Xcode on the machine you are sending the signing information from
2. Choose Xcode > Preferences
3. Select the Accounts tab
4. From the gear menu, choose Export Accounts and select the file you want to place the information in and enter a password
5. Transport the exported identity file to the receiving machine
6. Follow steps 1-3 on the Receiving machine
7. From the gear menu, choose Import Accounts and select the file you have just brought over, entering the password when asked.
This should import the entire signing identity, including the certificates, provisioning profiles, and private keys.
Via Keychain Access
If, for some reason, your Xcode on the machine that you are sending the signing information from does not have any accounts listed, you may be signing with a script or from the command line and using the identity information without loading the accounts directly into Xcode's UI. If possible, I would encourage adding your account to Xcode using the Accounts tab in order to get the automatic behaviors that Xcode provides, but it may not be absolutely necessary, especially if you are doing Developer ID only (non AppStore) distribution.
To export from Keychain Access, you will need to export both the Signing Certificate and the Key. The Signing Certificate is also available from Apple's Developer portal, but the key never leaves your machine directly (only a fingerprint of it is sent in the CSR), so if the original key does not exist on a machine that your organization has access to, you may need to Revoke your existing key and create a new one.
To locate your key in Keychain Access do the following:
1. Launch Keychain Access
2. Click on My Certificates
3. Look through the list or use the search box to find your certificate (Searching on Developer ID should yield any Developer ID-related certificates)
4. Each certificate which has an associated private Key will have a disclosure triangle to the left, click on that to expose the keys
5. This Key may be exported by selecting the key and certificate (make sure they're both selected, or export them one at a time) and using File > Export Items
6. Provide a password when prompted to protect the export file
7. Copy the exported file(s) to your other machine
8. Use Keychain Access and File > Import Items to import the certificate/key to the new machine
NOTE: If you lose your private key, you will need to revoke your certificate, generate a new key, and create a new signing certificate. Don't do this without first making sure you have no available copies of the key. The specific implications depend on what kind of certificates are signed with the key, but you will need to regenerate all of the certificates that used the previous key.
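Several of the problems on this page come down to a .p12 that holds a certificate but no private key. The following is an added example, not code from any of the posts above: a check to run on an exported file before copying it to another machine. The function name `p12_identity_status` is hypothetical, and the script assumes the `openssl` command-line tool is installed.

```bash
#!/bin/sh
# Added example: classify a PKCS#12 (.p12) export before moving it between machines.
# Usage: p12_identity_status FILE PASSWORD [extra "openssl pkcs12" options]
# Prints one of: identity | cert-only | mismatch | unreadable
p12_identity_status() (
    p12=$1
    P12_PASS=$2
    export P12_PASS   # passed via the environment so it does not show up in `ps`
    shift 2           # anything left is handed to `openssl pkcs12` (e.g. -legacy)

    # 1. Certificate: take the first certificate in the file and get its public key.
    certs=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys "$@" 2>/dev/null) || certs=""
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -pubkey -noout 2>/dev/null) || cert_pub=""
    if [ -z "$cert_pub" ]; then
        echo unreadable   # wrong password, not PKCS#12, or no certificate inside
        return 1
    fi

    # 2. Private key: decrypted only into a pipe, never written to disk.
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes "$@" 2>/dev/null |
        openssl pkey -pubout 2>/dev/null) || key_pub=""
    if [ -z "$key_pub" ]; then
        echo cert-only    # what you get when only the certificate was exported
        return 1
    fi

    # 3. A usable signing identity needs the key that belongs to this certificate.
    if [ "$cert_pub" = "$key_pub" ]; then
        echo identity
        return 0
    fi
    echo mismatch
    return 1
)
```

Only a file reported as `identity` can be used for signing after import. On the receiving Mac, `security find-identity -v -p codesigning` lists the signing identities the keychain can use once the file has been imported.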