Renew Apple Push Services certificate - apple-push-notifications

The Apple Push Services certifcate is about to expire in a few days.
To renew the certificate a new certificate has to be requested, and then the current certificate can be rewoked (or left to expire..). The new certificate then has to be uploaded to the service used to handle the notifications (in my case Firebase Messaging).
I have a hard time wrapping my head around who can update the certificates, without breaking the push-notifications and causing the app to be updated.
Does the new certificate has to be requested by the same APPLE-ID as the current? Or can anyone else of the mantainers with role "Admin" or "App Manager" (https://appstoreconnect.apple.com/access/users) update it with their account?
The .CSR file from Apple Keychain can be created by any APPLE-ID, or only by the APPLE-ID who created the original? Do I need the original .CSR from the current certificate?

The Apple ID of the requester does not really matter. As long as they belong to the same team on App Store Connect and have the necessary rights, they can do that. The fastest way is probably using a tool like https://docs.fastlane.tools/actions/pem/ or kind of the "web version" of that https://onesignal.com/provisionator

Related

App Store Connect Notary Service Agreements Error

I'm signing my macOS application with a Developer ID Application Certificate and sending it to Apple's notary service. When I'm uploading the build from XCode I'm getting the following error:
Failed retrieving request UUID for upload. You may have outstanding
agreements to sign on App Store Connect.
I've checked the following URLs and I don't have any new prompts for new agreements:
https://developer.apple.com/account/
https://appstoreconnect.apple.com/
https://appstoreconnect.apple.com/agreements/#/
Is this a bug from Xcode/App Store Connect or does the message refer to other agreements that must be signed?
After failing to solve this with an Apple Support person, I removed an admin who did not have a current individual Apple Development account from the Team. Solved the issue instantly.
Had the same issue and also no outstanding agreements to sign.
In the end, the problem was, that the user who wanted to upload the build for notarization didn't have "Access to Cloud Managed Developer ID Certificate" in the Users and Access section on App Store Connect. It worked before for that user, so something in the backend must have changed in the meanwhile.
I had the same problem, no agreements to sign, I had Access to Cloud Managed Developer ID Certificate and still got the error.
To fix it I went to Xcode->Preferences-> removed my developer account from Xcode the re-added my developer account to Xcode and it worked.
Update from November 2022: I no longer receive the error from the question, it was probably fixed by Apple on their side.

Is it possible for a user on Google Play Store to upload an application instead of the owner?

Lets say A is the owner. I want B, C and D users from our team to be able to upload the new versions of our application. Is this possible?
From this it is not very clear to me what kind of permission has a user.
If somebody has any experience to this part is welcome.
You need the google account details to sign in to the Developer Console.
Any application uploaded to the play store must be signed.
From Google documentation
Android requires that all apps be digitally signed with a certificate before they can be installed. Android uses this certificate to identify the author of an app, and the certificate does not need to be signed by a certificate authority. Android apps often use self-signed certificates. The app developer holds the certificate's private key.
Signed apk file have a binary file it build and signed with.
Only the developer have this file on his own computer . Once an application first signed and was uploaded to the store all the other versions of the app must build and be signed against the same binary file.
If a developer looses this file he will no longer be able to publish updates to his own app .
Warning: Keep your keystore and private key in a safe and secure place, and ensure that you have secure backups of them. If you publish an app to Google Play and then lose the key with which you signed your app, you will not be able to publish any updates to your app, since you must always sign all versions of your app with the same key.
(from the same link)
It is possible to add another user permission to your Developer console.
Here list of permissions you can choose to share:
Create & edit draft apps
Edit store listing, pricing & distribution
Manage Production APKs
Manage Alpha & Beta APKs
Manage Alpha & Beta users
View financial reports
Reply to reviews
Edit games
Publish games
View AdWords campaigns
Create AdWords campaigns
These permissions can be Global to all apps on account or only for particular apps.
Anyway if you share Manage Production APKs permission you'll have to share the signature file as well.

Unable to revoke Mac Certificates

I was having some code signing problems and in a rash decision I decided to delete all my certificates and private keys and to start over. I read and understood that this would mean a lot of work to set things up again, but I didn't think this would create an irreversible situation:
I have 10 un-revokable Developer ID certificates: 5 Developer ID Application certificates and 5 Developer ID Installer certificates, with different expiration dates (2017 to 2019).
If I click the + button to add a certificate the radio button for Developer ID is unselectable (grayed out).
So, my problem is that I don't have the private key for these certificates, I can't revoke them, and I can't create new Developer ID certificates. One other thing: I'm the only member of the team.
I called Apple Developer Support and they weren't sure how to fix this. They said they'd have to get back to me.
Anyone else have any suggestions?
Thanks
Philip
Okay, in case anyone else missed this in the App Distribution Guide here's what I found:
You can’t revoke Developer ID or Passbook certificates using Member
Center. Instead, send a request to Apple at product-security#apple.com
to revoke these types of certificates. If Apple revokes your
Developer ID certificate, users can no longer install applications
that have been signed with that certificate. Instead of revoking a
Developer ID certificate, you can create additional Developer ID
certificates using Member Center as described in “Requesting
Additional Developer ID Certificates.
I didn't realize 5 Developer ID Application and 5 Developer ID Installer certificates were the limit. Hopefully, Apple will revoke them for me.
I got some extra certificates also (5). It took about two weeks and various emails to and back from Apple support, but I got them in the end.
Its very important when creating your new certificate using KeyChain to immediately backup the private and public keys that are created with your name when you do the "Request a Certificate from a Certificate Authority" stage within the KeyChain app. This will enable you (hopefully anyways) to re-use your developer id certificates when you change machine.
I deleted all private and public keys in my name (again using the KeyChain app) prior to doing this step so to reduce confusion but that may not be necessary and might even be unadvisable.

Re-enrollment after upgrading Apple Push Certificate

Can anyone confirm that after changing the Apple Push Certificate to follow the new steps, you have to re-enroll all the devices?
I have tried creating the CSR based on the existing P12 key store, and afterwards creating a new P12 key store with the Apple signed public key. When using this new key store I am able to enroll devices, but all devices already enrolled needs to be re-enrolled.
After much search I found the answer at McAfee.
If you obtained your previous MDM certificate using an Apple Developer's Account your old certificate has been migrated to the new Apple Push Certificates Portal...
This explains everything. A my work we have one idep user that created the old certificate for me. When I signed in using my own Apple ID, naturally I was not able to see the migrated certificate.

About aps_developer_identity.cer related

I downloaded my push notification certificate "aps_developer_identity.cer" from apple developer portal, and installed it. This certificate shows up only in the "certificates" filter and not in "My Certificates" filter in my keychain. Where am I going wrong? I need to export the ".p12" of "aps_developer_identity.cer" and upload it to UrbanAirship for testing purpose. Please help
Make sure that you have the private key signing the certificate in your Keychain. If that's not the case, revoke the old certificate and generate a new one with one of your private keys.

Resources