Xcode 11: Revoked certificate, now can't submit app - xcode

I revoked a certificate because I couldn't get access to the original private key, and now in Xcode 11 I can't submit an app. I've tried to generate a new certificate but with no success so far. This is both manual and using an Xcode Managed Profile. Any advice on what to do here?
It seems that the old revoked certificate is somehow cached within Xcode.
App Store Connect Operation Error
ERROR ITMS-90721: "Certificate Revoked. The signing certificate "C=GB, O=NAME, OU=QY8KYJQS8T, CN=Apple Distribution: NAME (QY8KYJQS8T), UID=QY8KYJQS8T" with serial number 7115865899670450192 used to sign APP_NAME.app/Contents/MacOS/AOO_NAME has been revoked. Learn more (https://help.apple.com/xcode/mac/current/#/dev154b28f09)."

Related

Developer ID Application Certificate missing a child key in Keychain Access

I am trying to recreate a Developer ID Application certificate, so I can sign my application. I had an existing certificate, but it's about to expire, so I am trying to regenerate a new one.
However, when I download a newly generated certificate from developer.apple.com, the imported certificate has no key as its child node in Keychain Access. The old certificate had this. When I attempt to use the certificate for code signing I receive something like:
/tmp/myapp.app/Contents/app/bin/myapp.exe: errSecInternalComponent
I am following the instructions to obtain a signed certificate using Certificate Assistant:
Ensuring nothing is selected in Keychain Access, click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
I enter my email, accept the default Common Name and click Saved to disk.
In developer.apple.com I click the "+" to Create a New Certificate
I choose Developer ID Application
I upload the CSR I saved above
I download the .cer file that is generated
I open the .cer file. This adds the certificate.
As you can see, the certificate does not have a private key inside it, like the old one:
Unfortunately I don't have the old certificate now having deleted it in a fit of pique but it looked like this:
... although in my case it had my private key.
I've noticed reference to the claim that creating a CSR also creates a public/private key pair, but I cannot see these anywhere in Keychain Access.
Later, I did manage to import the certificate and it show the private key. I think this was when I imported it into the same keychain as that which contains a private key "Dan Gravell" - login. However, I have since tried replicating that and now the certificate is being imported without a key again.
Xcode appearance
I've discovered there's a little more information in Xcode. The certificate shows "Missing Private Key" next to it:
When I look this error up, the suggestions seem to be that the certificate has been given to a developer by some third party that didn't include the private key. However, in my case I am that third party who has created the CSR and received the certificate originally and I thought I had the private key, otherwise I wouldn't have been able to create the CSR in the first place. All these items appear to be in my keychain.
I (eventually) got a reply from Developer Program Support. They issued a new certificate which I installed via XCode this time. I documented my other steps here: https://stackoverflow.com/a/74210449/28190

Unable to revoke Mac Certificates

I was having some code signing problems and in a rash decision I decided to delete all my certificates and private keys and to start over. I read and understood that this would mean a lot of work to set things up again, but I didn't think this would create an irreversible situation:
I have 10 un-revokable Developer ID certificates: 5 Developer ID Application certificates and 5 Developer ID Installer certificates, with different expiration dates (2017 to 2019).
If I click the + button to add a certificate the radio button for Developer ID is unselectable (grayed out).
So, my problem is that I don't have the private key for these certificates, I can't revoke them, and I can't create new Developer ID certificates. One other thing: I'm the only member of the team.
I called Apple Developer Support and they weren't sure how to fix this. They said they'd have to get back to me.
Anyone else have any suggestions?
Thanks
Philip
Okay, in case anyone else missed this in the App Distribution Guide here's what I found:
You can’t revoke Developer ID or Passbook certificates using Member
Center. Instead, send a request to Apple at product-security#apple.com
to revoke these types of certificates. If Apple revokes your
Developer ID certificate, users can no longer install applications
that have been signed with that certificate. Instead of revoking a
Developer ID certificate, you can create additional Developer ID
certificates using Member Center as described in “Requesting
Additional Developer ID Certificates.
I didn't realize 5 Developer ID Application and 5 Developer ID Installer certificates were the limit. Hopefully, Apple will revoke them for me.
I got some extra certificates also (5). It took about two weeks and various emails to and back from Apple support, but I got them in the end.
Its very important when creating your new certificate using KeyChain to immediately backup the private and public keys that are created with your name when you do the "Request a Certificate from a Certificate Authority" stage within the KeyChain app. This will enable you (hopefully anyways) to re-use your developer id certificates when you change machine.
I deleted all private and public keys in my name (again using the KeyChain app) prior to doing this step so to reduce confusion but that may not be necessary and might even be unadvisable.

Re-enrollment after upgrading Apple Push Certificate

Can anyone confirm that after changing the Apple Push Certificate to follow the new steps, you have to re-enroll all the devices?
I have tried creating the CSR based on the existing P12 key store, and afterwards creating a new P12 key store with the Apple signed public key. When using this new key store I am able to enroll devices, but all devices already enrolled needs to be re-enrolled.
After much search I found the answer at McAfee.
If you obtained your previous MDM certificate using an Apple Developer's Account your old certificate has been migrated to the new Apple Push Certificates Portal...
This explains everything. A my work we have one idep user that created the old certificate for me. When I signed in using my own Apple ID, naturally I was not able to see the migrated certificate.

About aps_developer_identity.cer related

I downloaded my push notification certificate "aps_developer_identity.cer" from apple developer portal, and installed it. This certificate shows up only in the "certificates" filter and not in "My Certificates" filter in my keychain. Where am I going wrong? I need to export the ".p12" of "aps_developer_identity.cer" and upload it to UrbanAirship for testing purpose. Please help
Make sure that you have the private key signing the certificate in your Keychain. If that's not the case, revoke the old certificate and generate a new one with one of your private keys.

Apple keychain private/public key issue

I accidentally deleted the private and public key pair of my certificate, but I can't find anything helpful to undo or add those to my certificate again.
Actually the developement certificate has expired, so i redownloaded the new one.
Than I wanted to add the private/public key to my new certificate. And there it happend, i deleted it.
How can I get these and set them to my actual certificate again.
I had this issue two days ago.
Open Keychain Access
What you have to do is make backups of all your certificates and then go and delete all the private and public keys and certificates on your machine relevant to apple.
Then in Keychain Access click on Keychain Access(Menu Bar) and in the menu select Certificate Assistant -> Request a certificate from a certificate authority.
Enter your details and make sure Saved to disk and Let me specify key chain pair is selected.
Save it.
On the next screen: These values must be:
Key Size: 2048 bits
Algorithm: RSA
You then need to log into the Provisioning Portal on apple's website and revoke all certificates there.
Then click distribution and say Add Certificate and select the file you created earlier.
You can then request all certificates again. Re-download all certificates, once you start opening the downloaded certificates your new key pair and certificate will be in Keychain Access.
If you have any questions check out http://developer.apple.com/ios/manage/distribution/index.action

Resources