how to create p12 file without password? - code-signing

I'm attempting to sign an iOS Enterprise application via 3rd party app creation tool, FlipLet.
From my keychain, I export the distribution certificate to obtain a p12 for signing. When it prompts for password I hit OK to leave it blank then enter admin password to allow the export. After it's done, I open the p12 file and it prompts for password, which I wouldn't expect because there was none set. I can just hit enter to bypass as if it recognizes there isn't one.
Any idea how to get it to not prompt, as the signing tool is getting hung on it? I've tried the app iReSign and it fails as well, I assume from the same issue.

Related

How do I get myself out of Apple Developer Id Certificate mess

Disclaimer, I am a Java developer not an Apple developer and therefore only use Apple specific tools very rarely.
I develop a Java application, and as part of my build from the command line I sign it with an Apple Developer Id certificate as follows
export CODESIGN_ALLOCATE="/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate"
/usr/bin/codesign --sign "Developer ID Application: P Taylor" --force --deep --verbose /Applications/SongKong.app
/usr/bin/codesign --verify --deep --verbose /Applications/SongKong.app
Unfortunately when I tried to build today there was an error because the certificate had expired a few days ago, it was originally created 5 years previously.
So I renewed an Apple Developer membership (which had also expired) and eventually found a way using KeyChain to create a CertificateSigningRequest.certSigningRequest file which I then uploaded to Apple and it generated a developerID_application.cer file. I opened this and it was added to KeyChain
I then reran my build, but it failed because it now found two certificates.
I then deleted the old expired one and reran, this time it seemed I had to give access to use the certificate by entering my KeyChain password. Unfortunately this does not seem to be the same as my main Mac password and hence I eventually had to ForceQuit and reboot.
In order to reset KeyChain password I followed steps online to
Open KeyChain Access
From the KeyChain Access menu, choose Preferences.
Click General, then click Reset My Default KeyChain.
I then reran my build but although the certificate seems to be there it reports 'no identity found'. I think because having created a new KeyChain I have removed my personal identity (is this Certificate Authority?).
So now I only have the Developer Id certificate but not the other parts and don't know what to do.
Question 1: When I selected Reset My Default Keychain it said the old keychain was kept somewhere, so my first question is can I make that the default again and then possibly there is a way to actually reset the password or perhaps I will be able to guess it.
Question 2: If I cannot do Qu.1 what do I need to do to recreate the personal certificate part that I am now missing. Remember the whole point of this is simply that users can install my software on their Macs without getting warnings about untrusted developers.
Well I resolved it, I followed these instructions in order to restore my previous keychain, basically
In KeyChain Access select Delete Keychain "login", and ensure choose Delete References when prompted, not Delete References & Files.
Open Finder, and go to Folder ~/Library/Keychains
Rename login.keychain to login.keychain.old
Rename login-renamed-1.keychain to login.keychain
In KeyChain Access select Add Keychain and select the login.keychain file
Restart KeyChain Access to see the correct results
But then I still had the problem that when I tried to sign I was prompted for KeyChain password and I didn't know it.....
However in KeyChain Access I went to Edit:Change settings for keychain "login"
and entered what I thought was old password and new password, and it accepted the change even though when I used the password to sign it failed
I then ran sign and entered the new password when prompted and it was accepted.
I verified signature, uploaded build, downloaded, installed and ran to ensure there was no problem with the build and it was fine. So I hope this answer helps other non Apple developers struggling with their tools

How to export Android Signing Keys

I have two machines, one PC, one Mac. Both have Xamarin Studio. On my PC, I've configured an Android Signing Key, and have published an app to Google Play using this key. I made some app changes to the code - on my Mac - and attempted to sign using a different key and upload, and of course, I got the "you must sign with the same key" error.
I can't find a way to export the Android Signing Key from the Xamarin Studio installation on my PC. I can see where to import a new key, but not how to export an existing key. I also checked Certificate Manager for both local system and my user account on Windows, no luck.
Any idea how to export?
In my installation every release keystore is stored at X:\Users\username\AppData\Local\Xamarin\Mono for Android\Keystore\AppName
Check also here
If you are looking for self generated Keystore path,
Right click on Keystore Name -> Show Alias Info -> at bottom you will see path of self generated Keystore
To locate the key to export, find the file first in this path:
On Windows (apparently):
X:\Users\username\AppData\Local\Xamarin\Mono for Android\Keystore
On macOS:
/Users/username/Library/Developer/Xamarin/Keystore/alias/alias.keystore
(Note, depending on how you signed the last time, alias may be the same as username, as it was in my case.)
So I simply copied the keystore file from that location over to the other OS. When importing it in Visual Studio (clicking the "Import..." button in the "Distribute" dialog), it asks you three things:
Password:
Alias:
Key password:
You cannot leave any field as blank! The password is the key password that you used in macOS to sign. The Alias is the name of the file without the .keystore extension, and the "Key password" is the new password that you may want to use for Windows (I left it as the same as in my macOS, myself).

How to import keychain from one development machine to another

Actually we are using two Mac machines to develop a package on Mac using Xcode. Only one Mac has a certificate, and that one is in a different country. We exported that certificate for the local Mac, but when I try to do codesigning using that certificate I am getting the error "Could not find appropriate signing identity for “Developer ID Installer: ID”". I am not able to add the codesign. What are the steps to import a certificate properly?
That message is usually indicative that you don't have the private key necessary for signing, just the certificate, which is insufficient.
For exporting signing identities, your best bet is to use the Accounts preference panel in Xcode.
1. Launch Xcode on the machine you are sending the signing information from
2. Choose Xcode > Preferences
3. Select the Accounts tab
4. From the gear menu, choose Export Accounts and select the file you want to place the information in and enter a password
5. Transport the exported identity file to the receiving machine
6. Follow steps 1-3 on the receiving machine
7. From the gear menu, choose Import Accounts and select the file you have just brought over, entering the password when asked.
This should import the entire signing identity, including the certificates, provisioning profiles, and private keys.
Via Keychain Access
If, for some reason, your Xcode on the machine that you are sending the signing information from does not have any accounts listed, you may be signing with a script or from the command line and using the identity information without loading the accounts directly into Xcode's UI. If possible, I would encourage adding your account to Xcode using the Accounts tab in order to get the automatic behaviors that Xcode provides, but it may not be absolutely necessary, especially if you are doing Developer ID only (non AppStore) distribution.
To export from Keychain Access, you will need to export both the Signing Certificate and the Key. The Signing Certificate is also available from Apple's Developer portal, but the key never leaves your machine directly (only a fingerprint of it is sent in the CSR), so if the original key does not exist on a machine that your organization has access to, you may need to Revoke your existing key and create a new one.
To locate your key in Keychain Access do the following:
1. Launch Keychain Access
2. Click on My Certificates
3. Look through the list or use the search box to find your certificate (searching on Developer ID should yield any Developer ID-related certificates)
4. Each certificate which has an associated private key will have a disclosure triangle to the left; click on that to expose the keys
5. This key may be exported by selecting the key and certificate (make sure they're both selected, or export them one at a time) and using File > Export Items
6. Provide a password when prompted to protect the export file
7. Copy the exported file(s) to your other machine
8. Use Keychain Access and File > Import Items to import the certificate/key to the new machine
NOTE: If you lose your private key, you will need to revoke your certificate, generate a new key, and create a new signing certificate. Don't do this without first making sure you have no available copies of the key. The specific implications depend on what kind of certificates are signed with the key, but you will need to regenerate all of the certificates that used the previous key.
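The "certificate without its private key" case described in the answer above can be checked from the command line before signing. This is an added example, not part of the original answer; it assumes the output layout of `security find-identity -v`, and the sample hash, company name and team ID are constructed.

```shell
#!/bin/sh
# Added example (not from the original answers): check that a signing identity,
# i.e. a certificate WITH its private key, is present before trying to sign.
# It parses the text printed by `security find-identity -v`.

# Constructed samples: the hash, company name and team ID are made up.
SAMPLE_WITH_KEY='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Installer: Example Corp (ABCDE12345)"
     1 valid identities found'
SAMPLE_CERT_ONLY='     0 valid identities found'

# has_identity NAME: reads find-identity output on stdin and succeeds only if
# a listed identity has a quoted name that starts with NAME.
has_identity() {
    awk -v want="$1" '
        /^ *[0-9]+\) [0-9A-F]+ "/ {
            name = $0
            sub(/^[^"]*"/, "", name)      # drop index, hash and opening quote
            sub(/"[^"]*$/, "", name)      # drop closing quote and anything after
            if (index(name, want) == 1) found = 1
        }
        END { exit !found }'
}

# preflight NAME: run the real query (macOS only) and explain a failure.
preflight() {
    if security find-identity -v | has_identity "$1"; then
        return 0
    fi
    echo "No usable identity '$1': certificate missing, or imported" \
         "without its private key" >&2
    return 1
}
```

Call `preflight "Developer ID Installer"` at the start of a build so a cert-only import fails early with a clear message instead of at the signing step.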

productsign error: SignData failed: CSSMERR_CSP_NO_USER_INTERACTION

When signing an app from an ssh terminal session, I am getting the following error:
productsign[29321:707] SignData failed: CSSMERR_CSP_NO_USER_INTERACTION (-2147415840)
productsign was working until recently.
How do I get around this error?
I solved it by accident - after combing the web for hours - while reproducing the steps when filing an incident report with Apple Support.
From the Mac (as opposed to from an ssh session) the same command generated a popup asking for permission to access the Keychain.
After choosing "Always Allow" the problem went away. Forever.
Try to unlock the keychain from this terminal:
security -v unlock-keychain -p "<Password>" "/Users/<UserName>/Library/Keychains/login.keychain"
Based on Danny Schoemann's answer and my own research I found complete solution for me:
You really need to log in to your Mac machine using the GUI the first time and sign anything with the certificate that you need. Then you will get a request window with the option "Always allow" to use this certificate (or something like that).
Important: if you need to use productsign with ssh or another console session (like Jenkins), your certificate must be installed into system scope, not into user scope.
If you need to keep your certificate in user scope, you need to unlock your keychain every time in a console session when you need to sign something (as Alex wrote):
security -v unlock-keychain -p "Password" "/Users/<UserName>/Library/Keychains/login.keychain"
You may put it into your build script.
The obvious minus of this solution: you need to store your password in some unencrypted script, which is insecure, so I prefer the first solution.
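The unlock-before-signing approach from the answers above, written so the keychain password is not stored in the script. This is an added example, not code from the original answers; the `KEYCHAIN_PASSWORD` and `KEYCHAIN_PATH` environment variables and the `sign_pkg` function name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answers): sign a package from a
# non-interactive session (ssh, CI) without hard-coding the keychain password.
# Assumptions: KEYCHAIN_PASSWORD is injected by the CI system's secret store;
# KEYCHAIN_PATH optionally overrides the default login keychain.

# sign_pkg IDENTITY UNSIGNED.pkg SIGNED.pkg
sign_pkg() {
    identity=$1 unsigned=$2 signed=$3
    keychain=${KEYCHAIN_PATH:-"$HOME/Library/Keychains/login.keychain"}

    # Refuse to run without the secret instead of falling through to a GUI
    # prompt that fails with CSSMERR_CSP_NO_USER_INTERACTION.
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set" >&2
        return 2
    fi

    # Caveat: -p puts the password in the process arguments, where other
    # local users can see it in the process list while the command runs.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || return 3

    # Sign, remember the result, then always re-lock so the keychain does
    # not stay open for the rest of the session.
    rc=0
    productsign --sign "$identity" --keychain "$keychain" \
        "$unsigned" "$signed" || rc=$?
    security lock-keychain "$keychain"
    return "$rc"
}
```

The function returns the exit status of `productsign`, so a build script can stop on a failed signature while the keychain is still locked again.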
You can actually fix this error. When you run productsign you are using the Developer ID Installer certificate, and this error generally suggests that it doesn't have access to the private key for signing.
To fix this, go to
Keychain Access->Click on the Little Triangle Arrow (>) in front of "Developer ID Installer" certificate under login keychain or your appropriate keychain.
Double click on the Private Key
Click on "Access Control" tab
Select "Allow all applications to access this item"
Now try productsign from commandline again, it should work.

Safari Developer Certificate on Windows 7 not working for me. What should I do?

I want to create a safari extension on my Windows 7 pc. I have created a safari developer certificate properly but I couldn't really install it. After some googling, I tried importing it into Personal and Trusted Root Certification authorities. But Extension Builder keeps showing "No Safari Developer Certificate." I even revoked the certificate and created a new one. Still no luck. Can anybody help me?
When you enter something like certmgr.msc in the run command in Windows, you will get to see something like this:
So using the certificate consists of the following steps:
Save the file and run the command in cmd.exe as directed in the developer certificate generator in extension certificate developer.
When you are done, check the certmgr (shown in the image above) and see a certificate named "Safari Developer" installed somewhere near Certificate Enrollment Requests. Cut the certificate and paste one copy inside trusted root certification Authorities and another inside Personal.
Generate the csr file and install the file inside Personal folder and trusted root certification Authorities folder.
Extension builder will now recognize the certificate.
