macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage - macos

I generated a mac installer certificate for use with code signing and am getting an error that is preventing me from using certificate to sign installer
When evaluating certificate in keychain access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.

I find this process works better when generating code signing keys with Xcode rather than through the Keychain access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self signed certificate for code signing to generate signed apps without uploading them to app store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to
them.
Simply select it and Xcode will issue and download your code signing
identities for you with the correct developer certificate params for
iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In future, once you have it all working I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app, it can also be reached by selecting project > Targets > General > Signing
Hope that helps you, best of luck!

There are some possible reasons for certificate evaluation failure:
The certificate may be not for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in keychain app for test purpose, following this and this tutorials. Make sure to enable it in "Get Info" > "Trust" set as "Always Trust".

Related

How do I resolve problems with my Signing Certificates in Xcode

System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an IOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked to what kind of Certificate to Create.
You need to select Apple Development to develop an app on your mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kind of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In XCode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signings.
Also in XCode, you go to XCode/Preferences/Accounts. You should selected the Apple ID on the left which is the same as you log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2 If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or that you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

Xcode -How to add a private key to Development Certificate if it's created using the Revoke button

By mistake I pressed the Revoke button.:
I went to developer.apple > Certificates I downloaded the new Development Certificate that was created from pressing the Revoke button. Afterwards one of the errors I got is
The second part of the error says the certificate needs a private key (in orange).
In Xcode > Preferences > Accounts > App ID > Team > plus sign it says the expiration of that Development Certificate is 10/30/20, 12:04 AM:
When I look in keychain the certificate with that expiration date is there but there isn't an arrow on the left of it to toggle the nested private key:
How do add a private key to the Development Certificate that was created using the Revoke button?
Btw the Distribution Certificate that was created after pressing the Revoke button did have a private key attached to it.
When you press the Revoke button you get issued a new iPhone Distribution certificate and a new iPhone Developer certificate. You can view these certificates inside the developer portal at developer.apple > certificates. Those certificates will also be inside your keychain. You use the certificate expiration dates to see which certificates correspond to what.
The problem with pressing the Revoke button is you will get a iPhone Distribution certificate with a private key but as far as the iPhone Developer certificate it won't have a private key.
If you look into your keychain you will see this pic below. Notice the iPhone Distribution certificate has a gray arrow next to it but the iPhone Developer certificate doesn't:
That will cause the following 2 errors:
It causes a cycle where you press the Revoke button again and you wind up with the same 2 errors. I'm not sure why Apple did it this way but someone definitely made a mistake.
When you go to Keychain > login > My Certificates you will only see certificates that have a private key (the gray arrow indicates that). Since the iPhone Developer certificate from pressing the Revoke button doesn't have a key it won't be in there. According to this you need that key otherwise you'll get the errors:
If your iOS developer and distribution certificates do not appear in
"My Certificates", then they are not correctly configured for use on
your Mac. Please note that "Certificates" is a repository of all
certificates your Mac holds, whereas "My Certificates" is the subset
of certificates valid for your Mac to actually use - a certificate
appearing in "Certificates" only is not enough.
If the certificate is not in My Certificates then this is most likely
because you do not have the correct key for that certificate also on
that Mac. You will need to locate the private key made for that
certificate (i.e., from the original Mac which requested the
certificate or a backup server).
As long as they do appear in My Certificates, then they key is there.
Since the iPhone Developer certificate won't appear in My Certificates the fix is after you press the Revoke button, delete the iPhone Developer certificate that it generates from BOTH the developer portal at developer.apple > certificates AND keychain. It's VERY important you delete it from keychain! Use the expiration date to locate it. Please keep the iPhone Distribution Certificate because that should work fine and have a key (indicated by the gray arrow).
After it's deletes from both BOTH places you can manually generate a developer certificate yourself following these directions:
Generate a Code Signing Certificate manually
1- Open your Keychain Access.
2- In the upper left hand corner next to the Apple sign select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...
3- Fill in User Email Address(just use yours) and the Common Name (just use your name) and select Saved to Disk. I selected Let me specify key pair information (maybe it's not necessary) but on the next screen just use the Key Size: 2048 bits and algorithm: RSA. Click on Continue and save the generated certSigningRequest file to your desktop.
4- Go to https://developer.apple.com and log in to your account.
5- Select Certificates, IDs & Profiles from the left sidebar.
6- Go to Certificates and click on the + button on the top right corner.
7- Select iOS App Development and click Continue.
8- On the next page you see the instructions for creating the certSigningRequest file. Click continue.
9- Upload the created certSigningRequest (from the 3rd step, the one saved to your desktop) to the form and click continue. It will generate your code signing certificate for you.
10- Download the certificate and double click to install it. Once installed it will be added to your Keychain Access app. Assuming it saves to your download folder you can just go in there and double click it.
Once you do those steps both errors should go away.
If you continue to have errors look at the certificates in both the portal at developer.apple > certificates and keychain > My Certificates. If anything is in the portal but isn't in My Certificates then you need to find it keychain access (look in keychain > Certificates), delete it, and delete it from the portal.
It took me a while to figure this out but the expiration date is the key to locating messed up certificates.
Unfortunately there is no way to make it working. I am on Mojave so:
I Installed Big Sur on external hard drive and booted it from there.
Installex Xcode 12.
Created empty project
I am member also in paid team but this is unnecessary.
Signing and creating certificate went smoothly without errors
I selected keychain access in system preferences in iCloud.
I exported my certificates and keys to external drive partition that is visible from Mojave.
restart and boot mojave
Imported certificates
and THIS IS NOT WORKING neither for paid account nor not-paid one. My certificates are marked as not trusted and Xcode 11.2 still has problems with repair and fix things. I got 8 emails that my certificates are revoked in the process.
So this probably is a Mojave think as Apple think system is not secure. Which is funny because yesterday I installed latest security update for Mojave (after which I lost my Mac Mini built-in speakers :( )
This looks like serious bug on Apple side I reported it through Feedback assistant but I doubt they will ever fix it so for now I have to say good bye to coding for Apple platforms.

ERROR ITMS-90292: "Invalid Provisioning Profile Signature"

Hi I wanted to submit an update to the Mac App Store today and got the following error message:
What to do?
For me it helped to renew the certificate being used to sign the application. Search for "3rd Party Mac Developer Application" in Keychain, delete it and get a new certificate from https://developer.apple.com/account/mac/certificate/
Make sure you also updated the Apple certificates: Apple Certificate for iOS Developer and Mac Developer is expired "The certificate has an invalid issuer"
Had this issue,
How I fixed it was instead of selecting my normal automatic manage signing. I selected manually manage signing
Then click on the distribution certificate dropdown, followed by manage certificates...
Then you'll notice your current certificate is not in your keychain. You can add a new one with the add button on the bottom left and it'll be your default certificate
Then once added. Click cancel on the manual signing, choose automatic signing again and it should upload.

Questions about code signing Mac App with Developer ID

I have several questions about signing Mac App with Developer ID:
First of all, I'm working on a project utilizing GateKeeper. So I have to(?) sign my App with Developer ID.
Do I need a provisioning profile to sign with Developer ID?
In the build settings tab, the Developer ID certification is marked as Identities without Provisioning Profiles. Looking around in Mac Provision Portal, I found no place to generate provisioning profile to match Developer ID cert rather than submission certs.
So do I need a provisioning profile to sign with Developer ID?
After archiving my app, when I chose Export Developer ID-signed Application in the organizer, my Developer ID certification is marked with a yellow warning icon. But I can still chose the cert and sign it. Is it OK?
After signing my app, I used sudo spctl -a -v MyApp.app to test my app with sudo spctl --master-enable runed before that. The result is as followed:
EIM.app: rejected
source=Developer ID
Is this rejection related to the warning in question 2?
It's my first time distributing Mac App with Developer ID, thanks for any help.
Re: Provisioning profiles and DeveloperID— they are unnecessary. You should be able to accept your DeveloperID in the automatic section of the Code Signing Identity portion of the Build Settings. If you cannot, your key may be missing or there may be something else wrong with the database that contains the information.
First, go into Keychain Access and verify that your DeveloperID certificate has an accompanying private key associated with it (this will be visible under a disclosure triangle). If it does not, then you should go check around to see if you saved off the key related to that certificate anywhere, because if you can't find and reimport it (from, for example, a Developer Profile exported from Xcode), you will need to revoke and reissue the certificate, since there's no way to sign it.
Second, there is a known bug in 4.6.1 that can corrupt a cached database containing information from the developer portal. There's no specific indication that this behavior can be caused by this problem, but before following the next step, you might want to give it a try. Basically, you will need to quit Xcode, move aside (or delete) ~/Library/Developer/Xcode/connect1.apple.com 4.6.1.db (yes, there's a space in that file name), restart Xcode, go to the Organizer and Refresh your profiles and certificates.
If this doesn't work, you may want to consider revoking your Developer ID.
WARNING If you have successfully distributed code with the certificate, do not revoke it until you have visited Apple's web site (https://developer.apple.com/support/technical/certificates/) and thoroughly understand the implications to shipped code for revoking a developer id. Specifically that installed software will continue to work, but users will not be able to install/reinstall binaries signed with the original certificate.
If you have never successfully distributed code with the certificate (or if your key is irrecoverably lost), you may want to go to the portal and revoke and then reissue your Developer ID certificate. Once you have revoked it, you can create a new certificate by requesting a new certificate.

How can I test app sandboxing without a Mac Developer Program account

I can develop for iOS using the Simulator without an iOS Developer Program account (I just can't run on a device.) Is there an equivalent way of working for Mac Developer Program stuff? I want to test some of my utility apps for sandboxing compatibility (and therefore App Store distribution) prior to signing up for a paid account. If my apps don't work or aren't at least easily fixable, it's not worth the $99.
Are there project settings I can enable which enforce sandboxing? I expect that code signing will not work.
Take a look at the App Sandbox Design Guide, which has sections about creating code signing certificates for testing your apps. You can do it entirely in Keychain Access without requiring a paid Apple ID.
You can create a self-signed certificate for code signing:
Open Keychain Access.
Choose Keychain Access > Certificate Assistant > Create Certificate ...
Enter a name
Set 'Certificate Type' to 'Code Signing'
Then, in Xcode > Target > Build Settings > Code Signing, you should see your new certificate show up in the drop down next to Code Signing Identity.

Resources