Unable to revoke Mac Certificates - xcode

I was having some code signing problems and in a rash decision I decided to delete all my certificates and private keys and to start over. I read and understood that this would mean a lot of work to set things up again, but I didn't think this would create an irreversible situation:
I have 10 un-revokable Developer ID certificates: 5 Developer ID Application certificates and 5 Developer ID Installer certificates, with different expiration dates (2017 to 2019).
If I click the + button to add a certificate the radio button for Developer ID is unselectable (grayed out).
So, my problem is that I don't have the private key for these certificates, I can't revoke them, and I can't create new Developer ID certificates. One other thing: I'm the only member of the team.
I called Apple Developer Support and they weren't sure how to fix this. They said they'd have to get back to me.
Anyone else have any suggestions?
Thanks
Philip

Okay, in case anyone else missed this in the App Distribution Guide here's what I found:
You can’t revoke Developer ID or Passbook certificates using Member
Center. Instead, send a request to Apple at product-security#apple.com
to revoke these types of certificates. If Apple revokes your
Developer ID certificate, users can no longer install applications
that have been signed with that certificate. Instead of revoking a
Developer ID certificate, you can create additional Developer ID
certificates using Member Center as described in “Requesting
Additional Developer ID Certificates.
I didn't realize 5 Developer ID Application and 5 Developer ID Installer certificates were the limit. Hopefully, Apple will revoke them for me.

I got some extra certificates also (5). It took about two weeks and various emails to and back from Apple support, but I got them in the end.
Its very important when creating your new certificate using KeyChain to immediately backup the private and public keys that are created with your name when you do the "Request a Certificate from a Certificate Authority" stage within the KeyChain app. This will enable you (hopefully anyways) to re-use your developer id certificates when you change machine.
I deleted all private and public keys in my name (again using the KeyChain app) prior to doing this step so to reduce confusion but that may not be necessary and might even be unadvisable.

Related

Renew Apple Push Services certificate

The Apple Push Services certifcate is about to expire in a few days.
To renew the certificate a new certificate has to be requested, and then the current certificate can be rewoked (or left to expire..). The new certificate then has to be uploaded to the service used to handle the notifications (in my case Firebase Messaging).
I have a hard time wrapping my head around who can update the certificates, without breaking the push-notifications and causing the app to be updated.
Does the new certificate has to be requested by the same APPLE-ID as the current? Or can anyone else of the mantainers with role "Admin" or "App Manager" (https://appstoreconnect.apple.com/access/users) update it with their account?
The .CSR file from Apple Keychain can be created by any APPLE-ID, or only by the APPLE-ID who created the original? Do I need the original .CSR from the current certificate?
The Apple ID of the requester does not really matter. As long as they belong to the same team on App Store Connect and have the necessary rights, they can do that. The fastest way is probably using a tool like https://docs.fastlane.tools/actions/pem/ or kind of the "web version" of that https://onesignal.com/provisionator

Signing ClickOnce application with code signing certificate, but publisher still unknown

I have 2 code signing certificates, for both CSR is created same way, also import and export is done same way. The only difference that I see is that one of certificates Common name contains Quotes, and the other doesn't.
e.g.
some cert and
some "cert"
CSR creation
Request format PKCS #10
disabled "Strong private key encryption"
Entered Common name, Organization, Locality, State, Country
2048 bytes for private key
set private key exportable
Import
place all certificates in Personal store
Export
Include all certificates if possible
Enable certificate privacy
encryption algorithm TripleDES-SHA1
Misleading thing is that this Common name value is NOT taken from the value I entered when I created CSR request
I am using those certificates to sign Winforms applications in Visual Studio. Certificate without Quotes in common name is working correctly (i.e. when I install application user is not getting security warning about unknown publisher), but when I install application which is signed with the other Code signing certificate (with Quotes in Common name) - it does not recognize Publisher. No error when published my application. When I take a look at setup.exe properties in Windows Explorer I see a Digital signatures tab which contains row for my certificate.
I tried to sign files with signtool and then verify - it said that certificate is valid.
I tried to get help from godaddy.com where I bought my certificate, they said that it should work with quotes, too, but didn't offer help to solve the issue. Rekey also didn't help.
I see that there are some suggestions to use Pre Publish, Post Build tasks, but I am not using those for my first certificate which is working.
So, is anyone here using code signing certificate for Winforms application with common name having quotes in it? Or maybe anyone knows about this problem and how to solve it?
Had to revoke (common name which is entered when creating CSR is not taken into account, so rekeying is not enough!) my code signing certificate and create from start without quotes/brackets in company name.
So this means, you will have to wait again for few days, because verification process is made from start again. When you will be contacted by issuer, they will verify / ask you about company name - make sure that they do not include quotes/brackets.
Revoking means that you will basically have to buy your certificate once more, because after you revoke it (at least in godaddy case) in your account you don't have options to create it again. So, you have to contact support (use call center and not chat ;)

Your account does not have permission to create Developer ID Application certificates

Can anyone help me with the following error message?
I have seen a few of these messages in Xcode (and on Stackoverflow) but not exactly this one. I have an admin role (but I am not the account holder). Does anyone know why Xcode has problems with the creation of the Developer ID Application certificate?
In Xcode I signed in with the admin account but still no success. Any help is highly appreciated!
The documentation on this is pretty clear from this chart (see https://developer.apple.com/support/roles/):
You are not the account holder so you do not have the ability to create Developer ID certificates. The Account Holder must create them. The certificate belongs to the team as a whole so you will be able to use it.

Re-enrollment after upgrading Apple Push Certificate

Can anyone confirm that after changing the Apple Push Certificate to follow the new steps, you have to re-enroll all the devices?
I have tried creating the CSR based on the existing P12 key store, and afterwards creating a new P12 key store with the Apple signed public key. When using this new key store I am able to enroll devices, but all devices already enrolled needs to be re-enrolled.
After much search I found the answer at McAfee.
If you obtained your previous MDM certificate using an Apple Developer's Account your old certificate has been migrated to the new Apple Push Certificates Portal...
This explains everything. A my work we have one idep user that created the old certificate for me. When I signed in using my own Apple ID, naturally I was not able to see the migrated certificate.

About aps_developer_identity.cer related

I downloaded my push notification certificate "aps_developer_identity.cer" from apple developer portal, and installed it. This certificate shows up only in the "certificates" filter and not in "My Certificates" filter in my keychain. Where am I going wrong? I need to export the ".p12" of "aps_developer_identity.cer" and upload it to UrbanAirship for testing purpose. Please help
Make sure that you have the private key signing the certificate in your Keychain. If that's not the case, revoke the old certificate and generate a new one with one of your private keys.

Resources