What are code signing identities in Xcode about? - xcode

What are "code signing identities" in Xcode?
Are they the certificates?
Are they the private keys?
Are they the app ids?
Are they the provisioning profiles?
If I go to the target build settings, it asks for the code signing identity, so I need to figure this out.
I thought we signed code using our private key. None of my private key names show up, however. It shows a list of certificates (I think, though I am not even sure.)

You've definitely hit on a topic that gets very deep very quickly and is a common source of headaches when trying to make device builds of iOS applications. First, let me put a little structure around each of the terms involved in the Code Sign process (both for you and anyone stumbling across this question later) and then we can turn to your main question:
CodeSign Terminology
The Code Sign phase of an iOS Device build is the process by which we cryptographically sign and secure a specific arrangement of data in an application, including the application executable binary itself, any embedded media assets (like button textures, custom artwork, fonts, etc.), and a set of metadata about our application; the result represents a unique 'thumbprint' of our application's data. This thumbprint is what is used by Apple and iOS to help ensure that our applications are not tampered with when being delivered to users' devices or when being run on users' iOS devices. To make this possible, developers are required to register with Apple, set up an App Identifier, request Development and Distribution Certificates, register a set of Test Devices, and finally request a Provisioning Profile for their development efforts. The role of each of these elements is as follows:
App Identifier (or AppID) - A reverse DNS-style string that uniquely identifies exactly one iOS application on the AppStore.
Development and Distribution Certificates - These are digital documents cryptographically signed by Apple certifying the identity of the individual to which the documents were issued. For those familiar with Public Key Infrastructure, the Certificate itself contains a public key that can be used to verify the integrity of signatures later in the process.
Test Devices - The only approved standard distribution channel for iOS software is the AppStore. By registering a test device, developers may circumvent the AppStore and install software directly to devices for development and testing purposes. The total number of test devices allowed in a given membership year is 100 test devices.
Provisioning Profile - A document containing three main components: 1) Exactly one App ID, 2) One or more iOS Developer Certificates, and 3) Zero or more registered test devices on which the named iOS app may be directly installed. The contents of this document are cryptographically signed by Apple to ensure its contents cannot be tampered with.
It is the presence of this file and the thumbprint checks that determines if a developer-generated app can be installed to a device, as it contains the notion of the 'Who' (Certificates), the 'What' (AppID), and the 'Where' (which devices).
Great, I got it... Now what about this Code Sign Identity thing?
In the context of an individual build target's build settings, the term Code Sign Identity refers to the Common Name of those certificates that are installed in the Keychain of the Developer's machine. In the Xcode build setting it appears as a list of options from which developers must select an Identity to use for CodeSign -- there's a lot of information encoded in each section of this menu:
Looking first at the black text - From the image above 'iPhone Developer: Bryan Musial (XXXXXXXXXX)' - This is really the primary item Xcode uses to find the public and private keys used to Code Sign. When selecting this item, you are instructing Xcode to reach into your Keychain and try to find a certificate whose 'Common Name' field matches that string and then grab that certificate (which contains the public key) and the associated private key for use in the Code Sign operation.
Just to be thorough: if you open up Keychain Access and double-click any of the 'iPhone Development: ...' or 'iPhone Distribution: ...' certificates, it shows all of the information encoded into the certificates Apple issues to its developers. If I were to select the entry in the first image, Xcode would reach into my Keychain and pull back this certificate (NOTE: Unique identifying details have been X'd or changed):
As you can see, the black text from the Xcode selection exactly matches the Common Name field in my certificate, so Xcode would pull back this certificate and its linked private key for use in Code Signing my app.
Looking back at the Xcode setting again, we also notice that there is more text in that menu selection as well -- the lighter gray text identifies the Provisioning Profile that will be built into the application. In the case of my example setting, Xcode will go and get the Provisioning Profile "MyiOSApp Testing" which has its AppID set to 'com.myiosapp.*'. Xcode is very greedy with stashing Provisioning Profiles, and fortunately Organizer gives you a great place to look over the Provisioning Profiles that are installed and get a sense about the basic data they contain. Again for the Xcode Code Sign Identity in the first image, the related Provisioning Profile in my Organizer would look like this:
The 'Name' column and the tail end of the App Identifier column match the light gray text from my Xcode setting, so this is the Provisioning Profile that would get selected for use during Code Sign. It is also important to note the 'Status' column at the end of the row. In this case, it is green and indicates 'Valid Profile'. This means that my Keychain has both the Public and Private keys for at least one of the certificates encoded in that Provisioning Profile. If this status is anything other than green then there is a problem with your current setup of Public/Private Keys and/or the Provisioning Profile -- Code Signing cannot work unless the Provisioning Profile you are trying to use has its status set to Green. Other possible status options include:
Valid signing identity not found: You do not have both the Public and Private key for at least one of the Certificates encoded in this Provisioning Profile. Delete the profile from Organizer, then return to the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and ensure you have your Development Certificate included in the Provisioning profile. Verify your certificate in Keychain Access is not expired or revoked and has a private key linked to the public key certificate.
Profile has expired: The expiry date for the provisioning profile has lapsed. Delete this Provisioning Profile from Organizer, then revisit the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and reissue this Provisioning Profile (if it is actually still needed).
Other items that can trip you up
In addition to all of the nuances about making sure you have both Public and Private keys installed, and that the Provisioning Profiles are set just right, there are a few other things that can trip developers up. First, Xcode collects Provisioning Profiles and hangs on to them until you tell it to delete them. In theory, this isn't a super huge deal except in scenarios where you make changes to a Provisioning Profile, download and install a newer version. Many times Xcode will grab the right profile, but sometimes it doesn't get it right and you'll spend hours looking over the Certificates, Identifiers & Profiles tool as well as your keychain to try and get an idea about what is going on.
Suggestion 1: When installing a newer version of a Provisioning Profile, delete older ones so that Xcode isn't put in a position where it may have to make a decision.
A similar thing can happen if you reissue a Development or Distribution Certificate -- Most times Xcode will trigger a warning during the build about an ambiguous certificate.
Suggestion 2: Pay attention to ambiguity warnings during the build. It implies that you have an old certificate floating around that meets the build criteria and could be inadvertently used, potentially causing a build problem.
Suggestion 3: Anytime you are in Keychain dealing with your certificates, look for 'iPhone Developer: ...' or 'iPhone Distribution: ...' certificates that have a red 'X' on them. This is an indicator that the certificate has expired or has been revoked. Either way, this Public Key (and potentially linked Private key) is of no further use to you for build purposes and can be deleted.
Finally, the Code Sign Identity setting also has an option that lists as 'Automatic Profile Selector'. In many cases you will want to use this option as it will do its best to automatically look up your AppID from your build target's settings, then look for a Provisioning Profile that matches that AppID and contains certificates that you have both a public and private key for. In some custom build circumstances it may not be possible to use this option and you'll have to use one of the fixed, specific options, like my demonstration setting in the first image. Be advised if you go with a fixed option -- any time you update the Provisioning Profile, you will need to also update the Code Signing Identity build setting to match the newer version.
Key Takeaways
Make sure you keep both your Keychain and Xcode Provisioning Profile lists clean and deduplicated.
After installing a Certificate and Provisioning Profile, make sure the Organizer reports that provisioning profile's status as Green ('Valid profile'). Any other status indicates a problem exists between your keychain and provisioning profile that needs to be addressed before you even consider running a build.
Try and use the 'Automatic Profile Selector'. Your teammates and any automated build systems will be happier with you if they too don't have to think about Code Sign Identity settings.
If you can't use the Automatic Profile Selector, make sure you always keep that setting up-to-date as newer iterations of your provisioning profile are made.

You can only sign your app with a certificate.
That certificate is either:
dev certificate (build from Xcode into your physical device)
enterprise certificate (build for employees)
app store certificate (build for real world customers)
The following will list certs you have available on your mac for signing.
security find-identity -p codesigning -v
Example mine returns:
1) A0D1B4FBH9768DA909766DC27D6882088A994473 "Apple Development: Mohammad F (5ABCS7TRT6)"
2) 5404044732CF2A011D95C28222DCF0000D3B84E "Apple Development: mfaani#foo.com (97ENL333NA)"
My two certs can be identified by either:
A0D1B4FBH9768DA909766DC27D6882088A994473 OR "Apple Development: Mohammad F (5ABCS7TRT6)"
5404044732CF2A011D95C28222DCF0000D3B84E OR "Apple Development: mfaani#foo.com (97ENL333NA)"
Summary
Code signing identity is anything that can uniquely identify your certificate.
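An added example (not from the answers above) that parses the output of security find-identity -p codesigning -v and resolves a Common Name to a single SHA-1 hash, refusing a name that matches more than one certificate, which is the same ambiguity Xcode warns about when an old certificate is still in the keychain. The sample output is constructed; hashes, names and team IDs are placeholders, and sign_by_name only does anything on a Mac with the security and codesign tools.

```shell
#!/bin/sh
# Added example, not the original poster's code. Parses the listing printed by
#   security find-identity -p codesigning -v
# into "HASH|Common Name" records and resolves a Common Name to one hash.
# The listing below is CONSTRUCTED sample output with placeholder values.

SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Example Dev (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Distribution: Example Org (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Apple Distribution: Example Org (ABCDE12345)"
     3 valid identities found'

# Read find-identity output on stdin; print one "HASH|Common Name" line per
# identity. The trailing "N valid identities found" summary is ignored.
parse_identities() {
    awk '/^ *[0-9]+\) [0-9A-F]+ "/ {
        hash = $2
        sub(/^[^"]*"/, "")   # drop everything up to the opening quote
        sub(/"$/, "")        # drop the closing quote
        print hash "|" $0
    }'
}

# Resolve Common Name $1 (read find-identity output on stdin) to its hash.
# Exit status: 0 and the hash on stdout if exactly one match,
#              1 if no identity has that name,
#              2 if the name is ambiguous (two certificates, e.g. an old one
#                that was never deleted after a reissue).
resolve_identity() {
    parse_identities | awk -F '[|]' -v cn="$1" '
        $2 == cn { hashes[n++] = $1 }
        END {
            if (n == 0) {
                print "no signing identity named \"" cn "\"" > "/dev/stderr"
                exit 1
            }
            if (n > 1) {
                print "ambiguous: " n " identities named \"" cn "\"; sign by hash instead" > "/dev/stderr"
                exit 2
            }
            print hashes[0]
        }'
}

# Live use on macOS: look the name up in the real keychain, then hand codesign
# the hash rather than the name so a stale duplicate can never be picked up.
sign_by_name() {
    app="$1"; cn="$2"
    hash=$(security find-identity -p codesigning -v | resolve_identity "$cn") || return $?
    codesign --force --sign "$hash" --timestamp "$app"
}
```

Running resolve_identity against the sample above returns the hash for the single "Apple Development" entry and exit status 2 for the duplicated "Apple Distribution" name.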


How do I resolve problems with my Signing Certificates in Xcode

System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid-up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an iOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1: The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked to what kind of Certificate to Create.
You need to select Apple Development to develop an app on your Mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary.
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kind of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In Xcode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop-down list. Also select Automatically manage signing.
Also in Xcode, you go to Xcode/Preferences/Accounts. You should select the Apple ID on the left which is the same as you log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2: If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or that you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I have logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3: Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage

I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.
When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.
I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to them.
Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In future, once you have it all working I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app, it can also be reached by selecting project > Targets > General > Signing
Hope that helps you, best of luck!
There are some possible reasons for certificate evaluation failure:
The certificate may not be for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in the Keychain Access app for test purposes, following this and this tutorial. Make sure to enable it in "Get Info" > "Trust" set as "Always Trust".

How do I fix "Missing Private Key" for xcode apple provisioning?

On a new Mac, I installed Xcode and needed to set up provisioning for a hello-world project to deploy to my iPad.
NOTE: I am using the new FREE provisioning (do not have a paid Apple account)
I went to Preferences/Account signed in to my Apple account
In the project, General tab, Team is set to my (free) Apple Dev account. (all seemed well, it recognized this as valid)
I tried to deploy to the iPad and I got a build error "codesign failed with exit code 1"
Supposedly this is to do with certificates. I went to Keychain Access and found "iPhone Developer: my#email.com (...)" in there, which was added when I signed in via my Apple Account.
I DELETED this key (thinking I would simply re-add my Apple Account and thus this key)
I then removed and re-added my Apple account from Xcode preferences
I can sign in, I can see it adds keys, and Keychain Access Get Info on the keys indicates no issues (valid, etc)
In Xcode Preferences, when I click Manage Certificates, it shows "David's MacBook Pro (2)" and a bunch of "Untitled" keys ALL of which have a status of "Missing Private Key".
Xcode/General/Status section says "The username or passphrase you entered is not correct" even though my "Team" is signed in and valid
Clicking "Try Again" shows "Waiting to repair", followed by "revoking...", followed by "Generating certificates" - which sounds promising, like it's doing exactly what I need, but then fails, private keys still missing, and back to step 9 here in a loop of hell.
ok? How do I get this resolved without flattening my OS back to factory and starting completely over?
Note: there are resolutions on SO that talk about Revoking the keys and generating new private keys from the Dev Console, like this one:
How can I add private key to the distribution certificate?
HOWEVER, on a "free" account I have NO access to the Certificates section! I can't manage anything from the Dev portal online. I do, however, see Xcode specifically set up to handle certs (see step 9-10 above) but it is not working. I really don't know where to go from here. I'm new to all things Mac and iOS and Xcode. Frustrated. Thanks Apple, so much for a simple on-boarding experience on a simple hello-world app.
After two bounties for this question which gave no results, I managed to find a solution to this problem.
Apparently, it was some keychain related problem.
To fix it:
Open Keychain Access on your Mac.
Right click on the "login" keychain in the left side of the window.
Press Lock keychain "login".
Then do the same to Unlock it.
Go back to Xcode and try to set your app to run with your personal account.
Solution was found using the first comment here:
https://github.com/desktop/desktop/issues/3625
I had this error and it occurred because I had moved to a new MacBook. Although there was a provisioning profile on our Apple account and it was not expired, the private key was on the old MacBook. So downloading and installing the profile did not help, as it was the private key that was missing. I revoked the provisioning profile and created a new one. I had the same issue for the distribution certificate.
If you are concerned whether revoking and creating new certificates/profiles will affect existing deployed applications, take a look at this question and the answers. The bottom line is, for applications on the app store it will have no effect, but for Enterprise Distributions, deployed applications will stop working if you revoke the provisioning profile. So if the application is on an Enterprise Account, then it is best to try to find the private key in the keychain of the MacBook where it was created.

Missing Developer ID Application signing identity for (null)

While trying to export a Developer ID Signed Mac application with Xcode I ran into this error: "Missing Developer ID Application signing identity for (null)". How do I resolve this?
I struggled with this issue for a while so wanted to post what I found in case others run into a similar issue. I ran into the above issue after revoking my certificate while trying to export my build from a friend's machine. I found the best support by going step by step through this link:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html
I would recommend following the steps in this link for anyone uploading a build to the Mac app store or exporting a Developer ID Signed Mac application.
There is a certificate called "Developer ID Certification Authority", this seems to be the one I was missing, and which caused the most trouble.
Another interesting thing to note is that the 10 digit letter/number ID for your Team/Distribution profile will be different than the ID for your developer profile. This should not throw you off, these two profiles work together.
Another good thing to know is that at the top of developer.apple.com there is a non-obvious drop down menu that lets you switch between iOS, tvOS, watchOS profiles and MacOS X profiles.
Another non-obvious UX issue when dealing with certificates is the System tab within Keychain Access. If you read that you should delete or change a property both within Login and within System, when they write System, they are referring to the System tab, which can be accessed within Keychain Access and can be seen at the bottom of this image:
This link is also helpful for certificate trouble shooting:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Troubleshooting/Troubleshooting.html#//apple_ref/doc/uid/TP40012582-CH5-SW11
But mainly just go through the steps in the first link given for exporting a Mac App with Developer ID Signing.

Questions about code signing Mac App with Developer ID

I have several questions about signing Mac App with Developer ID:
First of all, I'm working on a project utilizing GateKeeper. So I have to(?) sign my App with Developer ID.
Do I need a provisioning profile to sign with Developer ID?
In the build settings tab, the Developer ID certification is marked as Identities without Provisioning Profiles. Looking around in Mac Provision Portal, I found no place to generate provisioning profile to match Developer ID cert rather than submission certs.
So do I need a provisioning profile to sign with Developer ID?
After archiving my app, when I chose Export Developer ID-signed Application in the organizer, my Developer ID certification is marked with a yellow warning icon. But I can still choose the cert and sign it. Is it OK?
After signing my app, I used sudo spctl -a -v MyApp.app to test my app, with sudo spctl --master-enable run before that. The result is as follows:
EIM.app: rejected
source=Developer ID
Is this rejection related to the warning in question 2?
It's my first time distributing Mac App with Developer ID, thanks for any help.
Re: Provisioning profiles and DeveloperID— they are unnecessary. You should be able to accept your DeveloperID in the automatic section of the Code Signing Identity portion of the Build Settings. If you cannot, your key may be missing or there may be something else wrong with the database that contains the information.
First, go into Keychain Access and verify that your DeveloperID certificate has an accompanying private key associated with it (this will be visible under a disclosure triangle). If it does not, then you should go check around to see if you saved off the key related to that certificate anywhere, because if you can't find and reimport it (from, for example, a Developer Profile exported from Xcode), you will need to revoke and reissue the certificate, since there's no way to sign it.
Second, there is a known bug in 4.6.1 that can corrupt a cached database containing information from the developer portal. There's no specific indication that this behavior can be caused by this problem, but before following the next step, you might want to give it a try. Basically, you will need to quit Xcode, move aside (or delete) ~/Library/Developer/Xcode/connect1.apple.com 4.6.1.db (yes, there's a space in that file name), restart Xcode, go to the Organizer and Refresh your profiles and certificates.
If this doesn't work, you may want to consider revoking your Developer ID.
WARNING: If you have successfully distributed code with the certificate, do not revoke it until you have visited Apple's web site (https://developer.apple.com/support/technical/certificates/) and thoroughly understand the implications to shipped code for revoking a Developer ID. Specifically, installed software will continue to work, but users will not be able to install/reinstall binaries signed with the original certificate.
If you have never successfully distributed code with the certificate (or if your key is irrecoverably lost), you may want to go to the portal and revoke and then reissue your Developer ID certificate. Once you have revoked it, you can create a new certificate by requesting a new certificate.
