Questions about code signing Mac App with Developer ID - macos

I have several questions about signing Mac App with Developer ID:
First of all, I'm working on a project utilizing GateKeeper. So I have to(?) sign my App with Developer ID.
Do I need a provisioning profile to sign with Developer ID?
In the build settings tab, the Developer ID certification is marked as Identities without Provisioning Profiles. Looking around in Mac Provision Portal, I found no place to generate provisioning profile to match Developer ID cert rather than submission certs.
So do I need a provisioning profile to sign with Developer ID?
After archiving my app, when I chose Export Developer ID-signed Application in the organizer, my Developer ID certification is marked with a yellow warning icon. But I can still choose the cert and sign it. Is it OK?
After signing my app, I used sudo spctl -a -v MyApp.app to test my app, with sudo spctl --master-enable run before that. The result is as follows:
EIM.app: rejected
source=Developer ID
Is this rejection related to the warning in question 2?
It's my first time distributing Mac App with Developer ID, thanks for any help.

Re: Provisioning profiles and DeveloperID— they are unnecessary. You should be able to accept your DeveloperID in the automatic section of the Code Signing Identity portion of the Build Settings. If you cannot, your key may be missing or there may be something else wrong with the database that contains the information.
First, go into Keychain Access and verify that your DeveloperID certificate has an accompanying private key associated with it (this will be visible under a disclosure triangle). If it does not, then you should go check around to see if you saved off the key related to that certificate anywhere, because if you can't find and reimport it (from, for example, a Developer Profile exported from Xcode), you will need to revoke and reissue the certificate, since there's no way to sign it.
Second, there is a known bug in 4.6.1 that can corrupt a cached database containing information from the developer portal. There's no specific indication that this behavior can be caused by this problem, but before following the next step, you might want to give it a try. Basically, you will need to quit Xcode, move aside (or delete) ~/Library/Developer/Xcode/connect1.apple.com 4.6.1.db (yes, there's a space in that file name), restart Xcode, go to the Organizer and Refresh your profiles and certificates.
If this doesn't work, you may want to consider revoking your Developer ID.
WARNING: If you have successfully distributed code with the certificate, do not revoke it until you have visited Apple's web site (https://developer.apple.com/support/technical/certificates/) and thoroughly understand the implications to shipped code for revoking a Developer ID. Specifically, installed software will continue to work, but users will not be able to install/reinstall binaries signed with the original certificate.
If you have never successfully distributed code with the certificate (or if your key is irrecoverably lost), you may want to go to the portal and revoke and then reissue your Developer ID certificate. Once you have revoked it, you can create a new certificate by requesting a new certificate.

How do I resolve problems with my Signing Certificates in Xcode

System Preferences / Manage Certificates
The above is a picture of the System Preferences/Manage Certificates area of Xcode (rev 11).
I know this is quite messy, but I'd like to ask the community for help in cleaning up my signing certificates for Xcode.
I am to the point where I cannot Archive any app in Xcode, even a "Hello World" app, due to the state of my signing certificates. I am a paid up developer on Apple Developer.
Below is a picture of the Key Chain Access of my system.
Thanks in advance.
LeonW53
[Key Chain Access Image][1]
I am a little the wiser now.
In order to submit to the Apple App Store, you need a Distribution Certificate and an iOS Distribution Certificate. Both must have the Public and Private key.
The Private Key refers to the computer from which the app will be submitted. The Private Key is the password to the Mac that will archive the app and submit.
To start, you need to go onto your distribution Mac and open the Keychain Access app (Applications/Utilities/Keychain Access). Once in, at the top of the screen, go to Keychain Access/Certificate Assistant/Request a Certificate from a Certificate Authority.
Note 1: The Request requires a user email address. Use the email address that you use to log into the Apple Developer Site. You do not need a common name. Select Request is Saved to Disk and Continue. You will be allowed to pick the name and Save Folder for the Certificate. Click Save.
You can create All of your Certificates from this one Certificate Signing Request.
Go into the Apple Developer Website and sign in (you need to be paid up to do this). Use the Apple ID that you used to save the Certificate.
Go to Certificates, Identifiers and Profiles.
Click Certificates in the left column. Click the + next to Certificates to add a new Certificate.
You will be asked to what kind of Certificate to Create.
You need to select Apple Development to develop an app on your Mac. You may need an iOS App Development to develop iOS apps, but I haven't found this necessary.
To Upload and Distribute your app, you need Apple Distribution and iOS Distribution.
Whichever one you pick, click Continue and you will be asked to Upload a Signing Certificate Request. Here you browse to the Certificate Signing Request that you saved (Note 1 above). Click Generate and the Certificate will be created. Click Download and the Certificate will be downloaded to the Downloads folder on your Mac.
You can create several different kind of certificates and you do NOT need to re-create the CSR -- use the same one over and over.
On your Mac, you can just double click the Certificates downloaded and they will be added to your Keychain.
In Xcode, select the App root of the App Folder Tree and open "Signing and Capabilities". Select the Team that you have in the Apple Developer Site from the drop down list. Also select Automatically manage signing.
Also in Xcode, go to Xcode/Preferences/Accounts. You should select the Apple ID on the left which is the same as the one you use to log into the Apple Developer Account. On the right, you can select the Team which will do the Uploading and click Manage Certificates. You need valid iOS Development, Apple Development and Apple Distribution Certificates.
Note 2: If there are any Certificates that are missing the Private Key, this is because either the CSR was generated on a different PC to your current PC or you were not logged in as the same developer on the Apple Developer Site. This happened to me, and it was because I wasn't logged into the Developer Site the same as I had logged on my PC in System Preferences.
If you Archive, and you have missing Private Keys, the Archive will ask you to log into Keychain using the password which unlocks the PC for EACH and every missing key. Once done, the archive will be created.
Note 3: Make any mistake on this, and you will generate a failed archive with a non-zero exit code. Apple provide no clue as to how to solve this.
My current situation is that I have valid Apple Development, iOS Development and Apple Distribution Certificates and I can archive. In addition to the valid Apple Distribution Certificate, I have two Apple Distribution Certificates which are missing private keys. But, I can archive the app.
Be kind and be safe all.

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage

I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.
When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.
Here is the sequence of errors when trying to evaluate an installer certificate for code signing.
I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.
First you have to add your Apple ID to Accounts preferences in Xcode.
Start Xcode
Select Xcode > Preferences from the navigation bar.
At the top of the window select Accounts.
Click on the + on the lower left corner and select Add Apple ID...
A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.
Select your Apple ID and your team from the right side bar, then click on View Details....
A dialog will appear where you will see your code signing identities and the provisioning profiles.
For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.
If you have not created them you will see a Create button next to them. Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!
In the future, once you have it all working, I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app; it can also be reached by selecting project > Targets > General > Signing.
Hope that helps you, best of luck!
There are some possible reasons for certificate evaluation failure:
The certificate may be not for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.
Note that you can create a self-signed code signing certificate in the Keychain app for test purposes, following this and this tutorial. Make sure to enable it in "Get Info" > "Trust", set as "Always Trust".

Xcode, how to retrieve developer ID for distribution outside mac store?

I have already published my app on mac store, now I want to distribute my app outside Mac Store.
I am following this tutorial by Apple.
Here I am requesting for a Developer ID certificate, in Xcode->preferences->accounts->view details.
When I select the Developer ID option after clicking on the little + icon, I get following error.
I have Developer ID Certification Authority intermediate certificate in my keychain which is needed for Developer IDs
The tutorial also says: "Only a team agent can request Developer ID certificates. If you’re an individual developer, you’re the team agent and can request these certificates."
You can see in the screenshot below that I am an admin, so that's not an issue as well. What am I doing wrong?
I am not quite sure if it's relevant, but upon exploring the Mac developer certificates, I found out that the download button on the Developer ID cert was disabled.
So I am thinking I must have forgot to create a developer ID, also the expiry of that cert is 2018, which seems weird.
So if at all I have not created the Developer ID for some reason, how do I create those?
So, an admin of the team cannot request Developer IDs; only the agent can request Developer IDs for distribution outside the Mac Store.
The Team Agent can export the Developer ID certificates using the Keychain Access app and share the resulting .p12 file with a Team Admin. When the Team Admin opens the file on their computer and types in the password, those certificates are imported into their keychain and become accessible to Xcode. The Team Admin can now create archives and export apps signed with the Developer ID (no provisioning profile needed).
If you have the Developer ID certificate and you don't have the private key, you don't have an identity and you cannot sign anything with it.
Two situations:
1. you are the team agent and therefore you can generate Developer ID certificates
2. you are an individual and again you can generate Developer ID certificates
Unless you export it, the identity will be present only on the computer you used to request the certificate. So that will be the machine where you can practically sign anything with your Developer ID certificate.
If you are a team member or admin you don't have rights to generate the Developer ID certificates and you will simply not see the option at all. Your screen shows Revoke and Download buttons disabled because they were generated by someone else and you are not allowed to use it in any way.

Provisioning Profile 'Valid signing identity not found' error

I have an app that is ready for testing on my iPad, and I've created a development provisioning profile, matched up the bundleID and lowered the iOS deployment target.
However when I downloaded the profile and dragged it into the organizer, it says 'Valid signing identity not found'. I'm pretty sure this has got to do with the certificates in the keychain and private keys (???) however I have no idea how to fix this problem.
Can someone please point me to a tutorial or give me some advice on adding certificates into the keychain without using Xcode; stuff like the 'use for development' button isn't working for me!
Note:
The only valid Provisioning Profiles are distribution.
When I try to click 'Renew' Xcode says 'No value was provided for the parameter 'CertificateIDs'. I hope this helps!
The .p12 file associated with your provisioning profile is not found in your system keychain.
Check the few things below!
Make sure you have enabled the correct certificate while generating the provisioning profile in the Apple developer site.
Check if you have any duplicates of your certificate & private key in your Keychain Access.
If you do not have the .p12 corresponding to the provisioning profile, get it exported from the Mac system on which it was created & install it in your Mac system.
Check your code signing identity and set your profile there, and make sure your provisioning profile bundle ID is the same as your app bundle identifier.
To do valid code signing - without using Xcode - you need a valid certificate and key corresponding to the provisioning profile:
Check with Keychain Access that you indeed have an 'iPhone Distribution' certificate, with its own private key.
Make sure this is the same certificate that was used on the 'provisioning portal' to create your development / distribution profile. If not, create a new one, or import the certificate from the other Mac you used when you created the provisioning profile.
Download the provisioning profile, and just double-click it.
Posting this here because none of the other answers really went into enough detail to help me and I still had to figure it out on my own.
On the Apple developer website, log in and under certificates click 'All'. The certificate needs to be generated on YOUR machine and with YOUR account or things do not build. This is what confused me... You can click the + icon and make a new certificate (development, or distribution). If it does not let you select, for example, Distribution, it's because there are already too many certificates in the account. So first, you have to delete an older certificate.
1) Delete the oldest certificate in the portal
2) Click the + and create a new certificate -- this will guide you through opening Keychain Access on your machine and requesting a certificate from apple, and you will have to save a file and upload it to the developer portal to create the certificate.
3) Download the new certificate and it will add to Keychain access
4) Go back to provisioning profiles on dev portal, click EDIT on the one you are trying to use and change it to use the newly generated certificate.
5) Download and click the provisioning profile
6) Everything works great.
This process actually was not that difficult, but for some reason I could not find the correct explanation anywhere. I hope this will help someone.
I had the same issue. I did have all the private keys and everything was correct, but Xcode refused to build and kept saying that I didn't have a valid provisioning profile, and the organiser showed 'valid signing identity not found'.
The solution involved:
revoking my developer certificate and development provisioning profiles from the iOS provisioning portal
deleting those certificates from keychain
trying to build again and telling Xcode to 'fix issue'
This lets Xcode manage the certificates, and it magically worked.
However on another project I still had the problem, and it was solved by this answer:
https://stackoverflow.com/a/18966088/1192732

What are code signing identities in Xcode about?

What are "code signing identities" in Xcode?
Are they the certificates?
Are they the private keys?
Are they the app ids?
Are they the provisioning profiles?
If I go to the target build settings, it asks for the code signing identity, so I need to figure this out.
I thought we signed code using our private key. None of my private key names show up, however. It shows a list of certificates (I think, though I am not even sure.)
You've definitely hit on a topic that gets very deep very quickly and is a common source of headaches when trying to make device builds of iOS applications. First, let me put a little structure around each of the terms involved in the Code Sign process (both for you and anyone stumbling across this question later) and then we can turn to your main question:
CodeSign Terminology
The Code Sign phase of an iOS Device build is the process by which we cryptographically sign and secure a specific arrangement of data in an application, including the application executable binary itself, any embedded media assets (like button textures, custom artwork, fonts, etc.), and a set of metadata about our application; the result represents a unique 'thumbprint' of our application's data. This thumbprint is what is used by Apple and iOS to help ensure that our applications are not tampered with when being delivered to users' devices or when being run on users' iOS devices. To make this possible, Developers are required to register with Apple, set up an App Identifier, request Development and Distribution Certificates, register a set of Test Devices, and finally request a Provisioning Profile for their development efforts. The role of each of these elements is as follows:
App Identifier (or AppID) - A reverse DNS-style string that uniquely identifies exactly one iOS application on the AppStore.
Development and Distribution Certificates - These are digital documents cryptographically signed by Apple certifying the identity of the individual to which the documents were issued. For those familiar with Public Key Infrastructure, the Certificate itself contains a public key that can be used to verify the integrity of signatures later in the process.
Test Devices - The only approved standard distribution channel for iOS software is the AppStore. By registering a test device, developers may circumvent the AppStore and install software directly to devices for development and testing purposes. The total number of test devices allowed in a given membership year is 100.
Provisioning Profile - A document containing three main components: 1) Exactly one App ID, 2) One or more iOS Developer Certificates, and 3) Zero or more registered test devices on which the named iOS app may be directly installed. The contents of this document are cryptographically signed by Apple to ensure its contents cannot be tampered with.
It is the presence of this file and the thumbprint checks that determine whether a developer-generated app can be installed to a device, as it contains the notion of the 'Who' (Certificates), the 'What' (AppID), and the 'Where' (which devices).
Great, I got it...Now what about this Code Sign Identity thing?
In the context of an individual build target's build settings, the term Code Sign Identity refers to the Common Name of those certificates that are installed in the Keychain of the Developer's machine. In the Xcode build setting it appears as a list of options from which developers must select an Identity to use for CodeSign -- there's a lot of information encoded in each section of this menu:
Looking first at the black text - From the image above 'iPhone Developer: Bryan Musial (XXXXXXXXXX)' - This is really the primary item Xcode uses to find the public and private keys used to Code Sign. When selecting this item, you are instructing Xcode to reach into your Keychain and try to find a certificate whose 'Common Name' field matches that string and then grab that certificate (which contains the public key) and the associated private key for use in the Code Sign operation.
Just to be thorough, if you open up Keychain Access and double-click any of the 'iPhone Development: ...' or 'iPhone Distribution: ...' certificates, it shows all of the information encoded into the certificates Apple issues to its developers. If I were to select the entry in the first image, Xcode would reach into my Keychain and pull back this certificate (NOTE: Unique identifying details have been X'd or changed):
As you can see, the black text from the Xcode selection exactly matches the Common Name field in my certificate, so Xcode would pull back this certificate and its linked private key for use in Code Signing my app.
Looking back at the Xcode setting again, we also notice that there is more text in that menu selection as well -- the lighter gray text identifies the Provisioning Profile that will be built into the application. In the case of my example setting, Xcode will go and get the Provisioning Profile "MyiOSApp Testing" which has its AppID set to 'com.myiosapp.*'. Xcode is very greedy with stashing Provisioning Profiles, and fortunately Organizer gives you a great place to look over the Provisioning Profiles that are installed and get a sense about the basic data they contain. Again for the Xcode Code Sign Identity in the first image, the related Provisioning Profile in my Organizer would look like this:
The 'Name' column and the tail end of the App Identifier column match the light gray text from my Xcode setting, so this is the Provisioning Profile that would get selected for use during Code Sign. It is also important to note the 'Status' column at the end of the row. In this case, it is green and indicates 'Valid Profile'. This means that my Keychain has both the Public and Private keys for at least one of the certificates encoded in that Provisioning Profile. If this status is anything other than green then there is a problem with your current setup of Public/Private Keys and/or the Provisioning Profile -- Code Signing cannot work unless the Provisioning Profile you are trying to use has its status set to Green. Other possible status options include:
Valid signing identity not found: You do not have both the Public and Private key for at least one of the Certificates encoded in this Provisioning Profile. Delete the profile from Organizer, then return to the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and ensure you have your Development Certificate included in the Provisioning profile. Verify your certificate in Keychain Access is not expired or revoked and has a private key linked to the public key certificate.
Profile has expired: The expiry date for the provisioning profile has lapsed. Delete this Provisioning Profile from Organizer, then revisit the Certificates, Identifiers & Profiles tool on developer.apple.com/ios and reissue this Provisioning Profile (if it is actually still needed).
Other items that can trip you up
In addition to all of the nuances about making sure you have both Public and Private keys installed, and that the Provisioning Profiles are set just right, there are a few other things that can trip developers up. First, Xcode collects Provisioning Profiles and hangs on to them until you tell it to delete them. In theory, this isn't a super huge deal except in scenarios where you make changes to a Provisioning Profile, download and install a newer version. Many times Xcode will grab the right profile, but sometimes it doesn't get it right and you'll spend hours looking over the Certificates, Identifiers & Profiles tool as well as your keychain to try and get an idea about what is going on.
Suggestion 1: When installing a newer version of a Provisioning Profile, delete older ones so that Xcode isn't put in a position where it may have to make a decision.
A similar thing can happen if you reissue a Development or Distribution Certificate -- Most times Xcode will trigger a warning during the build about an ambiguous certificate.
Suggestion 2: Pay attention to ambiguity warnings during the build. It implies that you have an old certificate floating around that meets the build criteria and could be inadvertently used potentially causing a build problem.
Suggestion 3: Anytime you are in Keychain dealing with your certificates, look for 'iPhone Developer: ...' or 'iPhone Distribution: ...' certificates that have a red 'X' on them. This is an indicator that the certificate has expired or has been revoked. Either way, this Public Key (and potentially linked Private key) is of no further use to you for build purposes and can be deleted.
Finally, the Code Sign Identity setting also has an option that lists as 'Automatic Profile Selector'. In many cases you will want to use this option, as it will do its best to automatically look up your AppID from your build target's settings and look for a Provisioning Profile that matches that AppID and contains certificates that you have both a public and private key for. In some custom build circumstances it may not be possible to use this option and you'll have to use one of the fixed, specific options, like my demonstration setting in the first image. Be advised if you go with a fixed option -- any time you update the Provisioning Profile, you will need to also update the Code Signing Identity build setting to match the newer version.
Key Takeaways
Make sure you keep both your Keychain and Xcode Provisioning Profile lists clean and deduplicated.
After installing a Certificate and Provisioning Profile, make sure the Organizer reports that provisioning profile's status as Green ('Valid profile'). Any other status indicates a problem exists between your keychain and provisioning profile that needs to be addressed before you even consider running a build.
Try and use the 'Automatic Profile Selector'. Your teammates and any automated build systems will be happier with you if they too don't have to think about Code Sign Identity settings.
If you can't use the Automatic Profile Selector, make sure you always keep that setting up-to-date as newer iterations of your provisioning profile are made.
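As an added worked example (not code from the answer above, from Xcode or from Apple), the Organizer status logic this answer describes, reproduced in Python: the certificates embedded in a profile's DeveloperCertificates array are matched by SHA-1 fingerprint against the identities whose private key is in the keychain (the hashes `security find-identity -p codesigning -v` prints), and the ExpirationDate is checked. The profile bodies, certificate bytes, team ID and device UDID are constructed stand-ins, and cutting the plist out of the CMS envelope is an assumption about the file layout that deliberately skips Apple's signature check.

```python
import hashlib
import plistlib
from datetime import datetime

# CONSTRUCTED stand-ins for DER-encoded certificates (a real profile carries the
# real DER in DeveloperCertificates). Their SHA-1 is the hash that
# `security find-identity` prints for the matching identity, which is how the
# profile's 'Who' is matched against the keychain.
DEV_CERT_DER = b"constructed DER for iPhone Developer: Jane Developer (ABCDE12345)"
DIST_CERT_DER = b"constructed DER for iPhone Distribution: Example Corp (ABCDE12345)"

DEMO_NOW = datetime(2024, 6, 1)   # fixed 'today' so the demo is reproducible


def fingerprint(der):
    """SHA-1 of the certificate's DER bytes, upper-case hex as `security` shows it."""
    return hashlib.sha1(der).hexdigest().upper()


def build_profile(name, app_id, certs, expires, devices=()):
    """Assemble a CONSTRUCTED .mobileprovision body using the real plist keys.

    A real file is a CMS (PKCS#7) signature wrapped around this plist; the fake
    header/trailer here only stand in for that wrapper.
    """
    plist = {
        "Name": name,                                    # Organizer 'Name' column
        "AppIDName": "MyiOSApp Testing",
        "TeamIdentifier": ["ABCDE12345"],                # constructed team ID
        "Entitlements": {"application-identifier": "ABCDE12345." + app_id},
        "DeveloperCertificates": list(certs),            # the 'Who'
        "ProvisionedDevices": list(devices),             # the 'Where' (UDIDs)
        "ExpirationDate": expires,                       # naive UTC, as plistlib reads it back
        "UUID": "00000000-0000-0000-0000-000000000000",  # placeholder
    }
    return b"--constructed CMS header--" + plistlib.dumps(plist) + b"--constructed CMS trailer--"


def extract_plist(raw):
    """Cut the XML plist out of the CMS envelope.

    This does NOT verify Apple's signature over the profile; on a Mac use
    `security cms -D -i profile.mobileprovision` when the verified plist matters.
    """
    start = raw.index(b"<?xml")
    end = raw.index(b"</plist>") + len(b"</plist>")
    return plistlib.loads(raw[start:end])


def profile_status(raw, identity_hashes, now=None):
    """Organizer-style status string for a profile.

    identity_hashes: SHA-1 hashes printed by `security find-identity -p
    codesigning -v`, i.e. certificates for which the keychain holds the private key.
    """
    p = extract_plist(raw)
    now = now or datetime.now()
    if p["ExpirationDate"] < now:
        return "Profile has expired"
    embedded = {fingerprint(der) for der in p["DeveloperCertificates"]}
    if embedded & set(identity_hashes):
        return "Valid profile"
    return "Valid signing identity not found"


def who_what_where(raw):
    """The three components the answer lists: certificates, App ID, devices."""
    p = extract_plist(raw)
    return {
        "who": sorted(fingerprint(d) for d in p["DeveloperCertificates"]),
        "what": p["Entitlements"]["application-identifier"],
        "where": list(p.get("ProvisionedDevices", [])),  # empty for App Store profiles
    }


# Demo data: the keychain holds the private key only for the development
# certificate, so the dev profile is valid, the distribution one is not, and a
# profile whose ExpirationDate has passed is reported as expired.
PROFILE_DEV = build_profile("MyiOSApp Testing", "com.myiosapp.*", [DEV_CERT_DER],
                            datetime(2030, 1, 1), ["00008030-constructed-udid"])
PROFILE_DIST = build_profile("MyiOSApp AppStore", "com.myiosapp.app", [DIST_CERT_DER],
                             datetime(2030, 1, 1))
PROFILE_OLD = build_profile("MyiOSApp Old", "com.myiosapp.*", [DEV_CERT_DER],
                            datetime(2020, 1, 1))
KEYCHAIN_IDENTITIES = {fingerprint(DEV_CERT_DER)}

if __name__ == "__main__":
    for label, raw in [("dev", PROFILE_DEV), ("dist", PROFILE_DIST), ("old", PROFILE_OLD)]:
        print(label, profile_status(raw, KEYCHAIN_IDENTITIES, DEMO_NOW), who_what_where(raw))
```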
You can only sign your app with a certificate.
That certificate is either:
dev certificate (build from Xcode into your physical device)
enterprise certificate (build for employees)
app store certificate (build for real world customers)
The following will list certs you have available on your mac for signing.
security find-identity -p codesigning -v
For example, mine returns:
1) A0D1B4FBH9768DA909766DC27D6882088A994473 "Apple Development: Mohammad F (5ABCS7TRT6)"
2) 5404044732CF2A011D95C28222DCF0000D3B84E "Apple Development: mfaani#foo.com (97ENL333NA)"
My two certs can be identified by either:
A0D1B4FBH9768DA909766DC27D6882088A994473 OR "Apple Development: Mohammad F (5ABCS7TRT6)"
5404044732CF2A011D95C28222DCF0000D3B84E OR "Apple Development: mfaani#foo.com (97ENL333NA)"
Summary
Code signing identity is anything that can uniquely identify your certificate.
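An added example (not from any of the posts above) that parses the listing `security find-identity -p codesigning -v` prints and applies two rules from the answers on this page: a certificate without its private key never appears in that list (the Keychain Access check from the first answer), and two identities sharing a Common Name, such as a reissued certificate next to the stale one, are ambiguous, which is what Xcode's ambiguity warning means. The listing, hashes, names and team ID below are constructed.

```python
import re
import subprocess
from collections import Counter

# CONSTRUCTED listing in the shape `security find-identity -p codesigning -v`
# prints (see the answer above); hashes, names and the team ID are made up.
SAMPLE_LISTING = """\
  1) 1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D "Apple Development: Jane Developer (ABCDE12345)"
  2) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: jane@example.com (ABCDE12345)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Developer ID Application: Example Corp (ABCDE12345)"
  4) 00000000000000000000000000000000DEADBEEF "Developer ID Application: Example Corp (ABCDE12345)"
     4 valid identities found
"""

# One line per identity:   N) <SHA-1 of the certificate> "<Common Name>"
IDENTITY_LINE = re.compile(r'^\s*\d+\)\s+([0-9A-Z]{40})\s+"([^"]+)"')

# Common Name prefixes of the certificate types the posts discuss.
PREFIX_FOR = {
    "gatekeeper": "Developer ID Application:",  # apps distributed outside the Mac App Store
    "development": "Apple Development:",        # "iPhone Developer:" on older certificates
    "appstore": "Apple Distribution:",          # App Store submission
}


def parse_identities(listing):
    """Return [(sha1_hash, common_name), ...] for every identity in the listing.

    `security` only lists identities whose private key is in the keychain, so a
    certificate imported without its key (the .p12 was never exported from the
    Mac that made the CSR) is simply absent from this list.
    """
    return [m.groups() for line in listing.splitlines()
            if (m := IDENTITY_LINE.match(line))]


def select_identity(listing, prefix):
    """Choose the identity to hand to `codesign -s`.

    Returns ("ok", [hash]) for exactly one match, ("none", []) when no identity
    of that type has a private key, and ("ambiguous", [hash, ...]) when several
    certificates share the prefix, e.g. a reissued cert next to the stale one.
    Signing by hash rather than by name sidesteps the ambiguity.
    """
    hashes = [h for h, name in parse_identities(listing) if name.startswith(prefix)]
    if not hashes:
        return "none", []
    if len(hashes) > 1:
        return "ambiguous", hashes
    return "ok", hashes


def duplicate_names(listing):
    """Common Names that appear more than once; the stale one should be deleted."""
    counts = Counter(name for _, name in parse_identities(listing))
    return sorted(name for name, n in counts.items() if n > 1)


def keychain_listing():
    """Run the page's own command on a Mac and return its output."""
    return subprocess.run(["security", "find-identity", "-p", "codesigning", "-v"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for kind, prefix in PREFIX_FOR.items():
        print(kind, select_identity(SAMPLE_LISTING, prefix))
    print("duplicates:", duplicate_names(SAMPLE_LISTING))
```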