Certificates, Identifiers & Profiles

RSS for tag

Discuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.

Certificates, Identifiers & Profiles Documentation

Post

Replies

Boosts

Views

Activity

Developer ID certificate missing private key
Hi, I created a developer id certification from my apple developer account a couple of year ago and downloaded it as .cer file into my Laptop. Now I want to use this certificate to sign my application, but unfortunately Xcode shows an error message like 'Missing Private Key" and I can also see that there is no private key under my developer id certificate(there is no grey arrow to expand to see private cer) in keychain access. Moreover my developer account is expired and I do not want to extend it yet so unfortunately no solutions with apple developer account will work like creating a new certification etc. Do you have any other solutions like using Keychain Access or Xcode to link my private key again into my developer id certificate? Note: 1-.cer file was created on my laptop by me, which I am using now. So I would expected that the related private key should already exist in my Keychain Access(if I did not delete it mistakenly.) but I do not know which private key is the relevant one, I have several of them. 2-I have also a CertificateSigningRequest.certSigningRequest file which was copied near my .cer file. Maybe it could be useful for a solution? 3-No! unfortunately I do not have any .p12 file. 4-I had already installed current AppleWWDRCAG3 file before I import my .cer file into my Keychain Access Tool. 5-Get Info shows that my cer file is still valid till sep 2025. 6- I have already restarted my Xcode and laptop. 7-I tried all solutions here: https://stackoverflow.com/questions/12867878/missing-private-key-in-the-distribution-certificate-on-keychain 8-https://developer.apple.com/account/resources/ shows me no certificate with the reason that my membership expired 9-I removed and re-added my apple account into Xcode. the same error occurred. XCODE:Version 15.3 (15E204a) OSX:macOS Sonoma 14.2.1 Thanks a lot in advance.
1
0
1.5k
Mar ’24
Codesign fails when executed in CI runner
Hello, I am setting up a build (Gitlab CICD) runner. I create a keychain and imported certificate and my signing key. $ security find-identity -v XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" (CSSMERR_TP_NOT_TRUSTED) 1 valid identities found $ security find-identity -p codesigning -v XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" 1 valid identities found Codesign fails with unable to build chain to self-signed root for signer "Developer ID Application: XXXXXX, INC. (XXXXXX)" errSecInternalComponent On the local machine everything is fine. I think the point is that the identity is both valid and CSSMERR_TP_NOT_TRUSTED. What can I do about it?
1
0
601
Mar ’24
Asset validation failed (90284) Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile
Electron-Builder Version: 24.12.0 Electron-Builder-notarize Version: 1.5.1 Node Version: v15.14.0 Electron Version: 11.3.0 Electron-updater version: ^4.3.5 Target: Mac Apple Store (mas) Hello, I am trying to build and sign a new version of my electron app for the mac apple store (mas), but when I get to the final step of uploading the RenderTune.pkg file to the mac transporter app, I get a failed status with 22 errors all the same formatting like so: Asset validation failed (90284) Invalid Code Signing. The executable 'com.martinbarker.digifyunique.pkg/Payload/RenderTune.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/etc....dylib' must be signed with the certificate that is contained in the provisioning profile. (ID: abc-abc-abc-abc-abc) In order to build and sign this RenderTune.pkg file, first I run the command npm run build-mas locally while on branch v1.1.5 ( code here ) Which runs the following command: "build-mas": "electron-builder build --mac && sh signmasscript.sh", So first it runs electron-builder build --mac and gives this output: Martins-MacBook-Air:rendertune-v1.1.5-feb-24 martinbarker$ npm run build-mas > rendertune@1.1.5 build-mas > electron-builder build --mac && sh signmasscript.sh • electron-builder version=24.12.0 os=20.6.0 • loaded configuration file=package.json ("build" field) • writing effective config file=dist/builder-effective-config.yaml • packaging platform=darwin arch=x64 electron=11.3.0 appOutDir=dist/mac • signing file=dist/mac/RenderTune.app platform=darwin type=distribution identity=ACBACBACBACBACBACBACBACBACB provisioningProfile=none • skipped macOS notarization reason=`notarize` options were not provided • building target=DMG arch=x64 file=dist/RenderTune-mac.dmg • building target=macOS zip arch=x64 file=dist/RenderTune-mac.zip • building block map blockMapFile=dist/RenderTune-mac.dmg.blockmap • building block map blockMapFile=dist/RenderTune-mac.zip.blockmap Completes without issue. The next part is running the signmasscript.sh file, which does complete but gives these errors: Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1 productbuild: Adding component at /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/dist/mas/RenderTune.app productbuild: Signing product with identity "3rd Party Mac Developer Installer: Martin Barker (LV6WXG529F)" from keychain /Users/martinbarker/Library/Keychains/login.keychain-db productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority" productbuild: Adding certificate "Apple Root CA" productbuild: Wrote product to /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/RenderTune.pkg productbuild: Supported OS versions: [10.10.0, ) The final output RenderTune.pkg file gives 22 error messages saying `` when I try to deliver it via the mac os transport app. Asset validation failed (90284) Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile Is my app even being signed correctly? Or is there just one file that I need to fix? Please help me out !
5
0
2.1k
Feb ’24
Distribution profile : Bundle ID mismatch issue
Hi , In one of our application we are having issues of bundle Id mismatch in the distribution profile. Say there are two applications X and Y. Issue Description : On the developer portal inside the distribution profile the App Id shown is correct I.e of X but when we download the distribution profile and open it in the textedit we can see that the bundle id is of another application i.e of Y . Due to which are are unable to submit or upload the application. 
 Note: Both of them have contact notes as additional permission.
0
0
525
Feb ’24
Developer cert says revoked on one Mac but not on another
I've installed the same developer certificate onto three different Macs. When viewed in the keychain (or in Xcode) on one Mac it says its revoked, on another it says its not trusted, but on a third there's no issue reported. How could there be a difference between the three Macs? (Both Macs have the date/time set to be the same). Can 3rd party software, VPNs etc. interfere in this at all?
1
0
559
Feb ’24
Signing applications with jpackage: Is a distribution certificate sufficient, and, if so, how do I use it?
I've developed a Java application for ad hoc distribution, not intended for the Apple Store. Using the jpackage utility and the parameters... --mac-sign --mac-signing-keychain --mac-signing-key-user-name ...I'm able to point the software to a signing certificate. My problem is that jpackage requires a certificate with a "Developer ID Application" type/prefix, and I'm not authorized to create a certificate of this type, as "This operation can only be performed by the account holder." I thought it might be sufficient to create a "Distribution" certificate, since this allows a developer to "Sign your iOS, iPadOS, macOS, tvOS, watchOS, and visionOS apps for release testing using Ad Hoc distribution or for submission to the App Store." However, there doesn't appear to be any way to get jpackage to accept anything other than a "Developer ID Application" -prefixed certificate. I gather from this, and the fact that the Developer ID Application certificate is described as "This certificate is used to code sign your app for distribution outside of the Mac App Store," that this is the only type of "legitimate" security certificate Apple will accept when launching out-of-store apps. I'm not certain of this, however, and I'd like to be certain before pestering my client about it. My questions are: Is a "Developer ID Application" certificate specifically required, or can I sign the app using, e.g., a "Distribution" certificate without issues? If a "Developer ID Application" certificate is required, is it possible for my client (the "Account Holder") to grant me access to download it and use it? If a "Developer ID Application" certificate is required, what exactly is a "Distribution" certificate good for? Why isn't it sufficient to distribute software? If I can sign the app using a Distribution certificate, is there a way to force jpackage to do this, or do I have to it manually using, e.g., codesign ex post facto? Note that this issue has cropped up before on this thread, but the developer there ultimately found his developer ID certificate and the discussion was abandoned before any answers were forthcoming.
2
1
1.1k
Jan ’24
Code signing on macOS using com.apple.webinspector.allow entitlement
I'm working on a macOS app that uses a JSContext and I want to debug it with the Safari Web Inspector. According to Session 402 at WWDC 2016 the following entitlement is required: <key>com.apple.webinspector.allow</key> <true/> This is easy enough to add, but it causes the app to crash at launch with a code signing issue. The console shows that taskgated-helper is reporting just before the crash: Unsatisfied entitlements: com.apple.webinspector.allow For anyone who finds this, here's what you need to know: https://webkit.org/blog/13936/enabling-the-inspection-of-web-content-in-apps/ Basically, there's now a inspectable property on both the WKWebView and JSContext. Unfortunately, there's no mention of the old entitlement in the WebKit blog post, so it's impossible for folks using the old technique to find. Hopefully this post will bridge this gap. It also might be something for @eskimo to add to his (always helpful) code signing documentation. -ch
1
0
505
Jan ’24
How backup certificate
Hi, I have upgraded my Mac to Sonoma and for some reason I get lost now when backup up a certificate. As I wasn't able to import my old certificate (exported as p12, but this is another issue) I started from scratch. I have created from KeyChain a new CertificateSigningRequest. Then I've uploaded it to the Apple Developer Portal and created a new certificate, that I have successfully downloaded as cer file. Now, I would like to save the certificate, including the private key. From KeyChain, I don't get a Reveal option to be able to export the private key of my certificate. Was it available in old versions of KeyChain, and now not anymore? Or my certificate doesn't have the private key? (imo this doesn't make sense at all) So I right click on the certificate but I can't export as p12 file, with the private key: Can please anyone refer me to the official documentation about this? (I have searched for it, but unable to find anything)
2
0
679
Jan ’24
Certificates : Problem with Convert a CER file to a P12 file !!
I have a strange problem and I don't know what's causing it A year ago, I purchased this account and created a certificate and it was working successfully, but its time expired on 1/8/2024, and I want to create a new one in order to update my applications. So I went to create a new certificate of type (iOS Distribution) and it was downloaded successfully, and when I called it in the (Keychain access) program in order to convert it to (.P12) instead of (.cer). But the program refuses to recall it, and I choose the (Local Item) section. thus : But when the file is dragged or double-clicked while I am standing in the (Login) section, the certificate is summoned successfully, and here the real problem begins. It is assumed that in order for me to convert the certificate from (cer) to (p12), there must be an arrow next to the certificate so that the key appears so that it can be pressed. Right-click, then we choose Export, and then we choose (p12). This happens because there is no arrow next to the certificate, and also when I By clicking on the certificate to export it, I am not allowed to choose (p12). How can I convert the file successfully because I want to update my applications, which is very important.
2
0
3.3k
Jan ’24
Difficulty debugging a Provisioning problem
I am stuck. I have an iPadOS app that installs and calls a DEXT. I have a provisioning file for the DEXT and another for the app. Xcode shows me that the respective provisioning files match the bundle ids and that the entitlements and provisions match up. I have a developer certificate (two, actually) on the iPad. Xcode shows me, via "Devices" that the provisioning files are installed. When I try to run the app, I get: 0x16d3db000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 78: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.vyncZ7/extracted/USBApp.app/SystemExtensions/w1ebr.MUUI.ipadOS.driver.dext : 0xe8008015 (A valid provisioning profile for this executable was not found.) I don't know what to check next.
10
0
1.2k
Jan ’24
Xcode: Generating a profile without a real Apple TV device?
I’m developing this tvOS app, and it builds and runs fine locally in Simulator. However, when I do Product > Archive (so I can upload it to app store later), it fails with error in the screenshot. Looks like Xcode is trying to sign the app with a certificate, but could not find a valid profile to do so. Since I don't have a physical Apple TV device, I'm unable to add an Apple TV to the Devices list on developer.apple.com, thus unable to create a profile. Is the any way around this issue to archive my tvOS app?
2
0
742
Jan ’24
Cannot open the app received via TestFlight on macOS
I send a macOS app build to appStoreConnect. The app is displayed inside TestFlight but when I click on it to open it, two modal appear. The first one: the application "AppName" can't be opened. -10673 The second one: "AppName" No longer Available. The beta app, AppName, is no longer available. The provisioning profile is invalid. I followed the following step before uploading the app archive: I made sure to purge my Mac from all the old provisioning profile having all my provisioning profile from my apple developer account valid retrieve provisioning profile Xcode settings > Accounts to export an archive. I choose TestFlight & App Store to send the Archive. I am still no understanding which part of my provisioning profiles are not valid, I would love to have insight about it or a way to fix the issue.
0
0
620
Jan ’24
Xcode Cloud - Problem with the request entity...No signing certificate "iOS Development" found
Hi, Xcode Cloud just started failing with with this error. I can archive builds just fine locally in Xcode. Using Xcode 14.3.1. All my certs on my developer portal are current. 2024-01-02T16:26:44.707563433Z Error Domain=DeveloperAPIServiceErrorDomain Code=5 "There is a problem with the request entity" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=There is a problem with the request entity, NSLocalizedRecoverySuggestion=You already have a current Development Managed certificate or a pending certificate request.} 2024-01-02T16:26:44.707568258Z 2024-01-02T16:26:44.707575827Z error: exportArchive: No signing certificate "iOS Development" found The post at https://developer.apple.com/forums/thread/734179 is similar but without a resolution. Any help would be appreciated. Thank you.
4
2
1.9k
Jan ’24