Unable to access Keychain after revoking distribution certificate - iOS

I am working on a project which is already in the App Store, submitted by a different developer. Now I am trying to submit an updated version of the app with a different version and build number. I am unable to access previously stored keychain values.
Here are the steps I did:
1) Revoked the old Distribution certificate created by another person and created a new one with my machine.
2) Regenerated the Provisioning Profile which was used by the previous developers
3) Code signed and submitted to the App Store
4) Downloaded the old build from the App Store
5) Installed the updated build from TestFlight
Now I am unable to access the keychain values already stored.
Now what can I do to retrieve the old keychain values? I have also checked the team ID for Keychain group access; it is the same as the old one. Is there any way I can retrieve the old keychain values?

Here is a brief answer which may help you to resolve your issue:
keychain group which is tied to your team identifier. So, basically,
access to keychain after app updates depends on the distribution
certificate you use, not on the provisioning profile
So if you are saying you revoked all old certificates and the one with the new certificate (that you created), then access to keychain groups will be lost for this version.

Finally I got a solution from the Apple guides:
Note: In iOS, Keychain rights depend on the provisioning profile used
to sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
https://developer.apple.com/library/content/documentation/Security/Conceptual/keychainServConcepts/iPhoneTasks/iPhoneTasks.html
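
Added example (not part of the original posts and not Apple's code): one way to see what actually changed between two builds is to compare the keychain-related entitlements carried in each build's provisioning profile. The profile bytes, the identifiers ABCDE12345, TEAM123456 and com.example.app, and all function names are constructed for illustration; real input would be the embedded.mobileprovision of each signed build.

```python
import plistlib

# Entitlement keys that decide which keychain access groups a build receives.
KEYCHAIN_KEYS = ("application-identifier", "keychain-access-groups",
                 "com.apple.developer.team-identifier")

def profile_entitlements(blob: bytes) -> dict:
    """Return the Entitlements dict of an embedded.mobileprovision blob.

    The profile is a CMS container that carries its XML plist in the clear, so
    slicing between the plist markers is enough for inspection. The CMS
    signature is NOT verified here.
    """
    start, end = blob.find(b"<?xml"), blob.rfind(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(blob[start:end + len(b"</plist>")])
    return plist.get("Entitlements", {})

def keychain_diff(old: dict, new: dict) -> dict:
    """Map each keychain-relevant key that differs to (old_value, new_value)."""
    diff = {}
    for key in KEYCHAIN_KEYS:
        before, after = old.get(key), new.get(key)
        if before != after:
            diff[key] = (before, after)
    return diff

def _fake_profile(prefix: str, team: str, bundle: str) -> bytes:
    """Build a CONSTRUCTED stand-in for a profile: junk bytes around a plist."""
    body = plistlib.dumps({"Entitlements": {
        "application-identifier": f"{prefix}.{bundle}",
        "keychain-access-groups": [f"{prefix}.*"],
        "com.apple.developer.team-identifier": team,
    }})
    return b"\x30\x82\x0c\x1f" + body + b"\xa0\x82\x05\x00"

# Constructed sample values, not taken from any real account.
OLD_PROFILE = _fake_profile("ABCDE12345", "TEAM123456", "com.example.app")
NEW_PROFILE = _fake_profile("TEAM123456", "TEAM123456", "com.example.app")

if __name__ == "__main__":
    changes = keychain_diff(profile_entitlements(OLD_PROFILE),
                            profile_entitlements(NEW_PROFILE))
    for key, (before, after) in changes.items():
        print(f"{key}: {before!r} -> {after!r}")
```

In the constructed sample the team identifier is identical in both profiles while the prefix on application-identifier and keychain-access-groups differs, which is the kind of difference a team-ID-only check does not show.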

Related

iOS Keychain access and Provisioning Profiles

Just came across this in Apple's Keychain Services Concepts:
Note: On iPhone, Keychain rights depend on the provisioning profile
used to sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
I also know that provisioning profiles can change for many reasons, including adding a new functionality like push notification, adding watch support, or even adding a new team member.
Now am I correct to assume that whenever above changes occur, new versions of my app will no longer be able to access keychain items that were created with previous versions?
Thanks!
I don't think your assumption is right. The Keychain Access only depends on the bundle identifier of your application and the profile which was first used to create the app. If it depended on your code-provisioning profile changes, indeed what you said would be correct, but if so, businesses and enterprises would be totally unable to develop updates for their applications, which would have also included the old info stored in the Keychain. That's because in a business, people come and leave often!
Note: On iPhone, Keychain rights depend on the provisioning profile used to sign your application. Be sure to consistently use the same provisioning profile across different versions of your application.
You can add a team member, configure a push notification services and so on, as long as the provisioning profile stays the same.
Note: If you change the provisioning profile just to add a team member, yes, your assumption is right, but it just isn't the best way of doing this. Rather, I recommend reading this tutorial (on how to add a team member to a provisioning profile).
Keychain directly depends on the bundle ID; if the bundle ID remains the same then your app can access the keychain, so the provisioning profile should map to the same bundle ID if the app needs to access the keychain.

Valid iOS Distribution Certificate - developer name change

Here's how I've been led to this path.
I started on a macbook, with a standard developer account. Submitted a few applications. Then moved to an iMac, same developer account. Submitted a few applications.
Now, my developer account is a company account, i.e., I got the name changed to my company name. However, now I cannot submit to the App Store. I get "your account already has a valid iOS Distribution Certificate".
I cannot get past this hurdle!
I'll now try and explain which profiles and signing identities I have in my developer account.
Certificates
Company name - iOS Distribution
My Old account name and/or my actual name - iOS Development
App IDs
Application Name - Correct bundle identifier
Provisioning Profiles
iOSTeam Provisioning Profile: App-Name - iOS Development
App Name - iOS Distribution - Active ( correct app id and correct certification for distribution )
All of these certificates are locally in my keychain.
However, I cannot get it to work. Some help would be greatly appreciated, I'm having an absolute nightmare.
The certificate is just used to prove that you are the person who (signed and) submitted the app.
Apple re-signs your app with their credentials before it appears on the store. You can be assured that revoking a certificate won't invalidate any previous submissions for this reason.
The issue right now is that Xcode and/or keychain are likely affected by (or using) conflicted (or old) details, and Xcode doesn't recognize that something has changed, or cannot replace the old data with the current data.
You should revoke your certificate(s), delete them from Xcode and keychain, then let Xcode generate a new one.
Otherwise, those old keys will linger in Xcode and keychain and be a point of confusion, both now, and down the road.
I realize it seems like an ominous thing to do, but if there were dire consequences, Apple would clearly be warning you, instead of letting you simply revoke and be reissued a new certificate.
Solution in my case.
I deleted all old certificates/keys and revoked my distribution profile from the members centre (so I didn't have any). Then I proceeded to Xcode > Accounts > View Info > + > distribution profile and it generated a new one for me.
This has now allowed me to submit via the app store and remove the very vague error.

iOS Appstore App Update - Code Signing

I have a doubt about code signing during App Store submission. I already submitted an app to the App Store with the profiles and certs created, and it's currently in the App Store. Unfortunately, I lost the machine where I had the backup of those profiles and certs. I know that the provisioning profile can be downloaded from my developer account.
My doubts here are: 1) As I don't have a backup of the .p12, do I need to raise a request for a new certificate from my keychain and proceed with that?
2) If so, will users be able to upgrade the existing app from the App Store?
Thanks in Advance.
Here are your answers
1) As I don't have a backup of the certificate and .p12, do I need to raise a request for a new certificate from my keychain and proceed with that?
Don't worry; when you want to release a new update for your application, create a new .p12 file and use it. Certificates are basically used to authenticate your machine with the developer account.
2) If so, will users be able to upgrade the existing app from the App Store?
No problem for users, as the App Store distribution provisioning profile works very differently from the developer provisioning profile, so no user needs to update.
Just for your info: the signing files for Android are very important, not for iPhone application. For Android, if signing keys are lost, you cannot update apps, whereas for iPhone you can create new certificates and update your apps.
Yes, you can just request a new production certificate from your new machine.
Then use it for your old provisioning profile for the app.
Yes, without the private key in your keychain, you can't use the existing provisioning files created with that private key. So you need to create new Developer/Distribution certificates in the developer portal with new certificates. This will not affect the existing application in the App Store.

access to keychain from app after system update

What happens to data stored in the keychain when a user updates their iOS version to a new system? I.e., a user has iOS 6 and stored some information from my app in Keychain; will that information still be available after installing iOS 7?
BR
Kivu
Nothing will happen to data in KeyChain, keychain persists even after the app is removed, it is linked to AppID and the access rights depend on the provisioning profile used when signing your application.
On iPhone, Keychain rights depend on the provisioning profile used to
sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application
After my customers upgraded to a new version of my App using KeyChain.... under iOS7 they lost all the information.

Certificate identity 'iPhone Developer: ' appears more than once in the keychain. The codesign tool requires there only be one

Ok, I am completely pulling my hair out on this one.
Back in July I created a provisioning profile so I could test on my iPad.
Then at the end of August I tried submitting my first App to the iTunes Store. The process was a complete nightmare, and I struggled. A lot. In the end I found a tutorial with relatively recent information in it, and only by following it step by step could I actually get anywhere with this. Unfortunately the result of this was that I created a new provisioning profile.
Now when I try to test on my iPad I get the following error in Xcode:
Certificate identity 'iPhone Developer: MyName' appears more than once in the keychain. The codesign tool requires there only be one.
I check the keychain, and sure enough there are the two provisioning profiles for development, one from July and the one I used to submit to the iTunes Store in August.
Now what I want to do is get rid of the old one, and then connect my iPad up to the new one. I can get rid of the old one fine, but I cannot connect my iPad to the new one; it insists on using the old profile, even to the point of re-attaching it to the keychain after I've deleted it.
Can anyone tell me:
How to connect my iPad to the new provisioning profile?
And while we are at it, can anyone shed any light on why this entire process is so convoluted and difficult? Considering that so much of Apple's interface is so well designed and fluid, this process of registering certificates and applying them to different devices and apps seems so backwards. I initially suspected this was just me, but googling for these error messages reveals that there are many who are struggling at various points along this process.
This has nothing to do with Xcode and everything to do with keychain.
Open keychain.
Find the signing certificates that are tied to your provisioning profiles.
Delete one. You probably want to keep the newer one, so look at the expiration dates and remove the one that expires first.
Restart Xcode
You may need to update your provisioning profile if it isn't tied to the new certificate, but it won't be as painful as creating a new certificate.
Here's a broad overview of how code signing in Xcode works. It's a bit much but will explain what's wrong with your configuration, and how you can fix it.
There are three parts to the mechanism that ensures that you are who you say you are and that your app is allowed to run where it wants to.
You've got a pair of keys, one public and one private. Your public key matches your private key, which identifies you.
Your keys are used to generate certificates. Generally, you'll have one certificate for development and one for distribution, either on the App Store or via Ad Hoc distribution. These certificates permit you to provision your apps.
Each certificate is used to generate provisioning profiles. The profiles must be attached to either a development or a distribution certification. A distribution profile either works on the App Store, or it contains a list of device IDs which may run apps signed with that profile.
If your certificate is expired, the provisioning profiles that are created with it are going to be invalid. In this case, replace both the certificate and the profiles. Generate a certificate signing request (CSR) from Keychain Access and upload it to the developer portal.
If you have multiple certificates in your keychain, Xcode won't know which one to use. This may happen if you renew your certificate and don't remove the old one. (It may also happen if you exported your developer profile and then imported it later. Your old certificates will carry over.)
If your provisioning profile is expired or invalid, you can renew it in the developer portal without generating a new CSR. You can just attach it to an existing valid certificate.
Certificates can't be carried over from one machine to another without moving the original key pair that requested it. Exporting the certificate from Keychain will export the keys as well.
Delete the old one, and start build with new.
One more way you can try: set the code signing identity with the profile you want to run in both the target and the project build settings.
Hope it will help you.
Otherwise you have to delete old one.
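
Added example (not part of the original posts): a small check for the duplicate-identity condition discussed in the answers above, run over the text that `security find-identity -p codesigning` prints on macOS. The listing below is constructed, its layout is an assumption about that command's output, and the names, team ID and SHA-1 values are placeholders.

```python
import re
from collections import defaultdict

# One identity line: index, 40-hex SHA-1, quoted name, optional status in parens.
IDENTITY_RE = re.compile(
    r'^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"(?:\s+\((\w+)\))?\s*$')

def duplicate_identities(listing: str) -> dict:
    """Map each identity name listed with more than one certificate to its
    [(sha1, status), ...] entries, so the stale one can be picked out."""
    by_name, seen = defaultdict(list), set()
    for line in listing.splitlines():
        match = IDENTITY_RE.match(line)
        if not match:
            continue  # headers and the "N identities found" summary lines
        sha1, name, status = match.groups()
        if sha1 in seen:
            continue  # the same certificate repeated in the "valid only" section
        seen.add(sha1)
        by_name[name].append((sha1, status or "valid"))
    return {name: ids for name, ids in by_name.items() if len(ids) > 1}

# CONSTRUCTED listing in the layout assumed for the command's output.
OLD, NEW, DIST = "A" * 40, "B" * 40, "C" * 40
SAMPLE = f'''Policy: Code Signing
  Matching identities
  1) {OLD} "iPhone Developer: Jane Doe (ABCDE12345)" (CSSMERR_TP_CERT_EXPIRED)
  2) {NEW} "iPhone Developer: Jane Doe (ABCDE12345)"
  3) {DIST} "iPhone Distribution: Example Corp (ABCDE12345)"
     3 identities found

  Valid identities only
  1) {NEW} "iPhone Developer: Jane Doe (ABCDE12345)"
  2) {DIST} "iPhone Distribution: Example Corp (ABCDE12345)"
     2 valid identities found
'''

if __name__ == "__main__":
    for name, ids in duplicate_identities(SAMPLE).items():
        print(name)
        for sha1, status in ids:
            print(f"  {sha1}  {status}")
```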
