My company has an Apple Developer ID, and I have acquired a distribution certificate to release an Ad Hoc version of the app for testing. However, now owing to my leaving, they need me to transfer the company Developer ID and the certificate to other computers.
I exported the p12 file of the Distribution Certificate and ran it on other Macs.
On one computer, everything went well, while it did not work on another one. I have tried to download the WRDCA and run it, yet that did not solve the problem.
In addition, I found that on that computer, there is no certificate for the Apple Application Integration Certification Authority. Is this the reason why the p12 file did not work on the Mac? If not, how can I solve this problem?
In short, I carelessly to ensure to delete all the AWDRCA in my keychain.
If anyone else finds that the certificate is in the situation of "This certificate was signed by an unknown authority" with the AWDRCA installed in your system, please check whether there is any other AWDRCA in the "System" keychain category which is invalid or overtime. Delete them as well if there are. And then your other CA might be valid as well.
In addition, as for the certificate of the Apple Application Integration Certification Authority, it is less likely, if possible at all, to influence your CA because the direct signer of the certificate is AWDRCA. However, if you have doubts about this, you could just download the AAICA at the following address.
Apple Original PKI Website
There are three kinds of AAICA; which one depends on you. I just use the first one.
Finally, thanks to Gary Lip for the patient description. My carelessness might mislead his/her thought of solving my problem.
I'm kind of new to this Apple certificate and provisioning galore, and also don't really understand much about keychain. What I've learned from this error is that I need to get the original team certificate from the original Mac which created the team certificate, export it, and import it to mine.
The only problem is: which certificate? I have my own team dev certificate, so I guess I want to draw a parallel comparison. But when I tried to open my own keychain, I was presented with tons of keys and I don't know which one to export. And now, I need to give instructions to people at the remote location on which certificate to export, but how am I supposed to give instructions if I myself don't know the name of the certificate to export? The other guy doesn't know much about certificates either.
All this time, I have always used "reset" or "revoke" certificate to resolve this problem. But I know that's not the correct way because the certificate on the other computer will be invalid then. Because this is a different team, I cannot use the "revoke" tricks here. How can I do this the correct way and point the other guy to which one to export? What are the hints that usually indicate that this is the correct certificate to export?
We are struggling with the Distribution Certificate handling from Apple.
We have several developers setup in the Apple Developer Portal, for the sake of the example:
Alice: Team Admin
Bob: Admin
Charles: Admin
Dan: Developer
Alice, Bob, and Charles should be able to build Apps for Distribution (Adhoc for internal testing, Testflight for external testing, and Appstore for distribution). Dan is only producing code and debugging on his local machine.
All users use individual accounts for the development.
From what we understood from the Apple documentation, Alice, Bob, Charles need a valid distribution certificate. If Xcode generates it for them, they will start playing “ping pong”, and keep revoking each other’s certificate – at least this is what appears to be happening at the moment.
We are not sure why this would happen. One would think, that if you create a different new user this account can also maintain his own (distribution) certificates.
Anyway, so they will need to share a distribution certificate, by sharing the private key (p12 file) of it, as you can find in the answer here.
In our account, it appears as if we can have up to two valid distribution certificates.
We don’t really know how this ultimately worked – we didn’t do it manually over the developer portal, but used Xcode for it. Alice generated her certificate, Bob revoked and regenerated, Alice did the same thing – but suddenly they both had a valid distribution certificate, instead of invalidating Bob's certificate.
In the documentation it was mentioned that you can have up to 2 valid distribution certificates. We have also manually tried to generate the distribution certificates and could confirm that it is limited to two.
However, we then got recently invited to a customer’s developer program to sign apps on his behalf.
I assume the customer was not aware that we require the private key from his distribution certificate. We therefore tried to manually generate a distribution certificate, and saw that it was not possible. To our surprise though, the customer managed to generate 3 valid distribution certificates.
Any idea how this worked?
Our questions in a nutshell:
1. What is best practice when you manage a team of developers?
Do you normally share the private key of the first developer who generated the certificate with all other team members who should be able to sign the app?
2. What is the best practice when you work with clients?
Do you ask them to generate another private key, or is there some hidden functionality to generate as many distribution certificates as you want, given that every developer uses his own account?
3. What happens when we revoke a certificate?
It doesn’t affect the apps in the app store, but only seems to limit other developers to build their app. However, what happens with APNS / Push Server certificates? When we revoke a distribution certificate through Xcode, will this also suddenly stop working for the sender?
Thank you for your help.
After a long time of investigation and trying things out, here is what we think is the best fit for us. Not sure if it is best practice but it seems to work for us just fine.
1. What is best practice when you manage a team of developers?
One person generates a distribution certificate using his Mac. He then exports the certificate (public AND private key) in a p12 file, as suggested by washloops, and shares it with the team.
2. What is the best practice when you work with clients?
We have two sorts of clients:
Clients working with multiple suppliers (so we are just taking care of 1 app, out of their portfolio) - We ask them to share their distribution certificate (public + private key). If they don't have it, they need to get it from another vendor.
Clients working only with us - We generate the certificate and share it with the client later on. This allows them to share it with other vendors if they need to.
3. What happens when we revoke a certificate.
From our tests: "nothing". If you revoke a distribution certificate, it will prevent developers using this certificate from submitting / building apps. However, existing APNS / Push certificates are not affected.
To us it seems as if APNS / Push certificates are totally independent, and if you wish to revoke them, you need to revoke both.
You have to create just 1 distribution certificate. After that you go to Keychain Access, select the certificate and export it as ".p12", and maybe add a password to it.
After that you just install it in the other computers.
Regards :)
When I try to generate an ipa file, I am getting this error. Not able to solve. Please help me out to resolve this error:
I have my own account; in my Keychain Access it's showing like this:
I am not using a new Mac, I have already created an ipa. I created it just the day before. But today I am not able to. I have the .cer profile too. It's valid.
Here's the statement from Apple.
Thanks for bringing this to the attention of the community and apologies for the issues you’ve been having. This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To resolve the issue, you should first download and install the new WWDR intermediate certificate (by double-clicking on the file). Next, in the Keychain Access application, select the System keychain. Make sure to select “Show Expired Certificates” in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate (expired on February 14, 2016). Your certificates should now appear as valid in Keychain Access and be available to Xcode for submissions to the App Store.
https://forums.developer.apple.com/thread/37208
Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
and double-click to install to Keychain.
Select "View" -> "Show Expired Certificates" in Keychain app.
Remove Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab in Keychain app.
Ensure the newly downloaded cert is in both login and system. Defaulting to only the system tab will still give an error.
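The check these answers describe (an expired Apple Worldwide Developer Relations intermediate still sitting in the login or System keychain) can also be done from the command line. This is an added shell example, not part of any post here; the function names and the login keychain path (`login.keychain-db`, the naming used since macOS 10.12) are assumptions of the example.

```shell
#!/bin/sh
# Added example: report expired copies of a CA certificate in the login and
# System keychains. Function names are this example's own.

# split_pem DIR: read concatenated PEM certificates on stdin, write each one
# to DIR/cert-N.pem, and print how many were written.
split_pem() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    '
}

# report_stale DIR SECONDS: print subject, notAfter and SHA-1 fingerprint of
# every cert-N.pem in DIR that expires within SECONDS (0 = already expired).
# Files that do not parse as certificates are skipped.
report_stale() {
    for f in "$1"/cert-*.pem; do
        [ -f "$f" ] || continue
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the cert expires within N seconds.
        if ! openssl x509 -in "$f" -noout -checkend "$2" >/dev/null 2>&1; then
            openssl x509 -in "$f" -noout -subject -enddate -fingerprint -sha1 \
                | tr '\n' ' '
            echo
        fi
    done
}

# scan_keychain KEYCHAIN [NAME]: macOS only. Export every certificate whose
# common name contains NAME from KEYCHAIN and report the expired ones.
scan_keychain() {
    tmp=$(mktemp -d) || return 1
    security find-certificate -a -p \
        -c "${2:-Apple Worldwide Developer Relations}" "$1" \
        | split_pem "$tmp" >/dev/null
    report_stale "$tmp" 0
    rm -rf "$tmp"
}

# Run the scan only where the macOS `security` tool exists.
if command -v security >/dev/null 2>&1; then
    for kc in "$HOME/Library/Keychains/login.keychain-db" \
              /Library/Keychains/System.keychain; do
        echo "== $kc"
        scan_keychain "$kc"
    done
fi
```

No output under either keychain header means no expired copy of the intermediate remains there.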
Open Keychain
Search for
Apple world wide Developer relations certification authority
Delete this.
Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and add it to Keychain access > certificates
Worked for me.
If you still have this issue even after deleting and installing the new WWDRCA, make sure you deleted it as well in your system tab certificates.
I struggled with this issue for a while so wanted to post what I found in case others run into a similar issue. I ran into the above issue after revoking my certificate while trying to export my build from a friend's machine. I found the best support by going step by step through this link:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html
I would recommend following the steps in this link for anyone uploading a build to the Mac app store or exporting a Developer ID Signed Mac application.
There is a certificate called "Developer ID Certification Authority", this seems to be the one I was missing, and which caused the most trouble.
Another interesting thing to note is that the 10 digit letter/number ID for your Team/Distribution profile will be different than the ID for your developer profile. This should not throw you off, these two profiles work together.
Another good thing to know is that at the top of developer.apple.com there is a non-obvious drop down menu that lets you switch between iOS, tvOS, watchOS profiles and MacOS X profiles.
Another non-obvious UX issue when dealing with certificates is the system tab within Keychain Access. If you read that you should delete or change a property both within Login and within system, when they write system, they are referring to the system tab, which can be accessed within Keychain Access and can be seen at the bottom of this image:
This link is also helpful for certificate troubleshooting:
https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Troubleshooting/Troubleshooting.html#//apple_ref/doc/uid/TP40012582-CH5-SW11
But mainly just go through the steps in the first link given for exporting a Mac App with Developer ID Signing.
The issue is because the Apple Intermediate Certificate (Apple WWDR CA) expired yesterday, 14 February 2016, on Saint Valentine. https://developer.apple.com/support/certificates/expiration/
1- Update the system date to 13 February 2016. (IT’S WORKING FOR ME)
or
2- Open Keychain Access, and in the menu, click View -> Show Expired Certificates. Then, delete the expired Apple Worldwide Developer Relations Certificate Authority from both the login and System Keychains. Install the renewed certificate from Apple by downloading from https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and then opening it.
or
3- Follow the steps 1 and 2; only later change the system date to the current date.
I tried to upload my App to iTunes Connect resp. AppStore and got the following error:
Failed to locate or generate matching signing assets
Xcode attempted to locate or generate matching signing assets and failed to do so because of the following issues.
Missing iOS Distribution signing identity for ...
Xcode can request one for you.
Before this, I set up a new development machine and exported the developer accounts via Xcode 7 from the old to the new machine.
What can I do to fix this?
From Apple -
Thanks for bringing this to the attention of the community and
apologies for the issues you’ve been having. This issue stems from
having a copy of the expired WWDR Intermediate certificate in both
your System and Login keychains. To resolve the issue, you should
first download and install the new WWDR intermediate certificate (by
double-clicking on the file). Next, in the Keychain Access
application, select the System keychain. Make sure to select “Show
Expired Certificates” in the View menu and then delete the expired
version of the Apple Worldwide Developer Relations Certificate
Authority Intermediate certificate (expired on February 14, 2016).
Your certificates should now appear as valid in Keychain Access and be
available to Xcode for submissions to the App Store.
As noted in a comment below, the expired certificate also needs to be removed from the login section, as well:
To all that cannot get it working despite the instructions... There
are two expired WWDR certs. One is in login keychain, and the other
one is in the System. You have to delete both of them in order to make
things working
I also faced the same issue today. The following steps fixed my issue.
Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
Double-click to install to Keychain.
Then in Keychain, Select View -> "Show Expired Certificates" in Keychain app.
It will list all the expired certificates.
Delete "Apple Worldwide Developer Relations Certificate Authority certificates" from "login" tab
And also delete it from "System" tab.
Now you are ready to go.
I kept running into the issue and saw that all my certs were invalidated -- oh no!
It turns out I never deleted the expired cert. It was not showing up for me, until I selected from Keychain Access application:
View->Show Expired Certificates
then
System->All Items
will finally display that gnarly expired cert. Delete that, and a retry from Xcode will pick up the new valid certs.
Just make sure you search "All Items" in the Keychain Access app. The invalidated certs are a result of pointing to the expired certificate that has not been deleted yet.
The below process will solve the problem,
1: Open Keychain Access, and delete "Apple world wide Developer relations certification authority" (which expires on 14th Feb 2016) from both "Login" and "System" sections. If you can't find it, use “Show Expired Certificates” in the 'View' menu.
2: Now download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double click the certificate to add it to Keychain access > certificates (which expires on 8th Feb 2023).
Now the valid status of the certificates should turn green like below.
Check the status once.
Apple has made the following changes, so download the new renewed certificate from developer.apple.com and place it as in the screenshots below. In the keychain, as in the screenshots below, click on System and then Certificates. Delete the expired certificate. Then drag and drop the AppleWWDRCA.cer that you downloaded from the above link.
Apple Worldwide Developer Relations Intermediate Certificate Expiration
To help protect customers and developers, we require that all third
party apps, passes for Apple Wallet, Safari Extensions, Safari Push
Notifications, and App Store purchase receipts are signed by a trusted
certificate authority. The Apple Worldwide Developer Relations
Certificate Authority issues the certificates you use to sign your
software for Apple devices, allowing our systems to confirm that your
software is delivered to users as intended and has not been modified.
The Apple Worldwide Developer Relations Certification Intermediate
Certificate expires soon and we've issued a renewed certificate that
must be included when signing all new Apple Wallet Passes, push
packages for Safari Push Notifications, and Safari Extensions starting
February 14, 2016.
While most developers and users will not be affected by the
certificate change, we recommend that all developers download and
install the renewed certificate on their development systems and
servers as a best practice. All apps will remain available on the App
Store for iOS, Mac, and Apple TV.
Since different methods can be used for validating receipts and
delivering remote notifications, we recommend that you test your
services to ensure no implementation-specific issues exist. Your apps
may experience receipt verification failure if the receipt checking
code makes incorrect assumptions about the certificate. Make sure that
your code adheres to the Receipt Validation Programming Guide and
resolve all receipt validation issues before February 14, 2016.
After searching for a while I found out that it is not sufficient to export the developer accounts from Xcode and import these on the new machine, again via Xcode.
Additionally I needed to copy the Certificate named "Apple World Wide Developer Relations Certificate Authority" from the keychain of the former development machine to the keychain of the new one.
This solved the problem for me.
I imported the new Apple WWDR Certificate that expires in 2023, but I was still getting problems and my developer certificates were showing the invalid issuer error.
In keychain access, go to View -> Show Expired Certificates, then in your login keychain highlight the expired WWDR Certificate and delete it.
I also had the same expired certificate in my System keychain, so I deleted it from there too. (Important)
After deleting the expired cert from the login and System keychains, I was able to build for Distribution again.
I removed the old AppleWWDRCA, downloaded and installed AppleWWDRCA, but the problem remained. I also checked my distribution and development certificates in Keychain Access, and saw the error below:
"This certificate has an invalid issuer."
Then,
I revoked both development and distribution certificates on member center.
Re-created the CSR file and added development and distribution certificates from zero, downloaded them, and installed.
This fixed the certificate problem.
Since the old certificates were revoked, the existing provisioning profiles became invalid. To fix this:
On member center, opened provisioning profiles.
Opened profile detail by clicking "Edit", checked certificate from the list, and clicked "Generate" button.
Downloaded and installed both development and distribution profiles.
I hope this helps.
My answer was different and came along with the message:
resource fork, Finder information, or similar detritus not allowed
The solution was to do with generated graphics:
Code Sign Error in macOS Sierra Xcode 8 : resource fork, Finder information, or similar detritus not allowed
Don't forget to also install the iOS cert for your Apple Developer Account.
Make sure that in Project Navigator > Signing > Team, a team name is selected.
I followed the instructions on the iOS developer site, used keychain access to generate a certificate request, and uploaded it to the distribution part of the certificates tab in the provisioning portal.
The instructions say that I should now accept that certificate. Except all it says is the name of the certificate and "issued". There's no place for me to accept it. There isn't even a place for me to delete it. I've searched all over for help, and can't find any.
Any help is much appreciated.
If you are the person who created the Apple developer account, you need not accept it. It will get automatically accepted after a while. You need to go to the distribution section and it should be there to be downloaded in Certificates->Distribution. You would also need a distribution provisioning profile which is created in a more or less similar fashion.
If you are not the person who created the Apple developer account, then you cannot create a distribution build. Contact the person who has the "Agent" account.