Apple iOS distribution certificate has a new private key after reset - ios

I used Xcode to download certificates after regenerating them. I noticed the distribution certificate didn't have a private key in the keychain. I saw that Xcode now has a "reset" button, so I used that. The new certificate has a private key but with a different name. It still worked though and allowed me to export and install an ad hoc app. Also, we have two dev teams; could this be the other team's private key?

When the certificate is first requested, the private key is generated and saved in the keychain on the Mac used to generate the request. Only this Mac will be able to actually sign the apps. As in your case, if you have more than one developer authorised to sign apps for distribution using this certificate, you'll need to export the private key from the original requesting machine, and import it into the keychain of other developers.
If you use the 'reset' button, it will revoke the existing certificate and issue a new certificate signing request from your Mac. This will also invalidate all provisioning profiles in the developer account that are tied to the previous certificate. Existing apps already in the iOS app store will be OK, but you will need to regenerate the provisioning profile with the new certificate for any new app signing.

Related

Apple App Store certificates from clients

I'm still struggling with Apple App Store certification for iOS apps.
Now I have a client who has his own developer account, but I'm developing for him and doing all the stuff. I have a separate developer account of my own. The client authorized my account on iTunes Connect as App Manager.
He created a Distribution Certificate, an App ID and a Provisioning Profile for the App ID, and sent the certificate and the profile to me. I included them in the keychain and can now select them in Xcode.
But Xcode says: the provisioning profile "doesn't include any certificate for which the private key is installed in keychain."
What am I missing? Do I need the client's private key? Or is there another way to do this?
Any help would be appreciated.
You have two options:
1) Ask your client to export the developer certificate from the keychain (.p12) and share it with you.
2) Create new developer certificates (after removing the old ones from the keychain) by uploading a new CSR, so the private key will be installed on your system.
If the issue is with both certificates (Developer and Distribution), you need both to be exported from your client's machine.
You need both the certificate and the private key (.p12). Ask your client to export the private key and share it with you. Once you have the private key, install it on your system and you are good to go. Follow this tutorial to export the private key.
https://www.ironpaper.com/webintel/articles/how-to-share-an-ios-distribution-certificate/
Make sure your client exports the private key of the distribution certificate.

Create distribution profile from .p12 certificate iOS

I have received a .p12 certificate from my client. I have installed it in my Keychain. I need to create a distribution provisioning profile using this and sign my app ipa with it.
How can I create the distribution profile using this information? Any help is appreciated.
You cannot create a distribution profile from a certificate and private key. The provisioning profiles are created on Apple's developer site and must reference one or more certificates to be used with the profile.
You will either need to have the account owner create / download the profile from the developer site and send it to you, or have them grant you access as an admin on their team. Also, before you request the iOS distribution profile from your client, make sure you also check that the .p12 file that was sent contains the certificate and the private key for the cert. Without the private key, you won't be able to sign, even if you get the profile.
The 4 key pieces of code signing for iOS are the certificate, the private key for the certificate, the provisioning profile, and the entitlements. If you are missing any of these, or if they are out of sync, you will run into problems. The private key is exactly what it says - private. Apple does not have, nor does it want to store, the private key. That is kept by the app owner. Apple will generate and allow you to download your certificate based off that private key (you share with them a cert signing request to generate the cert off of your key). Similarly, you can generate / download existing provisioning profiles from Apple's dev site. Finally, the entitlements in your app must match the entitlements granted on your profile. Those are assigned to your app, and the application's project settings request access to services - this must match what is requested as part of the app ID / profile on Apple's dev site. So those are the key components; from your question, hopefully you can get your client to send you the provisioning profile. Also, you could potentially run into problems with out-of-sync entitlements if you need to do anything with additional services, like iCloud, if the client hasn't configured those properly for you.
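One way to run the check recommended above (that a received .p12 really contains the certificate and its private key) with the openssl CLI. This is an added example, not part of the original answers; the names `p12_check` and `make_samples`, the file names and the password `example` are assumptions, and the sample bundles are constructed with a throwaway self-signed certificate.

```shell
#!/bin/sh
# p12_check FILE PASSWORD  (hypothetical helper name, not an Apple or Xcode tool)
# Returns 0 = certificate plus matching private key, 1 = no private key inside,
#         2 = key does not belong to the certificate, 3 = unreadable or no certificate.
# Note: "pass:" exposes the password in the process list; prefer -passin env:VAR.
p12_check() {
    p12=$1; pw=$2
    # Public key of the first certificate in the bundle.
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 3
    [ -n "$cert_pub" ] || return 3
    # Private key bag, decrypted into a shell variable only, never written to disk.
    key_pem=$(openssl pkcs12 -in "$p12" -passin "pass:$pw" -nocerts -nodes 2>/dev/null) || return 3
    case $key_pem in
        *"PRIVATE KEY"*) ;;
        *) return 1 ;;
    esac
    # Derive the public key from the private key and compare it with the certificate's.
    key_pub=$(printf '%s\n' "$key_pem" | openssl pkey -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    return 0
}

# Constructed sample data: a self-signed certificate standing in for a
# distribution certificate, bundled once with and once without its key.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Distribution Cert" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
        -out "$d/with_key.p12" -passout pass:example
    openssl pkcs12 -export -nokeys -in "$d/cert.pem" \
        -out "$d/cert_only.p12" -passout pass:example
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || return 1
    for f in with_key cert_only; do
        rc=0; p12_check "$tmp/$f.p12" example || rc=$?
        echo "$f.p12 -> status $rc"
    done
    rm -rf "$tmp"
}
demo
```

A .p12 exported by Keychain Access may use older encryption that OpenSSL 3.x only reads when `-legacy` is added to the `pkcs12` calls.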

Understanding iOS Development certificates

We received the email from Apple: Your iOS Development certificate has been revoked.
There are answers on SO about how to restore your cert (1, 2) but I have some other questions
Why did it get revoked? What I did is try to run our app on my iPhone. I'm doing this for the second time - this time on a new MacBook to a new iPhone. Is this the issue that triggered the email?
What is the significance of this email? I can still run the app on the same iPhone. Uninstalled it and reinstalled it and it worked fine. Is there really an issue?
Every certificate is just a usual pair of private and public keys. When you generate a new certificate, you actually save a private key on your machine and send a part of the public key to Apple. Then Apple generates a key by itself and sends you a public key as a result (see Diffie–Hellman key exchange).
If you changed machines and now don't have a private key on your new machine, Xcode is unable to sign your application with your certificate, because you can only download a public key from the developer portal. So if you used "Automatic manage signing", Xcode took the decision to recreate a certificate, because it couldn't find a private key. This whole process is the same for a private team and for the iOS developer program. You can export your old certificate with its private key from your old machine before you try to sign something, so you don't need to revoke the old certificate.
As for the email, Apple just notifies you that your old certificate has been revoked and can't be used to sign apps now. Just like it is written. It could have been revoked because it has expired, or somebody else has revoked it (e.g. it was you). So to keep you informed, Apple sent you such an email.
I think what happened is that when you ran it from a new MacBook you downloaded the new certificate there, and when you did that, Apple revoked your current one and made a new one. We had something like this happen where I work.
Maybe you didn't import the Development certificate to your new MacBook. So when you run the app on your phone with Xcode, Xcode will detect an issue with a signing identity. From the developer site:
If Xcode detects an issue with a signing identity, it displays an appropriate action in Accounts preferences. If Xcode displays a Create button, the signing identity doesn’t exist in your developer account or on your Mac. If Xcode displays a Reset button, the signing identity is not usable on your Mac—for example, it is missing the private key. If you click the Reset button, Xcode revokes and re-creates the corresponding certificate.
So, maybe Xcode revoked the certificate.
Because you have a new certificate on your new MacBook, you can still run your app. But when you work on your old MacBook, the certificate on your old MacBook has been revoked, so Xcode can't compile your app to run on your phone.
Once you create a new certificate, you need to export it from Xcode -> Preferences -> Accounts -> YourAppleID -> View Details -> right-click the certificate -> Export.
Then you can import it on a new MacBook without revoking it and creating a new one.

Transferring Apple dev account & certificate to new machine

I've recently attempted to transfer my apple dev certificate to a new mac, however, the provisioning profiles are appearing as valid signing identity not found.
I imported my developer account into Xcode5 and when I deploy a build, I get the option to fix the issue of not having a valid signing - this generates an iOS team provisioning profile for the bundle id.
So far have found this is fine for testing - we distribute ourselves not using the app store.
If anyone would be able to give me a heads up on whether this is an okay method, or whether I will need to generate a new certificate for distribution in case we do use the app store for distribution.
If you still have access to your previous computer, you can export as p12 the private key you used to generate the Apple certificate.
Go to keychain, select the iOS certificate and right click to export it. Then import it to your new computer and you do not need to generate new certificates.
What you need to do is remake the developer and distribution certificates for your new Mac and install them. Then you update your provisioning profile with the new certificate, reinstall it, and everything works.
PS: To remake your developer and distribution certificates, you have to go into the Keychain:
Certificate Assistant > Request a Certificate From a Certificate Authority...
Then add your email and common name, and check "Saved to disk". Finally, on the developer web site, remove your old certificates and create the new one with the new file that you have on disk.
Did you export from Xcode → Preferences → Accounts like Apple's guide suggests?
Did you also export your private key from the keychain? I have seen this issue before, and that was resolved by exporting and importing the private key.
If you do want to distribute on App Store later on you will definitely need to import a valid certificate, yes.
Here you can find a solution or put your problem to Apple developer support:
https://developer.apple.com/support/
Alternatively, you can call the developer support center here:
https://developer.apple.com/contact/phone.php

New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!
You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
1) Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
2) Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; only coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.
According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal
