I just lost my private key with an OS reinstallation, so I will have to create new Certificate Signing Requests. I wanted to know if revoking my Distribution Certificate will have any effect on my existing applications on the App Store, especially when one of my applications is waiting for approval (In Review) with a build from the old distribution certificate.
Should I wait for the app to be accepted by Apple, or will revoking the distribution certificate not have any effect on the application?
I know this is an ancient question, but since it hasn't been answered... According to Apple support, you can revoke the certificate immediately after submitting an app for review and the app won't be affected. Apps already on the app store will not be affected either.
Related SO threads to support the above:
If I revoke an existing distribution certificate, will it mess up anything with existing apps?
iOS Provisioning and Certifcates - Will Revoke/Renew effect App Store Apps?
Developers often face this question and stay away from revoking a certificate. Possible concerns are whether it will affect the app in the store, or whether the same certificate will be required for the next update, etc.
But there are no issues like that.
App Store and Ad Hoc production certificates are used for the App Store submission process only. It needs to check the private key/public key pair to validate that the ipa is code signed by a valid signing authority. Once the app goes to the App Store, you need not bother about the certificate used.
The next time, when creating an update, you can codesign using a different certificate, but you need to use the same app ID.
As per my experience and according to Apple support, revoking a certificate will not have any effect on the already uploaded build on iTunes, either in review or live.
Hope this helps!!
There will not be any effect on your current uploads. As the bundle identifier and app ID for your application will remain the same, it will not affect any of your push notification services either. This is the only reason we are able to replace PEM or .p12 certificates to web developers if the current certificate of any live app has expired.
From the Apple docs:
https://developer.apple.com/support/technical/certificates/
iOS Distribution Certificate (App Store)
If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
My app is live in the App Store. Does it affect anything?
Questions:
How can I generate a certificate before expiry?
If I revoke that certificate, will it raise any issue in the live app?
Will I need to upload any builds while renewing this certificate?
How are the push notification certificates handled?
Am I able to renew this, or will I need to create a new certificate with the same bundle ID?
No, it does not affect the actively live app.
If you revoke the certificate it's totally fine, just provision another. I usually provision a new certificate every time I upload an app and have never had any issues, just be sure to delete the old ones.
For good measure I would upload a new build with it
Push certificates are tied to a Distribution Certificate so you will need to provision another one as well.
TL;DR Apple's certificates are an absolute pain, but they are more forgiving than you might think (and I initially thought). You can delete and re-provision without any effect to your live app, I've done it tons of times.
1. How can I generate a certificate before expiry?
Ans: You can renew it after expiry instead of generating a new one. A distribution certificate is valid for one year from date of issue. After it expires, you won’t be able to sign and install apps on your devices, although this will not affect any existing apps in the App Store.
2. If I revoke that certificate, will it raise any issue in the live app?
Ans: No, this will not affect any existing apps in the App Store.
3. Will I need to upload any builds while renewing this certificate?
Ans: Not required
4. How are the push notification certificates handled?
Ans: The push notification certificate is not part of the application build. Therefore for push to continue working you only have to create a new certificate and deploy the p12 file at your server. You don't have to submit a new version of your app.
I'm new to iOS development and the signing process is somewhat confusing.
Let's assume the following scenario:
Someone develops a new iOS application and distributes it through the App Store.
Let's assume that, for some reason, that someone's current installation of macOS got fried; he/she now reinstalls the OS, but he/she didn't make a backup of his/her private keys (iOS Development and iOS Distribution).
Time passes and that person now wants to push an update.
He now revokes the old certificates and creates new ones, signs the app and uploads it to the App Store.
From the docs:
Code signing also allows your app’s signature to be removed and re-signed by a trusted source. For example, you sign your app before uploading it to iTunes Connect, but Apple re-signs it before distributing it to customers
From what I understand, Apple will remove my signature and sign with their key.
So the question is:
Is there a problem when you revoke and recreate the iOS distribution certificate as long as you always upload a new version to the app store?
Yep, it's fine for you to revoke and create a new iOS distribution certificate, if you are distributing via the App Store and are not working with any other developers who are relying on that private key / certificate.
It's more important that you prevent your private key from falling into the hands of the wrong person. As Apple says here:
Because the private key is stored locally on your Mac, protect it as you would an account password. Keep a secure backup of your public-private key pair. If the private key is lost, you’ll have to create an entirely new identity to sign code. Worse, if someone else has your private key, that person may be able to impersonate you. In the wrong hands, someone might attempt to distribute an app that contains malicious code. Not only could that cause the app to be rejected, it could also mean your developer credentials could be revoked by Apple.
If you are distributing Enterprise apps, using enterprise code signing, your private key is more important. If you revoke an Enterprise distribution certificate, your apps in the wild will stop working eventually. (This doesn't happen straight away - it will happen next time the iOS device phones home to check that its provisioning profiles are still valid).
Our team published an app on the Apple App Store 2 years ago. After that we lost its code due to a Mac hardware issue. Now we have made a new app and want to replace the existing app on the App Store. However, the provisioning profile (distribution) certificate with which the app was submitted 2 years ago has expired. Can I submit an app update with a new distribution certificate?
When your certificate expires, the provisioning profiles using that certificate will become invalid. On App Store, the app will still work as long as you’re enrolled in the development program. All the ad hoc builds signed with that certificate won’t work anymore. When revoking a distribution certificate the below scenarios will occur for your users:
When you revoke a certificate that means that any app that is not deployed onto a device (not hosted by AppStore) will no longer be valid. Existing users can continue to use the app.
When you revoke a certificate and your App is being hosted on the AppStore; users that have already installed the app will not be affected. New users that go to install the app will not be affected.
When you revoke a certificate and your App is being hosted in-house (internally) and users download it via OTA; users that have already installed the app will not be affected. New users that go to install the app will not be able to install it. Please note this is based off of behavior we have experienced from Apple.
Revoking a certificate will not affect the ability to update existing apps regardless of whether they are AppStore or in-house apps.
I published my app for the first time this year on the App Store. Now I have received an email that the Distribution Profile and Distribution Certificate which I used for app publication are about to expire. So my query is whether it will affect my currently published app if I do not revoke both the certificate and the profile.
Let's say my profile and certificate expire and some user tries to download my app from the App Store; will it work then?
Yes, there is no need to worry about the Distribution Profile and Distribution Certificate (Production Certificate) which were used earlier for publishing the app on the App Store. You just need to generate a new certificate when you want to upload a new version of the application.
Nothing happens.
Previously submitted apps will keep working fine. No need to worry about it, because there is no link between a distribution certificate's status and the use of apps by customers. But if you want to submit a new version of the app or a new app to the App Store, you have to revoke it.
You can get more info from here.
iOS Distribution Certificate (App Store):
If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
I am updating an in-house app for a client who has a previous version currently on over 100+ iPads.
I want to push an update, but when I try to sign the app with the distribution provisioning profile, it asks me for the private key. After searching, people suggested revoking the old certificate and generating a new one on the machine I'm using so I can have the private key. I don't know if this is the best approach or not, but my client is concerned about whether revoking the current In-House Distribution certificate will affect the applications which are currently distributed on those 100+ iPads. Thanks!
Unfortunately, yes. For enterprise distributed apps, the devices will regularly check with Apple's servers whether the certificate which has been used to sign them is still valid. So revoking the certificate will make those installations fail. Maybe not until the next reboot, maybe not when there is no internet connection available, but sooner or later, the app will refuse to launch.
If availability of the app must not be interrupted, you need to take precautions - for example by preparing the new version and notifying all users ahead of time that at a certain date, the old version will stop working and the new one must be installed.
Update:
I kept investigating and it appears like you can have two distribution certificates at the same time now. This is meant to eliminate gaps in app availability by allowing you to phase from one cert to another, way before the first one expires.
If this is still true, you might be able to simply create another distribution certificate without revoking the existing one. You will need to create new provisioning profiles as well (or update the old ones to use the new cert), but that shouldn't invalidate those already deployed. You would then be able to distribute the new / updated app and the existing installations will remain unaffected.
It has been some time since I last worked with enterprise distribution and right now, I don't have access to an enterprise dev account, so I can't try. But I don't think there is any risk if you just go ahead and try it - I assume the portal will either let you create a second cert or it just won't...
Toastor is correct - I recently had a discussion with Apple about this and it intentionally differs from App Store apps. When the distribution certificate is revoked (or expired) for an Enterprise app, the app stops working after expiration is reached, or revocation information is retrieved from Apple.
However if you manage several Enterprise apps, instead of requiring users to install a recompiled version of every single app with the new certificate, you may:
Push the new Provisioning Profile(s) to users over MDM (like Airwatch) **
Use a wildcard App ID for your apps and then as long as the user installs one app with the updated cert, it will apply to all apps that share that App ID
Allow users to download the updated Provisioning Profile without requiring an app install **
** CAVEAT: I don't code apps but do manage our certs, App IDs, and Provisioning Profiles. I haven't yet tested these approaches - it's my best effort based on notes from my recent discussion with Apple.