iOS Provisioning and Certificates - Will Revoke/Renew affect App Store Apps? - ios

While working on a new version of one of my apps Xcode told me today, that it cannot run the project any more because the development profile has expired.
The organizer shows for all development profiles "Valid signing identity not found" and for all distribution profiles "Profile has expired".
Of course it is not a surprise that profiles expire. In the past all I had to do was click on "Renew", but this does not work any more. After entering the user name and password for my account, Xcode shows the error message "No value was provided for the parameter 'certificateIds'"...
What can I do?
Instead of using the Organizer, I directly visited the Provisioning Center webpage. There are two entries within the section "iOS Apps/Certificates/All":
1. "My Name iOS Development Expires: Mar, 17 2012"
2. "My Name Development Expires: Mar, 19 2013"
A click on one of the certificates shows the option to "Revoke" or "Download" the certificate. There is also a "+ Button" to create a new certificate, but the option "iOS App Development Sign development versions of your iOS app." is deactivated.
In the section "Provision Profiles" all development profiles are marked as "Active" and all distribution profiles as "Expired". Only "Edit" and "Delete" options are available, while a "Renew" option is missing. The "Edit" option shows the profile details and a "Generate" button. I would assume that "Generate" creates a new version, but after pressing the button only a progress indicator is shown, which comes to no result. After I reload the page the status is unchanged.
So, there are no options to renew the existing certificates and profiles (are there?). Thus I have to create new certificates but, as described, this option is grayed out. I assume that I have to delete / revoke the existing certificates first. A click on "Revoke" shows a very explicit warning: "Revoking this certificate will invalidate it and any related services or provisioning profiles that use this certificate may be affected."
I am afraid that revoking the certificate might affect my existing app in the App Store - that the app might be removed from sale because the certificate it is based on was deleted.
Of course this is a scenario I would like to avoid. Does anyone know for sure what happens when using the Revoke option for an existing certificate? Does this even affect App Store apps?
Thank you very much!

For App Store apps, you don't need to worry. The signing information on App Store binaries is only used for the initial validation to ensure it came from you. Once it has been uploaded, the binary will be transformed and re-signed with Apple's private key, encrypted with FairPlay, etc.
This means revoking your distribution certificate will not affect live apps. You only need to worry if you have an enterprise account.

No, revoking certificates does not affect apps already on sale. For that matter it won't even affect apps submitted for review. (We had to renew a certificate while an update was in review. No problems at all.)
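As an added illustration (not part of the original posts): the two Organizer states quoted in the question, "Profile has expired" and "Valid signing identity not found", can be approximated offline by reading a profile's `ExpirationDate` and comparing the SHA-1 of its `DeveloperCertificates` with the identities held in the keychain. The function names, the sample profile bytes and the certificate placeholders are constructed for this example.

```python
import hashlib
import plistlib
from datetime import datetime


def extract_plist(raw: bytes) -> dict:
    """Slice the XML plist out of a .mobileprovision blob.

    The file is a CMS (PKCS#7) signed container whose plist payload is stored
    in the clear. Slicing is enough for inspection but does NOT verify the
    signature; on macOS `security cms -D -i <file>` decodes it properly.
    """
    start = raw.find(b"<?xml")
    end = raw.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])


def diagnose(raw: bytes, keychain_sha1s: set, now: datetime) -> list:
    """Return the problems found for one profile (empty list = usable).

    keychain_sha1s: SHA-1 fingerprints of identities that have a private key,
    e.g. as printed by `security find-identity -v -p codesigning`.
    now: naive UTC datetime (plistlib returns naive UTC dates).
    """
    profile = extract_plist(raw)
    findings = []
    if profile["ExpirationDate"] <= now:
        findings.append("Profile has expired")
    # A profile is only usable with a certificate it embeds AND whose
    # private key is present locally.
    embedded = {hashlib.sha1(der).hexdigest().upper()
                for der in profile.get("DeveloperCertificates", [])}
    if not embedded & {h.upper() for h in keychain_sha1s}:
        findings.append("Valid signing identity not found")
    return findings


# --- constructed sample data (placeholders, not real certificates) ---
CERT_OLD = b"constructed DER bytes: development cert expiring 2012"
CERT_NEW = b"constructed DER bytes: development cert expiring 2013"


def make_profile(expires: datetime, certs: list) -> bytes:
    """Build a fake .mobileprovision: plist wrapped in envelope-like bytes."""
    body = plistlib.dumps({"Name": "Constructed Profile",
                           "ExpirationDate": expires,
                           "DeveloperCertificates": certs})
    return b"\x30\x82\x0b\x0f" + body + b"\x00constructed-signature"


if __name__ == "__main__":
    now = datetime(2012, 3, 18)
    have_key_for = {hashlib.sha1(CERT_NEW).hexdigest()}
    dev = make_profile(datetime(2012, 12, 1), [CERT_OLD])
    dist = make_profile(datetime(2012, 3, 1), [CERT_NEW])
    print("development: ", diagnose(dev, have_key_for, now))
    print("distribution:", diagnose(dist, have_key_for, now))
```

Neither check touches App Store binaries: both concern only what the local machine can sign with.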

Related

IOS App go down if certificate is invalid / been revoked

I accidentally pressed the reset button on 'IOS Distribution' within my IOS Developer account. This in turn made a handful of provisioning profiles invalid.
From what I have read here: https://developer.apple.com/support/certificates/
apps are still intact, but I will no longer be able to submit new apps or updates to the App Store.
Just want to verify if this is correct in my case and apps will not go down??
Thanks
Yes, the current apps will not be affected by the certificate being revoked.
This has happened to me many times.
Similar question threads here:
Will revoking Distribution certificate affect application which is In Review (on apple store) for Iphone?
If I revoke an existing distribution certificate, will it mess up anything with existing apps?
If your .cer is revoked, you can generate it again, and that does not affect your live application.
In the developer Member Center there is the application ID that you generate for each application. You must take care that the application ID is not removed; otherwise you need to generate a new one, because it is unique, and in that case you need to add a new app and cannot update the current live application.
What steps you need to take if the .cer is revoked or expired:
If the .cer is revoked, just click on "add new" and select your CSR (Certificate Signing Request).
Now that you have a new .cer, you just need to update your provisioning profile, download it and use it. That's it.

Provisioning profiles status invalid (managed by XCode)

Suddenly all my provisioning profiles are in status Invalid (managed by XCode). Why?
Also I remember in XCode 4 that you always had to create your provisioning profile. Now XCode autocreates your provisioning profile for development. Is this a new feature on XCode 6?
I had the same problem today.
On the Apple Developer website, all of my company's Provisioning Profiles were marked as "Invalid (managed in Xcode)". None of them were out of date, none were using iOS Certificates which had expired, and the website gave zero suggestion that anything was actually wrong.
The solution, ridiculously, was to delete my perfectly valid iOS Certificates, and recreate them.
We write in-house apps as well as apps for the App Store, and Apple (quietly) refuses to let you have more than 2 of these at once. So I was unable to create a third iOS Certificate which would allow me to use the "In house and Ad-hoc" option, hence the need to delete an iOS Certificate first.
Once I had pointlessly recreated the "iOS Certificate", the Provisioning Profiles came to life.
Part 2 of this farce is to go into Xcode, and delete your Provisioning Profiles (Xcode \ Preferences \ select your iOS Certificate \ View Details, then select all of your provisioning profiles, right click and select "Move to trash").
At this point, absolutely nothing will change, and you'll think you've done something wrong.
But then, if you then quit Xcode, and go back in, then you'll see the Provisioning Profiles will have disappeared.
Now you can re-download the Provisioning Profiles from the Apple Developers website, and redownload the latest versions.
Until Xcode 7.2 comes along, and breaks something else.
(Seriously, I spend more time fighting with Xcode bugs than writing code..)
Apple introduced Xcode Managed profiles in Xcode 5 as a way to try and make the provisioning process less cumbersome and get developers sending code to their devices without having to go through the manual upload/setup/download/install/build process. In effect, Xcode was completely automating the entire provisioning process whenever there was a code sign error detected. For developers that had already wrestled with understanding provisioning, this new behavior was frustrating, as the processes those teams put in place were unintentionally being wrecked by Xcode's best attempts to be helpful. That said, it is better today but not as transparent as it should be when it comes to affecting your Certificates, Identities, and Profiles data. If you aren't familiar with what all is included in a provisioning profile or signing identity, there's some related reading you might want to skim: What are code signing identities?
Suddenly all my provisioning profiles are in status Invalid (managed by XCode). Why?
The most common reason for a profile to move to the "Invalid" state is because at least one of the profile's registered test devices has been deactivated / removed from the developer's account. By doing so, all profiles that included that device UDID are marked as invalid and require regeneration. This can be accomplished in Xcode > Preferences > Accounts, clicking 'View Details' on your Apple ID account, and then clicking the refresh button in the lower right corner of that account details screen.
Also I remember in XCode 4 that you always had to create your provisioning profile. Now XCode autocreates your provisioning profile for development. Is this a new feature on XCode 6?
As stated at the start of this answer, no. Autogenerated provisioning profiles were introduced in Xcode 5 and the workflow has been refined several times between Xcode 5.0 and modern Xcode. If you allow Xcode to assist you with Code Signing error messages, its default position is to check the validity of your development or distribution certificate (depending on what kind of code sign operation you were trying to do), check the validity of the App ID and Provisioning Profile, and revoke then reissue whichever part of the signing identity is in error.
Really, it messed things up for me. It wasted 4 hours of my time fighting with Xcode. At last I created another new provisioning file, selecting appleID as iOS Wildcard App ID (xxx.*).

Uploading app to client account in app store

This is my first time trying to upload an app to the App Store, so I am completely lost. I have searched all over the web about the issue I am having, but could not find how to fix it.
Here is the problem:
I have developed an updated version of an existing iPhone app for a client. The original version of the app has already been in the App Store for a long time. The client wants me to upload the new version of the app to their account in the App Store as "prerelease" for testing. They gave me their store account (admin role) username and password to log in. I added the account in Xcode and configured the build settings to their team. But, after building the archive, when I click the "Validate" button and select their team, I am getting an error popup with the message "Your account already has a valid iOS Distribution certificate". I can't post images here, so here is a snapshot image of the popup:
http://imgur.com/yLL5K1k
Apple troubleshooting documentation (documentation link here) shows that they should export the developer profile and give it to me to import on my Mac. However, the client says they don't have a Mac or Xcode, so they can't do it themselves. Apple's documentation mentions another option, "Revoke and Request", but I can't see that option. Also, if "revoke" is performed, will that affect the client's applications (more than 20 apps in the App Store)?
I have downloaded all of their certificates and profiles from the Member Center, imported them to the keychain, added the account to Xcode, configured Xcode, but nothing helped.
Does anyone know what I can do, or ask the client to do, so that I can upload the app to their App Store account?
Thank you!
You must have downloaded the Distribution certificate from the account. That alone is not sufficient. You must get the private key from the client or developer who has created the certificate first or uploaded the application.
Log in to developer.apple.com portal, using the required credentials.
Click on "Manage your certificates, App IDs, devices, and provisioning profiles." under Certificates, Identifiers & Profiles
Then click on "Certificates"
On the new page Click on "+" button at right upper corner.
Now on this page select "App Store and Ad Hoc" under Production.
Then follow the instructions related to CSR file given on new page.
Note: Create new certificates with unique names so that you won't mistakenly download old certificates to your Mac.
For more info, see Distributing iOS Apps With iTunes Connect.

Xcode 6.3 - You already have a current iOS Development certificate or a pending certificate request

Xcode as of 6.3 is no longer allowing me to automatically perform device provisioning for a client. Has anyone else experienced this issue? I found no results when searching for this on Google...
This client has their own bundle ID and it's possible they also have their own provisioning profile for this device. So maybe Apple is matching up the bundle ID irrespective of the developer account being used for provisioning.
I was able to address the issue by modifying the app's bundle ID and manually going through the provisioning process, but I'm guessing this issue is extremely rare, so I'm not sure if this post will be of use to anyone.
When I created a new certificate from my Xcode 9.2, this error appeared:
"You already have a current iOS Distribution certificate or a pending certificate request".
Just 2 steps to fix this error:
Remove the old certificate from developer.apple.com
Create a new certificate from Xcode or developer.apple.com
My problem has been solved (I am using Xcode 9.2).
I just found that if I remove my account from Xcode, and then sign in again, it solved the issue. I did revoke my existing certificates and request new ones though as part of that process. I didn't import an existing profile.
My team has maxed out on release certificates, because apparently there is a quota.
We had to delete one of the existing release certificates.
This issue is actually more common than you think.
Some Solutions:
I usually find that opening Xcode's settings and signing out of my account and then signing in again resolves most of those issues.
You may have an older mac that already used up that one allotted development certificate. In that case you'll want to export the developer profile from that machine. If you no longer have access to that machine, it may be time to invalidate that certificate and simply request a new one.
Another option may be to double check your build settings in your project and ensure that it's looking for the right certificate. It's fairly common in my experience for these settings to make decisions on their own, and confirming that they're what you expect may help.
Background:
When dealing with provisioning, it's really easy to get caught up with the frustration of all of the steps you need to go through. The first thing to note is if the error you see is talking about a "Certificate" or a "Profile." In your case, it's a certificate. Good.
Certificates differ from provisioning profiles in a few ways. Certificates are usually only generated twice: once for development, and once for distribution. (Exceptions to this rule are if you decide to add support for some of the special features like push notification or for generating passbook passes on a server.)
The process for generating certificates is also a little more bureaucratic than profiles. You request a certificate from Apple's Member Center. You generate a provisioning profile.
The reason for the word request vs generate is because both Apple and your iOS team's admin need to approve certificate requests. This is because certificates identify you as part of your iOS developer team, and offer all the powers associated with that.
For the sake of completeness, I'll add that provisioning profiles are generated based on that certificate, and really only tell iOS what environment your app is meant to run in. (On any device via the store, specific devices, etc.)
Now, the important part for you is the request business. Most people don't pay much attention to this terminology, since indie developers and small teams (where the developers are admins) don't require developers to ask for permission.
Your error is talking about a previously generated certificate or request. You can only have one development certificate per developer. You either have one, or you've requested one and someone has to approve.
That's what's happening here.
This process is made simple with Xcode 8.3 and 9. Just delete one of your old certificates in the "validate" interface and click the plus button to request a new one; Xcode will request it for you and add it to the keychain. In my case, the maximum number was reached, so I deleted one which was lost on an old Mac and created a new one.
This error may also occur if you reach your distribution certificate limit. After creating 3 iOS Distribution Certificates in an account, the following error message will be displayed when you try to create a 4th one: "You already have a current Distribution certificate or a pending certificate request."
Open this link
https://developer.apple.com/account/resources/certificates/add
Press + icon in front of Certificate
Check the Apple Distribution section: if it shows the red text as shown in the image, then you should revoke your existing certificates to generate a new one, because you have reached your limit.
Delete the old developer certificate from https://developer.apple.com/account/ios/certificate/ and try to create a developer certificate from Xcode.
1) Remove the old certificate from the Apple developer account.
2) Go to 'Xcode'.
3) Select the 'Preferences' option and then select the 'Account' tab.
4) Select the Apple ID from the left side and click on 'Manage Certificate'.
5) Click on the '+' (add certificate) button.
6) Add the 'Apple Distribution' certificate.
Unfortunately, only a macbook restart resolved this for me.
Creating another Distribution certificate was not an option, because it had already reached the max. number of certificates.
I manually added an existing one (incl. its private key) to the Keychain …and still Xcode said "Not in Keychain". I then tried to trigger a refresh of the Xcode listing by removing & adding my developer account to Xcode, but that didn't work — neither did restarting Xcode.
So, when all else fails, you try to reboot your system.
When you have three active distribution certificates that were created on distinct machines, you'll see this issue. You can either ask for the private key of a previously made one or simply revoke any of them and make your own.

Provisioning Profiles was invalid but Certificate and App ID are valid, why is that

My provisioning profile suddenly became invalid.
I logged in to developer.apple.com a couple of days ago and everything was fine. Today I logged in again and was surprised to find that both my development profile and distribution profile were invalid. The certificates and App ID are valid, I did not revoke any of them and they are not expired at all. So why did my profile become invalid?
I know I can re-generate the profile, but because I do enterprise distribution, not App Store distribution, I am worried that regenerating the profile may affect current users. Also, I really need to figure out the reason to prevent it from happening again.
Any idea? Thanks!
Updated: First of all, it is not because the profiles were expired, their expiration date is at the end of 2015.
Second, I did re-generate the development profile this morning, but I just checked it and found the profile was invalid again! Something weird must be happening, and I have submitted a support ticket to Apple and am waiting for their response.
I'm curious to see what Apple support says. According to Apple (https://developer.apple.com/library/ios/qa/qa1878/_index.html) :
Q: What causes the provisioning profile "Invalid" status? How do I resolve it, and how do I prevent it?
A: The provisioning profile invalid status is caused by changes to the profile’s associated certificate or App ID. Any time an App ID or certificate changes, all profiles that are associated to it are marked Invalid. This does not apply to Xcode's team profiles, but applies to all profiles that Xcode does not manage, specifically, custom development profiles and distribution profiles. This document explains the causes in detail and provides steps to resolve and avoid the profile invalid status.
One possibility is that you modified the app id by turning on or off services in Xcode:
Avoidance
Since Xcode started managing services on App IDs (through the Xcode >
Target > Capabilities tab), Invalidating provisioning profiles became
as easy as enabling or disabling a target capability. Remember that
every time the App ID changes with respect to its enabled services,
all profiles attached to that ID become invalid.
Hope this helps.
It seems that somebody still hits this problem almost a year after I first raised it. So I am answering my own question, trying to provide some insight.
Apple never answered my ticket; instead they returned my credit. I took that as a sign that they had no idea either (see my comments above). I can still use that "invalid" profile but it really made me uncomfortable. So I created a different one.
In summary, it may be just a bug in their system, and if you have tried all the solutions and the problem still exists, just create a new one.
If you generate a new provisioning profile, your old installations (store or adhoc) won't be affected.
The provisioning profile lives for 1 year; maybe it expired, so simply remove it and make another one with the same certificates, app ids and devices and you can use it without any problem.
EDIT:
I don't know a case where a provisioning profile would become invalid unless:
It reached its expiry date;
You modified the app id or certificates that are related to it.
I guess it's related to "Automatically manage signing" in Xcode. In case you switch to another branch which has a different configuration in Xcode > Target > Capabilities, Xcode will change your App ID settings.
If you generate a new CSR for something like an APNS certificate, it will mark your provisioning profiles as invalid.
Guess I found the answer. It's simple: go to the Apple developer account and select those certificates which weren't working.
Edit them and simply add some new name just to remember.
Select the same App ID and certificate for both the development profile and distribution profile and hit the download button.
After downloading, add them into your Xcode and you will see them there.
It generally happens when you update your Xcode, so be sure to check the certification where Xcode is mentioned (For use in Xcode 11 or later in my case).
For me it's just opening the Apple developer account, editing the profile, saving it and downloading the provisioning profile. I made a new build and then re-uploaded it.
