Understanding Provisioning profiles and certificates in iOS - ios

Is my understanding regarding the provisioning profiles, certificates correct (during development)?
Apps are signed with a developer certificate from Xcode when installing on the device? The certificate should exist in the provisioning profile (stored on the iPad/iPhone) and the device ID of the installing device should also be present in the provisioning profile.
So when you click on an app when the device is not connected to your developer Mac, the app's signed certificate should match one in the provisioning profile (which exists on the device) and the device ID should also match one in the provisioning profile; only then would the app run.
When the device is connected to a Mac running Xcode and you want to debug, then the public+private key stored in the keychain comes into play: Xcode tries to unlock the public+private key stored in the keychain using the certificate and hence identifies the Mac, and also executes the bullet above, and if that is true as well, then you can successfully debug.

First of all, selecting a provisioning profile in Xcode is misleading; building in Xcode actually has nothing to do with the profiles whatsoever! What actually happens is Xcode just matches the public key certificate in the profile to one in your keychain, then uses the private key to sign the executable. That's bog-standard Mach-O executable signing. This is also why they've changed it in Xcode 5 to be clearer. That's also where the errors on the profiles (Signing identity not found) come from - it means Xcode couldn't find a private key corresponding to any of the public keys in the profile.
Your personal developer certificate is standard PKI stuff; your Mac sends a request to Apple for a certificate in a way that Apple doesn't know your private key (similar to SSL certificate requests). Apple generates the certificate and the keychain matches it up with the original request, giving you the public and private keys for the cert. When a profile is created for an individual developer, that developer's public key is listed. When a team profile is created, the public keys for all the chosen team members are included. This allows the team members to sign the executable, but the name of the signer will be the team name instead of the individual.
When iOS goes to launch any executable, it first checks the signature. If the signature is signed by Apple App Store, then it runs.
If not, it then checks the installed provisioning profiles. The profiles include:
1. A list of developer certificates
2. An app ID
3. Entitlements to grant (e.g. iCloud, Game Center, etc)
4. A list of device UDIDs
5. The whole thing is wrapped up and signed by Apple.
The profile is checked to ensure it was signed by Apple's key (using Apple's public key). It then validates that the current device's UDID is in the list. It also validates that the application ID matches (though wildcards are allowed). Then it checks the Mach-O signature against the list of valid developer certificate public keys. If any of them match, the executable runs and is granted the listed entitlements. If not, it is blocked.
I highly suggest opening up a .mobileprovision file in a text editor; you'll learn a lot!
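The launch-time checks listed in the answer above, sketched in Python as an added example (not part of the original answer and not Apple's code). The profile contents, UDID, team prefix and certificate bytes are constructed; the script only reads the plist payload and does not verify Apple's signature on the profile, which the device checks first.

```python
import plistlib

def extract_profile_plist(blob: bytes) -> dict:
    """Read the XML plist payload out of a .mobileprovision file.

    The file is a signed wrapper around a plist. This only locates and
    parses the payload; it does NOT validate the signature on it.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def app_id_matches(pattern: str, app_id: str) -> bool:
    """Case-sensitive match; a trailing '*' in the profile acts as a wildcard."""
    if pattern.endswith("*"):
        return app_id.startswith(pattern[:-1])
    return app_id == pattern

def launch_problems(profile: dict, udid: str, app_id: str, signer_cert: bytes) -> list:
    """Return the reasons a launch would be blocked (empty list = checks pass)."""
    problems = []
    # A profile without a device list fails this check (fail closed).
    if udid not in profile.get("ProvisionedDevices", []):
        problems.append("device UDID not listed in profile")
    if not app_id_matches(profile["Entitlements"]["application-identifier"], app_id):
        problems.append("app ID does not match profile")
    if signer_cert not in profile.get("DeveloperCertificates", []):
        problems.append("signing certificate not listed in profile")
    return problems

# Constructed sample: placeholder wrapper bytes around a real plist payload.
SAMPLE_CERT = b"constructed-placeholder-for-DER-certificate"
SAMPLE_FILE = b"\x30\x80constructed-header" + plistlib.dumps({
    "Name": "Constructed Dev Profile",
    "DeveloperCertificates": [SAMPLE_CERT],
    "ProvisionedDevices": ["constructed-udid-0001"],
    "Entitlements": {"application-identifier": "ABCDE12345.com.example.*",
                     "get-task-allow": True},
}) + b"constructed-signature-trailer"

if __name__ == "__main__":
    profile = extract_profile_plist(SAMPLE_FILE)
    print(launch_problems(profile, "constructed-udid-0001",
                          "ABCDE12345.com.example.game", SAMPLE_CERT))
```

To inspect a real profile, read the .mobileprovision file as bytes and pass it to `extract_profile_plist`; the keys used here are the ones you will see when opening the file in a text editor.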

Related

Apple iOS distribution certificate has a new private key after reset

I used Xcode to download certificates after regenerating them. I noticed the distribution certificate didn't have a private key in the keychain. I saw that Xcode now has a "reset" button so I used that. The new certificate has a private key but with a different name. It still worked though and allowed me to export and install an ad hoc app. Also we have two dev teams; could this be the other team's private key?
When the certificate is first requested, the private key is generated and saved in the keychain on the Mac used to generate the request. Only this Mac will be able to actually sign the apps. As in your case, if you have more than one developer authorised to sign apps for distribution using this certificate, you'll need to export the private key from the original requesting machine, and import it into the keychain of other developers.
If you use the 'reset' button, it will revoke the existing certificate and issue a new certificate signing request from your Mac. This will also invalidate all provisioning profiles in the developer account that are tied to the previous certificate. Existing apps already in the iOS app store will be OK, but you will need to regenerate the provisioning profile with the new certificate for any new app signing.

can't resolve "valid identity is not found"?

I'm trying to develop my first iOS app on my Mac (OS 10.8); the application contains a push notification service. I followed the steps below to create my App ID:
Give a name to the APP ID
Set the Bundle ID.
Check the Push Notification checkbox
Create App ID
Generate a certificate by uploading the request created by Keychain Access, then downloading and installing it in Keychain Access, and exporting it into a .p12 file.
Create Provision Profile, download and install it in my Xcode Organizer (Xcode 4 updated version) and on my device to test.
The project works well on the simulator (except getting the token, and that's normal). However, when installing the provisioning profile in the Xcode Organizer it gave me: "valid identity is not found".
Checked and tested many solutions:
Delete Cert from Dev Center and Key Chain Access.
Delete Provision profile recreate it.
Install provision profile directly from Xcode.
Delete Created Keys from key chain and create new ones.
Many suggestions have been provided:
Your Keychain is missing the private key associated with your iPhone Developer or iPhone Distribution certificate.
Your Keychain is missing the Apple Worldwide Developer Relations Intermediate Certificate.
Your certificate was revoked or has expired.
Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) are turned on in Keychain Access preferences
None of the above fixed the problem.
Would you please provide a solution for this problem, and thank you in advance.
I have discovered my problem. I work in a company, and my partner generated the development certificate on his own Mac. I work on a different Mac, so what I need is for him to export the key and the certificate from his Keychain Access and give them to me.
That's it.
Beginner's problem :D
First of all, make sure your Bundle Identifier matches the Bundle Identifier included in the provisioning profile, and that you have correctly added your iPhone's UDID to the developer account under Devices and then added the bundle identifier and device to the provisioning profile. Also make sure you have requested the certificate from your own Mac and then installed the certificate after downloading it from the developer account. And there will be a key under your certificate.
Many things may go wrong, so simply try these steps, even if you've done them before.
Make sure your Bundle identifier is the same in both Xcode and iTunes Connect; it's good practice to fill it in manually instead of using Xcode's template, as it IS case-sensitive.
Check that your testing device's UDID is listed on the Devices list at developer.apple.com.
Create a new provisioning profile with a new unique name for your app's bundle ID; make sure, again, that it's the same bundle ID (case-sensitive) and make sure you have your newly added device UDID (or the existing one if you had it correct before) in the provisioning profile. Take note of the developer certificate that the provisioning profile is bound to.
Download the newly created provisioning profile AND the development certificate that the provisioning profile is for. Clean your project's build folder (open the Product menu from the menu bar, press and hold down the Option key on your keyboard, and select 'Clean Build Folder...'), exit Xcode.
Open both your provisioning profile and certificate. The former should open in Xcode, the latter in Keychain Access.
In Keychain Access, make sure you have the private key to your non-expired, non-revoked developer certificate. (If not, you need to either find its private key (e.g. in another keychain or on another Mac; it should be on the Mac that the CSR is created on) or, if none is available, revoke it and create a new certificate, and start this process over.)
In Xcode, make sure you are using the provisioning profile, NOT overriding it (e.g. you've selected a different value under 'Debug' or 'Release' options by mistake).
In Xcode, make sure you are using the correct development certificate (the one that is bound to the provisioning profile) and not overriding it under Code-signing identity section's Debug or Release, or in 'Any iOS SDK' sub-item underneath them. If everything worked, Xcode should offer you the correct certificate for your provisioning profile.
Your project should build. Seriously, I can't think of anything else.

Do the distribution profiles come from distribution certificate?

The client has given me the distribution profiles; how can I add the profiles in Xcode 5?
As far as I know, distribution certificates are responsible for distribution profiles. Importing a distribution certificate enables and adds all the distribution profiles in Xcode. Without the certificate, distribution profiles can't be used.
Please correct me if I am wrong and suggest the workaround for importing profiles in Xcode 5.
Deployment phase is new for me.
Thanks
Importing the profiles is just double-clicking on them. You can't use the profile without the private key for the certificate that was used to generate the profiles. This needs to be exported from the keychain (usually as a p12 file) and imported onto your development machine.
It is possible that the client exported a package containing all of this info using Xcode; then double-clicking should install everything required.
"Importing distribution certificate enables and add all the distribution profiles in xcode"
No, importing one doesn't automatically import the other.
There are no workarounds, you need to be supplied with both the certificate (private key) and the profiles.
A distribution profile is basically a way to make a trust relationship between a particular distribution certificate (which identifies your organisation as a registered Apple development organisation), a particular app or group of apps (identified by an AppID like com.foo.bar.myawesomegame), a set of valid devices where the app can be installed (in the case of ad-hoc distribution; in the case of App Store distribution this is not required), and a set of enabled services, like In-App Purchases.
In your particular situation, if the client wants to test your app, and you are provided with a valid distribution provisioning profile (a file with .mobileprovisioning extension), you also need to install a valid distribution certificate on your computer. The client can download this certificate from http://developer.apple.com (Member Center) and send it to you so you can import it on your machine with a double click on the .cer file.
To enable external users to test an app, there's a simpler process, providing that your organisation is a registered Apple development organisation: First, you generate a distribution certificate from http://developer.apple.com. Then, you create a distribution (ad-hoc) provisioning profile and add the distribution certificate and the UUIDs of the iPhones the client wants to use for testing. The client can get the UUIDs from the iTunes app, for example. Then, you can download both the certificate and the distribution profile to your computer, double-click to import them into Xcode, and finally sign the app (.ipa file) so that the client can test it on their own devices. You can do that by choosing Product, Archive in Xcode and selecting your distribution certificate and provisioning profile.

Cannot sign my ios application with distribution profile

I've generated a distribution provisioning profile for my iOS app, but I cannot sign my application with it. I get this error:
profile doesn't match any valid certificate/private key pair in the default keychain
The developer certificates work well, and I can upload my apps to my test devices,
but I've noticed this warning for the distribution profile: Valid Signing identity not found
Can this be a source of my problems with the distribution provisioning profile, or is this an expected warning?
I suspect that it forbids me from signing the app for the App Store upload.
I'm pretty sure that I've made all my bundle (app?) identifiers consistent.
There are two sets of public and private keys you need to have in your keychain.
One of them will be prefixed with "iPhone Developer:" and the other "iPhone Distribution:".
Make sure both are in your keychain by opening the Keychain Access application within your "/Application/Utilities" folder. If you don't see both, then there's your problem (and you'll need to import your keys from another machine that does have the keys installed).
Don't lose your keys!
If you bought a new computer, did not export your keys, and don't have the computer, you're S.O.L.; you have to start the process all over again.

Apple Enterprise Developer Distribution Certificate appears in keychain, not in Xcode Organizer

I'm a contract developer, and have an app to be distributed via the client's Enterprise account.
I've worked with other clients on Enterprise accounts, but for some reason, the "iPhone Distribution" certificate that I've added to my keychain for this client does not appear in Xcode Organizer.
When I import a mobileprovision for the app, Xcode complains there's no valid key pair.
The client has added me to their account; can only the developer who created the Enterprise Distribution certificate import it to a keychain? If I create a new distribution cert (not profile), does that invalidate the existing cert (used by other apps I have not worked on?)
You will need the person who created the certificate to export it from their keychain. The certificate you download from the provisioning portal is a public key and does not contain the private key.
From Apple Tech Note about Code Signing:
Note: In the case of missing Private Keys for your certificates, Automatic Device Provisioning can restore your certificate to the keychain, but not the missing private keys.
Transferring Your Identities
Once you have a healthy working code signing configuration set up it is recommended that you follow the steps in section Transfer Your Developer Profile to Another Computer of the Xcode 4 User Guide to create a backup of them. The backup can be used to restore your working code signing configuration from hardware failure, or to enable code signing on additional Macs, partitions, or OS X user accounts of your choice. The backup (.developerprofile file) once created contains all of the following items:
all iPhone Developer certificates in your keychain
all iPhone Distribution certificates in your keychain
all Provisioning Profiles in the Xcode Organizer > Devices tab > Provisioning Profiles section under "Library"
Note: While creating the backup of your identities you will be asked to enter a brand new password. Be sure to remember as you'll be asked to enter that password later to use the backup for its intended purposes.
Tech Note TN2250
