How to build iOS app using 3rd party distribution provisioning profile - ios

I developed an iOS app that my client is going to use internally. They sent me their enterprise distribution provisioning profile. When I add it to Xcode it says "Valid signing identity not found". How do I build the app so that my client can run it on their devices?

Your computer is unable to sign with the distribution profile, since you don't have the private key for this certificate.
Alternative 1
Apple intends that building a project for distribution will only take place on a single machine - the machine that the certificate was originally created on. So, in their eyes, you should ask your clients to build the project internally (for distribution only - for development you should have no problems building yourself).
Alternative 2
There is a way to override it, and it involves exporting the private key from that special distribution machine and emailing it to you.
These are the steps (also outlined here):
1) Access the computer where the certificate was created and open the "Keychain Access" program on it.
2) In the "Category" panel, select "Certificates".
3) Find the correct distribution certificate and expand it.
4) Highlight both the iPhone distribution certificate line and the private key line under it.
5) Right click and select "Export 2 items".
6) Save the .p12 file and choose a password that you can share; you will need it to import this file later.
7) Have them email the saved file to you.
Once you import this and type in the password from step 6, you will have the private key on your computer too and all will be good.
Alternative 3
There's a chance that when you ask your clients to export the private key, they will have no idea what you're talking about and no idea where the machine that created it is (this is what actually happened to me). This is usually the case if they are not regularly building for distribution on their own.
In this case, you can simply delete the certificate and create a new one (for the distribution profile). If you create the certificate on your machine, then you will have the private key. You should also export it to them just in case (using the same steps as in alternative 2), so they have the ability to build without you if need be.

Each provisioning profile is paired with a certificate. If you subscribe to the Apple developer service, you should have access to create and download a development cert (tied to the Apple ID) and a distribution cert (tied to the organization). The enterprise distribution provisioning profile needs to be paired with the distribution cert. So in order to use their provisioning profile, you will have to get the distribution certificate from them. This will also involve you getting their private key, which they might not be so fond of. Alternatively, they can set you up as a developer on their portal, then you can distribute through the machine that already has the distribution cert installed on it.
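
Both answers come down to one condition: a profile is only usable when the keychain holds the private key for a certificate embedded in that profile. The Python sketch below is an added example, not part of the original answers; it reads the certificates out of a .mobileprovision and matches their SHA-1 fingerprints against the output of `security find-identity -v -p codesigning`. The sample profile, certificate bytes and identity names are constructed for illustration.

```python
import hashlib
import plistlib
import re


def profile_cert_fingerprints(profile_bytes):
    """SHA-1 fingerprints (uppercase hex) of the certificates a profile embeds."""
    # A .mobileprovision is a CMS-signed container whose XML plist payload is
    # stored unencrypted, so it can be cut out directly. This does not verify
    # the CMS signature; on macOS `security cms -D -i <file>` decodes it properly.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    return {hashlib.sha1(der).hexdigest().upper()
            for der in plist.get("DeveloperCertificates", [])}


def keychain_identities(find_identity_output):
    """Parse `security find-identity -v -p codesigning` output into {sha1: name}."""
    # Only certificates with a private key in the keychain are listed there.
    row = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"(.+)"', re.MULTILINE)
    return {m.group(1): m.group(2) for m in row.finditer(find_identity_output)}


def usable_identities(profile_bytes, find_identity_output):
    """Names of keychain identities that can sign with this profile."""
    have = keychain_identities(find_identity_output)
    wanted = profile_cert_fingerprints(profile_bytes)
    return sorted(have[h] for h in wanted & set(have))


# --- Constructed sample data (not a real certificate or profile) ---
FAKE_DIST_DER = b"constructed stand-in for the distribution certificate DER"
DIST_SHA1 = hashlib.sha1(FAKE_DIST_DER).hexdigest().upper()
DEV_SHA1 = hashlib.sha1(b"constructed stand-in for a developer cert").hexdigest().upper()
SAMPLE_PROFILE = (b"\x30\x82\x1f\x00 cms-header "
                  + plistlib.dumps({"Name": "Example In-House",
                                    "DeveloperCertificates": [FAKE_DIST_DER]})
                  + b" cms-signature")
KEYCHAIN_DEV_ONLY = (f'  1) {DEV_SHA1} "iPhone Developer: Jane Doe (ABCDE12345)"\n'
                     "     1 valid identities found\n")
KEYCHAIN_WITH_KEY = (f'  1) {DEV_SHA1} "iPhone Developer: Jane Doe (ABCDE12345)"\n'
                     f'  2) {DIST_SHA1} "iPhone Distribution: Example Corp"\n'
                     "     2 valid identities found\n")

if __name__ == "__main__":
    # Profile installed, .p12 never imported: nothing can sign with it.
    print(usable_identities(SAMPLE_PROFILE, KEYCHAIN_DEV_ONLY))
    # After importing the exported .p12 the distribution identity appears.
    print(usable_identities(SAMPLE_PROFILE, KEYCHAIN_WITH_KEY))
```

An empty result is the situation Xcode reports as "Valid signing identity not found": the profile and even the .cer may be installed, but no private key matches.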

Related

Can't build an app for distribution after joining existing enterprise developer program

I joined an existing enterprise developer program. I was able to run the app in developer mode, but had issues with building and archiving. The certificate for creating a universal distribution app is already present, but I am not able to build with it. How can I do it in steps??
The certificate is only half the necessary parts. You also need the key for the certificate.
Open Keychain Access on your Mac and select the Certificates filter on the left. When you select the certificate for your Enterprise Distribution, make sure there is a green check mark in the top section next to a message that says "This certificate is valid" (bubble 4 in picture below).
Also, and this is likely your problem, you need to make sure there is a triangle next to the certificate that allows you to expand it (See bubble 3 in picture below). Without that, you have no way to code sign using the distribution certificate. You will need to get the private key from the person who created the certificate, or get the key off of the machine that was used to generate the certificate signing request file (CSR) used to generate the cert.

Do the distribution profiles come from distribution certificate?

The client has given me the distribution profiles. How can I add the profiles in Xcode 5?
As far as I know, distribution certificates are responsible for distribution profiles. Importing the distribution certificate enables and adds all the distribution profiles in Xcode. Without the certificate, distribution profiles can't be used.
Please correct me if I am wrong and suggest a workaround for importing profiles in Xcode 5.
Deployment phase is new for me.
Thanks
Importing the profiles is just double clicking on them. You can't use the profile without the private key for the certificate that was used to generate the profiles. This needs to be exported from the keychain (usually as a p12 file) and imported onto your development machine.
It is possible that the client exported a package containing all of this info using Xcode, then double clicking should install everything required.
"Importing distribution certificate enables and add all the distribution profiles in xcode"
No, importing one doesn't automatically import the other.
There are no workarounds, you need to be supplied with both the certificate (private key) and the profiles.
A distribution profile is basically a way to make a trust relationship between a particular distribution certificate (which identifies your organisation as a registered Apple development organisation), a particular app or group of apps (identified by an AppID like com.foo.bar.myawesomegame), a set of valid devices where the app can be installed (in the case of ad-hoc distribution; in the case of App Store distribution this is not required), and a set of enabled services, like In-App Purchases.
In your particular situation, if the client wants to test your app, and you are provided with a valid distribution provisioning profile (a file with .mobileprovisioning extension), you also need to install a valid distribution certificate on your computer. The client can download this certificate from http://developer.apple.com (Member Center) and send it to you so you can import it on your machine with a double click on the .cer file.
To enable external users to test an app, there's a simpler process, provided that your organisation is a registered Apple development organisation: First, you generate a distribution certificate from http://developer.apple.com. Then, you create a distribution (ad-hoc) provisioning profile and add the distribution certificate and the UUIDs of the iPhones the client wants to use for testing. The client can get the UUIDs from the iTunes app, for example. Then, you can download both the certificate and the distribution profile to your computer, double click to import them into Xcode, and finally sign the app (.ipa file) so that the client can test it on their own devices. You can do that by choosing Product, Archive in Xcode and selecting your distribution certificate and provisioning profile.

New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!
You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
1) Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
2) Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; only coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.
According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal

Is there a way to create a generic private key for a deployment profile for team deployment in an enterprise?

Here's my scenario. I work on a team of 3 developers. Currently I am the only one who does iPhone development, so at this point we have 1 project that I created, tested and then created a deployment certificate for so I could build it and deploy it to a few devices. 1 developer, 1 app, it's all pretty straightforward. Here is where my problem lies.
Now let's say one of the other developers has to check out the source code, make a change and redeploy, and I am not around, nor is the computer that I developed on. I have read everything I could find and I understand the other developer would need to download the distribution certificate and deployment provisioning profile and that I would also need to export the private key of the distribution certificate to the .p12 format for them to put on their machine. This all works as said.
The question I have and what I can't seem to figure out is that the distribution certificate I created is signed with my developer private key. I feel like that should not be the case because if I export this and give it to them they now have my private key which from what I can tell is something you are supposed to keep secret and in a safe place for me to develop on other machines or in case I need to reinstall, not something I would give to other developers just so they can deploy. And vice versa when they create an application and I need to make changes and deploy.
I have searched everywhere for an answer but I don't seem to be able to find the exact answer I need to understand what I am missing. Maybe I'm just missing some essential concept.
Is there a way to create a distribution profile with a private key of my company rather than myself? Or even a key that I can name for each project if I have to create a distribution certificate for each project.
Is sharing my personal private key attached to the distribution certificate wrong/bad?
What can they do with my private key? I feel like we should have a company private key or something.
I know this is long winded but I am really at a loss at this point. Here is another post that is similar and it also links to another post that was having the same problem that from what I can tell didn't get answered clearly, at least as far as I can tell.
Enabling multiple team admins to build an app for distribution in XCode 4.3?
Any help for how a team of developers can all build and deploy without sharing their private keys would be greatly appreciated. I assume it's simple because I can't imagine other companies are deploying from a single machine.
Jon
The answer (like the question) is somewhat longer:
1) As a rule, distribution provisioning profiles (Ad-Hoc, Enterprise InHouse and AppStore) use different certificate/key pairs than development provisioning profiles. They are clearly marked as such in the provisioning portal (e.g. developer certificate, distribution certificate, and push certificate).
2) Companies tend to limit the access to distribution keys, as their leakage introduces significant security implications (e.g. someone could try to distribute your application with malware etc). A common practice is to have one to three designated "Signers".
3) As for one against multiple distribution certificates: there is a limit on the number of distribution certificates you can have (I think it's two). Also, in the case of distribution provisioning profiles, you are allowed to pick only one. So if you would like to use two keys/certs regularly, you would have to have two provisioning profiles for the same app. Trust me! Xcode will make you regret this idea!
Bonus note: In theory it should be possible to create a CSR (certificate signing request) with a private/public key pair of your choice, instead of the default behaviour of generating a new one. More here
Your developer private key is not being used with the distribution certificate. There are two private keys involved with your scenario above.
Open Keychain Access, select your login keychain and select "My Certificates" under category.
1) Your developer private key should never need to be shared with another developer. It is unique and for your use only. Only if you are migrating to a new computer should you need to export this. In your Keychain Access application, you will see this certificate listed as "iPhone Developer: Your Name"
2) The distribution certificate has a separate private key. It is located on the computer that created the distribution certificate request and is in the Keychain Access application listed as "iPhone Distribution: Your Company Name". You will need to export this certificate (including both public and private keys) to allow someone else to create an enterprise distribution using the EXISTING provisioning profile. For information of how to export these keys, see: https://stackoverflow.com/a/9418712/600753
I recommend the above approach, but another alternative is to have the other developer create another distribution certificate and another provisioning profile. This approach has a tendency to confuse the auto selection of the provisioning profiles within Xcode and is usually more trouble than it's worth.

iPhone: Can a dev other than team agent build an app for distribution

I have a company iphone dev account.
According to the doc, only the team-agent is allowed to submit a distribution cert and download the distribution provisioning profile.
Can a team only have 1 Team Agent?
Also, if that is the case, is there a way around this to allow multiple devs the option to build a distributed version of the app?
I have another developer who I would like to build and submit the app to iTunes. I tried giving him the distribution cert and distribution profile. When he dragged and dropped them into Xcode, and checked out windows->organize, it complains
"assigning identity matching this profile cannot be found in your keychain"
So this leads me to believe I need to get my key chain credentials on his machine. I tried exporting a private key and giving it to him, but he was unable to install it.
Is there anything else I can do?
I honestly think it's really silly if Apple expects one developer to be responsible for building all apps for a company. Hopefully I'm wrong and there is a way to get multiple developers access to building a distribution of an app.
Thank you
NOTE: This process is heavily simplified in XCode 4 (although not personally tested by me) with importing and exporting of developer profiles through the Organizer window (Developer Profile section).
This is how I got it working.
1) Login to the iOS Provisioning Portal as the Agent.
2) Run through the process of making the Distribution Certificate Signing Request / Provisioning Profile: http://developer.apple.com/iphone/manage/distribution/index.action. These instructions are super long, but pretty clear and necessary.
3) Pay extra attention to the section "Obtaining your iOS Distribution Certificate" > "Saving your Private Key and Transferring to Other Systems" on that page. It describes how to generate and save the Agent's .p12 file.
4) Now invite other developer(s) to be part of the team in the Member Center: https://developer.apple.com/membercenter/index.action#invitations
5) Back in the iOS Provisioning Portal, download the app's Distribution Certificate (Certificates > Distribution (tab)). Should be named "distribution_identity.cer"
6) Now download the Distribution Provisioning Profile (Provisioning > Distribution (tab)). Should be named "whatever_you_named_it.mobileprovision"
7) Email those two files along with the Agent's .p12 file to your other developer machine.
8) On the developer's machine, double-click the distribution_identity.cer file and it should load up in Keychain Access
9) Drag the .p12 file to Keychain and it should automatically put the identity under the certificate
10) Drag the whatever_you_named_it.mobileprovision file into XCode.
11) In each of the Project and Build's Info windows, set the Code Signing Identity to the "iPhone Distribution - Your Company" identity which should now be available.
Hope that helps. Rob
Just another tutorial step by step, but slightly different, the certificates have been already installed in the team's agent keychain, so it explains how to export the .p12 files from the keychain:
how-to-share-an-ios-distribution-certificate
You definitely should be able to build your app with a distribution certificate and profile on your coworker's machine.
Are you sure that the distribution certificate and provisioning profile are installed correctly? If you can build apps with the development certificate but not the deployment one, check to make sure that everything's properly installed in the keychain and that the correct provisioning profile is selected in the settings for the active target.
You can copy the private key in this way, but it's really UNSAFE:
Give him your login.keychain file (located in ~/Library/Keychains/), and let him open it with Keychain.app, and ask him to drag your private key to his login.keychain.
Apple also said you should keep your private key secured, if you need to reinstall your system, make sure you backup the login.keychain file.
