Revoking iOS Distribution Certificate - ios

[I've checked similar posts and my question differs slightly from others in that we have multiple apps signed under one certificate]
We've been commissioned to work on an existing iOS app for a client and now need to distribute it to the app store using their certificate. The problem is that the certificate wasn't generated by us so we do not have the private key (.p12 file). Assuming that we can't get this, I believe the only option is to revoke the existing distribution certificate and create a new one...so my question is:
Q1) The client has 3 existing apps on the app store all signed under this existing Distribution Certificate. If we revoke the existing certificate and create a new one will it break the existing apps?
Q2) Presumably the 'Company' name for your app in the app store is taken from the distribution certificate? i.e. If I signed the app using our certificate instead, would our company name appear above the app instead of the client's?
Thanks!!
Neil

I had this same dilemma.
Q1) It is ok to do this; it will not break the existing apps. Just go ahead and create a new one right after you do it.
Q2) The name will not be affected; you set this yourself in iTunes Connect when you submit the app.

Related

iOS Distribution Certificates

I would like to know whether I can use one iOS distribution for various applications. For example, I used my iOS distribution in one application that is already in production; now I want to use this same iOS distribution in application B to also put it into production. Is this possible?
Certificates are just a private and public key pair. You can use a single certificate for signing multiple apps. But you need a separate provisioning profile for every app. Every app must have a unique bundle identifier. If you explore the developer account and create a new provisioning file, you will be able to select your old certificate in it.
You can use one certificate for multiple apps, but your bundle identifier (i.e. com.yourappname.complanyname) should be different for each app.
A certificate/driver license/ID card is attached to an author/app publisher†
A single author can have thousands of books/apps.
For each book they will dictate who can download it, e.g. only people with these email addresses can download this book.
Hence every book needs an email list/ provisioning profile.
†: Each certificate is created by the developer's MacBook. A user doesn't need multiple driver licenses to identify himself, yet he can create multiple ID cards for himself. In the real world a user can't have multiple driver licenses of a given state. But in the world of computers, I could create 100s of certificates for myself. Each certificate would have its own expiry date. The certificate will become invalid either by reaching its expiry date or by manual revocation through the Apple developer portal.
In the image below you can see that the certificate has an expiry date and that I can also revoke the certificate at any time:
To learn more about revocation and its effect, I highly recommend you see "If I revoke an existing distribution certificate, will it mess up anything with existing apps?"
No, you cannot do this. One certificate corresponds to one app. You have to create another certificate for the other app.

Can i revoke all of my ios certificates and get new ones? [duplicate]

This question already has answers here:
If I revoke an existing distribution certificate, will it mess up anything with existing apps?
I have a new Mac and I am trying to upload a new version of an app to the app store with Xcode (current version). The problem is that I get an error that says "name has 3 iOS Distribution certificates but their private keys are not installed. Contact the creator of one of these certificates to get a copy of the private key." I tried to export the key from one of the old computers via Keychain and import it on the new one, and it fails to import. So my question is: is there any harm in just revoking all of the iOS Distribution and iOS Developer certifications and having Xcode request new ones? I believe this is the solution but I want to make sure before doing it. Thanks
First, let's explain the problem: "3 iOS Distribution certificates but their private keys are not installed." It means that you don't have the private key that was used to create the certificates on the developer portal. You can't export it from your Keychain if you're not the creator of the certificate; only the one who actually generated the certificate can export it from his keychain.
Second, to answer your question. There is one thing to keep in mind, Xcode will request for developer certificates (AFAIK), and the ones that are really important are the distribution ones, that are used to release the app to the store.
Now if you have the developer account and you can create new distribution certificates, then you can revoke them for sure. If you are not the person that releases the app to the store, you can revoke them, since that person will have the right distribution certificate (you can ask him/her to send the certificate to you too). THE MOST IMPORTANT: if you are the one who releases the app to the store but you don't have access to the developer account, don't revoke them, you won't be able to do another release to the store.
I think I got everything covered but if you have any other questions, feel free to ask.

Apple Developer / iOS Distribution Certificate Management

We are struggling with the Distribution Certificate handling from Apple.
We have several developers setup in the Apple Developer Portal, for the sake of the example:
Alice: Team Admin
Bob: Admin
Charles: Admin
Dan: Developer
Alice, Bob, and Charles should be able to build Apps for Distribution (Adhoc for internal testing, Testflight for external testing, and Appstore for distribution). Dan is only producing code and debugging on his local machine.
All users use individual accounts for the development.
From what we understood from the Apple documentation, Alice, Bob, Charles need a valid distribution certificate. If Xcode generates it for them, they will start playing “ping pong”, and keep revoking each other’s certificate – at least this is what appears to be happening at the moment.
We are not sure why this would happen. One would think, that if you create a different new user this account can also maintain his own (distribution) certificates.
Anyway, so they will need to share a distribution certificate, by sharing the private key (p12 file) of it, as you can find in the answer here.
In our account, it appears as if we can have up to two valid distribution certificates.
We don’t really know how this ultimately worked – we didn’t do it manually over the developer portal, but used Xcode for it. Alice generated her certificate, Bob revoked and regenerated, Alice did the same thing – but suddenly they both had a valid distribution certificate, instead of invalidating Bob's certificate.
In the documentation it was mentioned that you can have up to 2 valid distribution certificates. We have also manually tried to generate the distribution certificates and could confirm that it is limited to two.
However, we then got recently invited to a customer’s developer program to sign apps on his behalf.
I assume the customer was not aware that we require the private key from his distribution certificate. We therefore tried to manually generate a distribution certificate, and saw that it was not possible. To our surprise though, the customer managed to generate 3 valid distribution certificates.
Any idea how this worked?
Our questions in a nutshell:
1. What is best practice when you manage a team of developers?
Do you normally share the private key of the first developer who generated the certificate with all other team members, which should be able to sign the app?
2. What is the best practice when you work with clients?
Do you ask them to generate another private key, or is there some hidden functionality to generate as many distribution certificates as you want, given that every developer uses his own account?
3. What happens when we revoke a certificate?
It doesn’t affect the apps in the app store, but only seems to limit other developers to build their app. However, what happens with APNS / Push Server certificates? When we revoke a distribution certificate through Xcode, will this also suddenly stop working for the sender?
Thank you for your help.
After a long time of investigation and trying things out, here is what we think is the best fit for us. Not sure if it is best practice but it seems to work for us just fine.
1. What is best practice when you manage a team of developers?
One person generates a distribution certificate using his Mac. He then exports the certificate (public AND private key) in a p12 file, as suggested by washloops, and shares it with the team.
2. What is the best practice when you work with clients?
We have two sorts of clients:
Clients working with multiple suppliers (so we are just taking care of 1 app, out of their portfolio) - We ask them to share their distribution certificate (public + private key). If they don't have it, they need to get it from another vendor.
Clients working only with us - We generate the certificate and share it with the client later on. This allows them to share it with other vendors if they need to.
3. What happens when we revoke a certificate?
From our tests: "nothing". If you revoke a distribution certificate, it will prevent developers using this certificate from submitting / building apps. However, existing APNS / Push certificates are not affected.
For us it seems as if APNS / Push certificates are totally independent, and if you wish to revoke them, you need to revoke both.
You have to create just 1 distribution certificate. After that you go to Keychain Access, select the certificate and export it as ".p12", and maybe add a password to it.
After that you just install it on the other computers.
Regards :)
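
The threads above turn on whether a shared .p12 actually carries the private key ("private keys are not installed"). The script below is an added example, not part of any answer: it uses the `openssl` CLI to check that a .p12 holds a private key matching its certificate. The self-signed identity, file names and passphrase are constructed for the demo and are not Apple-issued.

```shell
#!/bin/sh
# Added example: check a .p12 before relying on it for signing.
# Assumes the openssl CLI is installed; all inputs below are constructed.

# p12_has_matching_key FILE PASSPHRASE
# Returns 0 only if the bundle contains a private key whose public half
# equals the public key inside the bundled certificate.
p12_has_matching_key() {
    p12=$1; pass=$2
    cert_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_demo_bundles DIR
# Builds two constructed bundles: full.p12 (certificate + private key) and
# certonly.p12 (certificate only, like a certificate without its key).
make_demo_bundles() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Distribution Identity" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/full.p12" -passout pass:demo-pass 2>/dev/null || return 1
    openssl pkcs12 -export -nokeys -in "$dir/cert.pem" \
        -out "$dir/certonly.p12" -passout pass:demo-pass 2>/dev/null || return 1
}

tmp=$(mktemp -d)
make_demo_bundles "$tmp"
for f in full.p12 certonly.p12; do
    if p12_has_matching_key "$tmp/$f" demo-pass; then
        echo "$f: private key present and matches the certificate"
    else
        echo "$f: no usable private key for this certificate"
    fi
done
rm -rf "$tmp"
```

On OpenSSL 3, a .p12 written with older ciphers may additionally need the `-legacy` option on the two `pkcs12 -in` calls.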

Distribute client app update to app store without the certificate

I've done an app update for a client.
He previously worked with another external dev, and has no access to the certificate private key.
Using Xcode (as a team member), it looks like I can get the client's provisioning profile, but not the Distribution certificate.
What is the solution? Does the client have to create a new one?
Thanks!
It is not possible to build an app for the app store without the certificate. As @Shubhank says, you'll have to revoke the certificate and create a new one.

Client wants me to upload to apple store without admin and without key

I made an application for a client. He added me as a team member, but without admin/agent rights. In order to upload the application to the Apple store, I need a distribution provisioning profile, the distribution certificate associated with it, and the key that was used to create the certificate, exported from the Mac where it was created. As far as I know, there is no way to use the distribution provisioning profile without both the distribution certificate and the key. The client doesn't want to give me the key but he also doesn't want to give me admin.
There is a 3rd solution, to create my own distribution certificate on his account using a private key from my Mac, but I noticed that the maximum number of distribution certificates is 3, and the client already has 3.
I doubt there is any problem security wise for providing my distribution certificate in there. Is there?
I also am not sure if the client should accept my own distribution certificate to be used for uploading the application. Should he?
Also, assuming that all 3 distribution certificate slots are taken and there is no way to obtain a free slot, what should I ask the client to do, in order to assure him that all is safe and good?
Also, is there any other way to upload his application without him giving me admin or key?
If they are touchy about this, which they don't need to be, they could provide you with the cert and its key and, once you have uploaded the app, revoke the cert, meaning you wouldn't be able to do anything with it. They can then just generate a new one as and when they need it.
