New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!

You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
1. Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
2. Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; only coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.

According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal

Related

Renew Apple developer certificate

I am just about a week away of expiration of the Apple developer certificate. Accidentally I lost the CSR file which I used when I created the last certificate which I am currently using.
Could you please let me know what all issue I may face if I will go with another CSR for new certificate?
Note:
Without CSR, you will be able to work with existing certificate but once it expires, you must create new one and you can use/create new CSR if previous one is lost.
Updating your certificate will not impact your distributed build in the public environment (Apple App Store). But of course it won't allow you to distribute your new build with an invalid/expired certificate.
Here is an instruction from Apple Developer Documentation for Code Signing Identity, that says,
If you lose control of your Apple-issued signing identity, such as
your Developer ID or Mac App Distribution identity, report this to
Apple immediately. Apple will invalidate the old identity and help you
to replace it. While this seems like a bit of work, it is critical,
because anyone possessing your identity can distribute potentially
malicious or destructive code that looks like it came from you.
This may also help you.
No Code Signing Identities Found
Xcode detects when you’re missing a signing identity. Typically, this happens when you move from one Mac to another. Follow the steps in Creating the Team Provisioning Profile to create your signing identity and add it to the team provisioning profile. You’ll have the option of importing your signing identity from another Mac or resetting it. If you use a custom development provisioning profile that you manage yourself, it becomes invalid after revoking the development certificate. Read Editing Provisioning Profiles in Your Developer Account to regenerate it.
To avoid this problem, export your certificates as a developer profile file on the other Mac, and then import them on your new Mac, as described in Exporting and Importing Certificates and Profiles.
As per Apple documentation, the .CSR is used in combination with your App ID, provisioning profile and entitlements. So, if one has both (App ID and provisioning profile), it will be harmful to you.
.CSR explanation

Create distribution profile from .p12 certificate iOS

I have received a .p12 certificate from my Client. I have installed it to my KeyChain. I need to create a distribution provisioning using this and sign my app ipa with it.
How can I create the distribution profile using this information? Any help is appreciated
You cannot create a distribution profile from a certificate and private key. The provisioning profiles are created on Apple's developer site and must reference one or more certificates to be used with the profile.
You will either need to have the account owner create / download the profile from the developer site and send it to you, or grant you access as an admin on their team. Also, before you request the iOS distribution profile from your client, make sure you also check that the .p12 file that was sent contains the certificate and the private key for the cert. Without the private key, you won't be able to sign, even if you get the profile.
The 4 key pieces of code signing for iOS are the certificate, the private key for the certificate, the provisioning profile, and the entitlements. If you are missing any of these, or if they are out of sync, you will run into problems. The private key is exactly what it says - private. Apple does not have, nor does it want to store, the private key. That is kept by the app owner. Apple will generate and allow you to download your certificate based off that private key (you share with them a cert signing request to generate the cert off of your key). Similarly, you can generate / download existing provisioning profiles from Apple's dev site. Finally, the entitlements in your app must match the entitlements granted on your profile. Those are assigned to your app, and the application's project settings request access to services - this must match what is requested as part of the app ID / profile on Apple's dev site. So those are the key components; from your question, hopefully you can get your client to send you the provisioning profile. Also, you could potentially run into problems with out-of-sync entitlements, if you need to do anything with additional services, like iCloud, if the client hasn't configured those properly for you.

Apple iOS distribution certificate has a new private key after reset

I used Xcode to download certificates after regenerating them. I noticed the distribution certificate didn't have a private key in the keychain. I saw that Xcode now has a "reset" button so I used that. The new certificate has a private key but with a different name. It still worked though and allowed me to export and install an adhoc app. Also we have two dev teams, could this be the other team's private key?
When the certificate is first requested, the private key is generated and saved in the keychain on the Mac used to generate the request. Only this Mac will be able to actually sign the apps. As in your case, if you have more than one developer authorised to sign apps for distribution using this certificate, you'll need to export the private key from the original requesting machine, and import it into the keychain of other developers.
If you use the 'reset' button, it will revoke the existing certificate and issue a new certificate signing request from your Mac. This will also invalidate all provisioning profiles in the developer account that are tied to the previous certificate. Existing apps already in the iOS app store will be OK, but you will need to regenerate the provisioning profile with the new certificate for any new app signing.

How about Apple’s enterprise distribution iOS apps

I have an iOS app that uses account A.
My client gave me an enterprise account B for In-House distribution.
I'm not allowed to revoke their existing certificates and they do not provide .p12 and .developerprofile.
I called the Apple center and they told me NO .P12 key can also publish procedures but did not tell me how to do it.
My e-mail has joined the team.
I created a new app ID and a provisioning profile, but the provisioning profile shows an error in my Xcode.
Error message: The private key for "XXX" is not installed on this Mac.
My question:
I just want to release an .ipa for in-house distribution. How do I do that?
thx!
You will need the p12 (private key) from the client or revoke the current profile. There is no other option. Do not revoke any provisioning profiles for current apps since they may be used.
Also explain to the client what you are doing and the consequences that it may have, if they are not able to provide you with the necessary certificates.
You generate a Certificate Signing Request (CSR) from your Keychain, log in to your developer account and choose your client's team.
You then create an enterprise certificate which will have to be approved by your client's team manager. Once that is done you will be able to download it and install it on your keychain.
After that generate a provisioning profile for the app you want to distribute, download and install it on Xcode.
Build your app with this certificate and save the IPA for enterprise distribution.

How to build iOS app using 3rd party distribution provisioning profile

I developed an iOS app that my client is going to use internally. They sent me their enterprise distribution provisioning profile. When I add it to Xcode it says "Valid signing identity not found". How do I build the app so that my client can run it on their devices?
Your computer is unable to sign with the distribution profile, since you don't have the private key for this certificate.
Alternative 1
Apple intends that building a project for distribution will only take place on a single machine - the machine that the certificate was originally created on. So, in their eyes, you should ask your clients to build the project internally (for distribution only - for development you should have no problems building yourself).
Alternative 2
There is a way to override it.. and it involves exporting the private key from that special distribution machine and emailing it to you.
These are the steps (also outlined here):
1. Access the computer where the certificate was created, open the "Keychain Access" program on the computer
2. In "Category" panel, select "Certificates"
3. Find the correct distribution certificate and expand it
4. Highlight both the iPhone distribution certificate line and the private key line under it.
5. Right click and select "Export 2 items"
6. Save the .p12 file, choose a password that you can share, you will need it to import this file later
7. Email the saved file to you
Once you import this and type in the password from step 6, you will have the private key on your computer too and all will be good.
Alternative 3
There's a chance that when you ask your clients to export the private key, they will have no idea what you're talking about and no idea where the machine that created it is (this is what actually happened to me). This is usually the case if they are not regularly building for distribution on their own.
In this case, you can simply delete the certificate and create a new one (for the distribution profile). If you create the certificate on your machine, then you will have the private key. You should also export it to them just in case (using the same steps of alternative 2).. so they have the ability to build without you if need be.
Each provisioning profile is paired with a certificate. If you subscribe to the Apple developer service, you should have access to create and download a development cert (tied to the apple ID) and a distribution cert (tied to the organization). The enterprise distribution provisioning profile needs to be paired with the distribution cert. So in order to use their provisioning profile, you will have to get the distribution certificate from them. This will also involve you getting their private key, which they might not be so fond of. Alternatively, they can set you up as a developer on their portal, then you can distribute through the machine that already has the distribution cert installed on it.
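
An added example (not from any of the posts above, and not Apple's code) of the pairing the answers describe: it lists the certificates a provisioning profile embeds and checks whether any of them is a signing identity on this Mac, which is the condition behind "Valid signing identity not found". It assumes the profile stores its certificates under the DeveloperCertificates key and that the text passed in is the output of `security find-identity -v -p codesigning`; the sample profile, certificate bytes and keychain listings are constructed.

```python
import hashlib
import plistlib
import re

def profile_cert_fingerprints(profile_bytes):
    """Return (profile name, SHA-1 fingerprints of the certificates the profile embeds)."""
    # A .mobileprovision is a CMS (PKCS#7) envelope around an XML plist; the plist
    # is stored in the clear, so it can be cut out without verifying the signature.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    certs = plist.get("DeveloperCertificates", [])
    return plist.get("Name", "?"), {hashlib.sha1(der).hexdigest().upper() for der in certs}

def keychain_identities(find_identity_output):
    """Parse `security find-identity -v -p codesigning` output into {fingerprint: name}."""
    # Only certificates whose private key is in the keychain are listed as identities.
    pattern = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"', re.M)
    return {m.group(1).upper(): m.group(2) for m in pattern.finditer(find_identity_output)}

def usable_identities(profile_bytes, find_identity_output):
    """Identities on this Mac that the profile accepts; empty means no valid signing identity."""
    _, wanted = profile_cert_fingerprints(profile_bytes)
    have = keychain_identities(find_identity_output)
    return {fp: have[fp] for fp in wanted & set(have)}

# --- constructed sample data (not a real certificate or profile) ---
FAKE_DIST_CERT = b"constructed-DER-bytes-standing-in-for-the-distribution-cert"
FAKE_DEV_CERT = b"constructed-DER-bytes-standing-in-for-a-development-cert"
SAMPLE_PROFILE = b"\x30\x82CMS-header" + plistlib.dumps(
    {"Name": "Client In-House", "DeveloperCertificates": [FAKE_DIST_CERT]}
) + b"CMS-signature-trailer"
DEV_FP = hashlib.sha1(FAKE_DEV_CERT).hexdigest().upper()
DIST_FP = hashlib.sha1(FAKE_DIST_CERT).hexdigest().upper()
# Keychain with only a development identity (distribution private key missing).
KEYCHAIN_BEFORE = f'  1) {DEV_FP} "iPhone Developer: Example Dev (CONSTRUCTED)"\n     1 valid identities found\n'
# Same keychain after importing the .p12 that carries the distribution key.
KEYCHAIN_AFTER = KEYCHAIN_BEFORE.replace(
    "     1 valid", f'  2) {DIST_FP} "iPhone Distribution: Example Co (CONSTRUCTED)"\n     2 valid')

if __name__ == "__main__":
    print("before import:", usable_identities(SAMPLE_PROFILE, KEYCHAIN_BEFORE))
    print("after import: ", usable_identities(SAMPLE_PROFILE, KEYCHAIN_AFTER))
```

An empty result means the profile only trusts certificates whose private key is not in this keychain, so either the .p12 has to be imported or the profile regenerated against a certificate created on this machine.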
