Apple Enterprise Developer Distribution Certificate appears in keychain, not in Xcode Organizer

I'm a contract developer, and have an app to be distributed via the client's Enterprise account.
I've worked with other clients on Enterprise accounts, but for some reason, the "iPhone Distribution" certificate that I've added to my keychain for this client does not appear in Xcode Organizer.
When I import a mobileprovision for the app, Xcode complains there's no valid key pair.
The client has added me to their account; can only the developer who created the Enterprise Distribution certificate import it to a keychain? If I create a new distribution cert (not profile), does that invalidate the existing cert (used by other apps I have not worked on?)

You will need the person who created the certificate to export it from their keychain. The certificate you download from the provisioning portal is a public key and does not contain the private key.
From the Apple Tech Note about Code Signing:
"Note: In the case of missing Private Keys for your certificates, Automatic Device Provisioning can restore your certificate to the keychain, but not the missing private keys.
Transferring Your Identities
Once you have a healthy working code signing configuration set up it is recommended that you follow the steps in section Transfer Your Developer Profile to Another Computer of the Xcode 4 User Guide to create a backup of them. The backup can be used to restore your working code signing configuration from hardware failure, or to enable code signing on additional Macs, partitions, or OS X user accounts of your choice. The backup (.developerprofile file) once created contains all of the following items:
- all iPhone Developer certificates in your keychain
- all iPhone Distribution certificates in your keychain
- all Provisioning Profiles in the Xcode Organizer > Devices tab > Provisioning Profiles section under "Library"
Note: While creating the backup of your identities you will be asked to enter a brand new password. Be sure to remember as you'll be asked to enter that password later to use the backup for its intended purposes."
Tech Note TN2250
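Added example, not part of the original answer or of Apple's tooling: a Python check of whether any certificate embedded in a .mobileprovision has a matching signing identity (certificate plus private key) on this Mac, which is the condition behind Xcode's "no valid key pair" complaint. It assumes you pass it the text printed by `security find-identity -v -p codesigning`; the certificate bytes, profile and identity name below are constructed sample data.

```python
import hashlib
import plistlib
import re

IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-F]{40})\s+"([^"]+)"', re.M)

def profile_cert_fingerprints(profile_bytes):
    """SHA-1 fingerprints of the certificates embedded in a .mobileprovision."""
    # The file is a CMS-signed wrapper around an XML plist. For diagnosis we
    # slice the plist out; this does NOT verify the CMS signature.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    certs = plist.get("DeveloperCertificates", [])
    return [hashlib.sha1(der).hexdigest().upper() for der in certs]

def keychain_identities(find_identity_output):
    """Parse `security find-identity -v -p codesigning` output into {sha1: name}.
    Only certificates whose private key is in the keychain are listed there."""
    return {m.group(1): m.group(2)
            for m in IDENTITY_RE.finditer(find_identity_output)}

def usable_identities(profile_bytes, find_identity_output):
    """Profile certificates this Mac can actually sign with (cert + key)."""
    ids = keychain_identities(find_identity_output)
    return [(fp, ids[fp])
            for fp in profile_cert_fingerprints(profile_bytes) if fp in ids]

# --- constructed sample data (not a real certificate or profile) ---
SAMPLE_CERT = b"constructed stand-in for the DER bytes of a distribution cert"
SAMPLE_FP = hashlib.sha1(SAMPLE_CERT).hexdigest().upper()
SAMPLE_PROFILE = (
    b"\x30\x82 constructed CMS header "
    + plistlib.dumps({"Name": "Example In-House",
                      "DeveloperCertificates": [SAMPLE_CERT]})
    + b" constructed CMS trailer"
)
WITH_KEY = (f'  1) {SAMPLE_FP} "iPhone Distribution: Example Corp"\n'
            "     1 valid identities found\n")
WITHOUT_KEY = "     0 valid identities found\n"

if __name__ == "__main__":
    print("key present:", usable_identities(SAMPLE_PROFILE, WITH_KEY))
    print("key missing:", usable_identities(SAMPLE_PROFILE, WITHOUT_KEY))
```

An empty result for a real profile means the certificate was installed without its private key, so the key has to come from the original keychain as a .p12 or .developerprofile export.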

Related

About distribution certificate (with private key) in keychain

I understand that in iOS app development, for team collaboration, the leaving developer should export the distribution certificate from his keychain app because only his Macbook has the private key used as code signing identity. (Please correct me if I am wrong here.)
My questions are:
1. Am I right that the distribution provisioning profile for the App Store and the provisioning profile for ad-hoc distribution use the same code signing identity?
2. Am I right that if we lose contact with the leaving developer who distributed the app to the Apple Store, I can just delete the distribution certificate and the corresponding distribution provisioning profile in the Apple Developer account, and create a new distribution certificate and profile on my Macbook so that I have the new signing identity in my keychain? I don't need the leaving developer to export his, because the distribution certificate and profile are only used to distribute the app to the Apple Store or do ad-hoc distribution? Is there any harmful consequence I missed if I do so?
For question 1
Yes, the distribution certificate is used for uploading the app to the Apple Store, and the development one for running on a device or sending a build.
For question 2
Yes, you can simply revoke his certificate and create a new one. That way your previous developer certificates are not required. Moreover, he won't be able to use them anymore, and you can create a new one and keep your certificates on the Apple developer account clean.
Hope it clears your doubt.

Installing iOS certificates locally

On the Apple site, in the Certificates section, I see that I have two certificates (iOS Development and iOS Distribution). They both expire in 2017. Everything looks fine there.
When I download the certificates and try to install them locally, they both appear in the “Certificates” section of my Keychain. In the “My certificates” section of my Keychain, however, I see only the Developer certificate. If I try to copy the Distribution certificate from “Certificates” to “My Certificates”, it does not help.
In Xcode, in the Accounts section, when I choose my Apple ID and click on “View Details,” I see only “iOS Development” in the list of Signing Identities. And its status is “Revoked” for some reason! When I click on “+” under the table and try to add an iOS Distribution certificate, a dialog appears which says: “Your account already has a valid iOS Distribution certificate. You have a valid iOS Distribution certificate in the Member Center, but it is not installed locally. If your signing identity is installed on another Mac, you can export a developer profile on that Mac and import it on this Mac. You can also revoke your current certificate and request a new one.”
Is it safe to go to the Apple site and revoke the certificates there? Would it help somehow? Or maybe there are better solutions?
You may revoke your distribution certificate and create a new one with a CertificateSigningRequest created from Keychain Access. But if you have another project using this distribution certificate, it is better to export that certificate from the computer where it was originally installed, using the Keychain Access export with the .p12 extension, and install it on your computer.
If you export a certificate, distribution or development, you need to go to developer.apple.com and renew all your previous provisioning files with a new certificate. It is time consuming, but if you are not able to export the old certificate that is the only option.

Do the distribution profiles come from distribution certificate?

The client has given me the distribution profiles; how can I add the profiles in Xcode 5?
As far as I know, distribution certificates are responsible for distribution profiles. Importing the distribution certificate enables and adds all the distribution profiles in Xcode. Without the certificate, distribution profiles can't be used.
Please correct me if I am wrong and suggest a workaround for importing profiles in Xcode 5.
Deployment phase is new for me.
Thanks
Importing the profiles is just double clicking on them. You can't use the profile without the private key for the certificate that was used to generate the profiles. This needs to be exported from the keychain (usually as a p12 file) and imported onto your development machine.
It is possible that the client exported a package containing all of this info using Xcode; then double clicking should install everything required.
"Importing distribution certificate enables and add all the distribution profiles in xcode"
No, importing one doesn't automatically import the other.
There are no workarounds, you need to be supplied with both the certificate (private key) and the profiles.
A distribution profile is basically a way to make a trust relationship between a particular distribution certificate (which identifies your organisation as a registered Apple development organisation), a particular app or group of apps (identified by an AppID like com.foo.bar.myawesomegame), a set of valid devices where the app can be installed (in the case of ad-hoc distribution; in the case of App Store distribution this is not required), and a set of enabled services, like In-App Purchases.
In your particular situation, if the client wants to test your app, and you are provided with a valid distribution provisioning profile (a file with .mobileprovisioning extension), you also need to install a valid distribution certificate on your computer. The client can download this certificate from http://developer.apple.com (Member Center) and send it to you so you can import it on your machine with a double click on the .cer file.
To enable external users to test an app, there's a simpler process, provided that your organisation is a registered Apple development organisation: First, you generate a distribution certificate from http://developer.apple.com. Then, you create a distribution (ad-hoc) provisioning profile and add the distribution certificate and the UUIDs of the iPhones the client wants to use for testing. The client can get the UUIDs from the iTunes app, for example. Then, you can download both the certificate and the distribution profile to your computer, double click to import them into Xcode, and finally sign the app (.ipa file) so that the client can test it on their own devices. You can do that by choosing Product, Archive in Xcode and selecting your distribution certificate and provisioning profile.

How about Apple’s enterprise distribution iOS apps

I have an iOS app that uses account A.
My client gave me an enterprise account B for In-House distribution.
I'm not allowed to revoke their existing certificates and they do not provide a .p12 or .developerprofile.
I called the Apple center and they told me NO .P12 key can also publish procedures but did not tell me how to do it.
My e-mail has joined the team.
I created a new App ID and a provisioning profile, but the provisioning profile shows an error in my Xcode.
Error message: The private key for "XXX" is not installed on this Mac.
My question:
I just want to release an .ipa of the in-house type; how do I do that?
Thanks!
You will need the p12 (private key) from the client, or to revoke the current profile. There is no other option. Do not revoke any provisioning profiles for current apps, since they may be in use.
Also explain to the client what you are doing and the consequences that it may have, if they are not able to provide you with the necessary certificates.
You generate a Certificate Sign Request (CSR) from your Keychain, login to your developer account and choose your client's team.
You then create an enterprise certificate which will have to be approved by your client's team manager. Once that is done you will be able to download it and install it on your keychain.
After that generate a provisioning profile for the app you want to distribute, download and install it on Xcode.
Build your app with this certificate and save the IPA for enterprise distribution.

New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!
You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
1. Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
2. Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; just coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.
According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal
