Hi there :)
We are trying to install our application from Xcode to an iPhone 14 Pro. After building the app, we need to go to General -> VPN & Device Management to trust the certificate.
Unfortunately, the certificate is not showing on the iPhone, and we cannot install the app. Does anyone know how we can solve this problem?
Thank you very much in advance for your help!
I have an Xcode project (generated from Qt) which is signed by a post-processing script.
It uses the invocation:
codesign -o runtime --sign "$(CODE_SIGN_IDENTITY)"
CODE_SIGN_IDENTITY is set to "Apple Development" in the Build Settings for the target.
The signing step fails with this complaint
Apple Development: ambiguous (matches "Apple Development: <my name> (an ID)" and "Apple Development: <my company email> (another ID)" in login.keychain-db)
It is true, I do have two Apple Development certificates. I thought one is for personal development (when you pick the personal team) and the other for company development (when I pick the company team).
I have other Xcode projects (built "by hand") which have CODE_SIGN_IDENTITY set to "Apple Development" and with Automatic signing turned on, and they build just fine, even though I have two certificates with common names beginning "Apple Development".
However, when I look at the build log of those regular Xcode projects, which are signed by Xcode rather than in a post-processing script, the Signing step logs this:
Signing Identity: Apple Development: (an ID)
not simply "Apple Development". Xcode seems to have resolved the ambiguity all on its own before calling codesign. It then calls codesign using the hash of the certificate as its identifier.
How can I emulate Xcode's behavior here? The postprocessing script runs on different developers' machines - they all have multiple "Apple Development" certificates, and they are all different from one another.
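One way to get the behaviour described in the post above (codesign invoked with a certificate hash instead of an ambiguous name), as an added example that is not part of the original post: a shell function that reads `security find-identity -v -p codesigning` output and returns the single SHA-1 hash matching a name prefix and, optionally, the parenthesized ID. The sample identities and the `SIGNING_ID` and `target` variables are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): resolve an ambiguous identity
# name such as "Apple Development" to one certificate SHA-1 hash for codesign.

# Constructed sample of `security find-identity -v -p codesigning` output;
# every hash, name and ID below is made up. Entry 4 repeats entry 1, as
# happens when the same certificate sits in two keychains.
SAMPLE_IDENTITIES='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (AAAAAAAAAA)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Development: jane@example.com (BBBBBBBBBB)"
  3) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Developer ID Application: Example, Inc. (CCCCCCCCCC)"
  4) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (AAAAAAAAAA)"
     4 valid identities found'

# resolve_identity PREFIX [ID]
# stdin:  output of `security find-identity -v -p codesigning`
# stdout: the hash of the only identity whose name starts with PREFIX and,
#         when ID is given, ends with "(ID)"
# status: 0 = exactly one match, 1 = no match, 2 = still ambiguous
resolve_identity() {
    awk -v prefix="$1" -v id="${2:-}" '
        # Identity lines have the form:  N) <40 hex digits> "<common name>"
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            name = $0
            sub(/^[^"]*"/, "", name)   # strip up to the opening quote
            sub(/"[^"]*$/, "", name)   # strip closing quote and trailing status
            if (index(name, prefix) != 1) next
            suffix = "(" id ")"
            if (id != "" &&
                substr(name, length(name) - length(suffix) + 1) != suffix) next
            # The same certificate can be listed once per keychain: count once.
            if (!($2 in seen)) { seen[$2] = 1; n++; hash = $2 }
        }
        END {
            if (n == 0) exit 1   # nothing matched: fail instead of guessing
            if (n > 1) exit 2    # still ambiguous: caller must narrow by ID
            print hash
        }'
}

# Demo on the constructed sample. On a real build machine the pipeline is
# (SIGNING_ID and target are hypothetical per-developer settings):
#   hash=$(security find-identity -v -p codesigning |
#          resolve_identity "Apple Development" "$SIGNING_ID") || exit 1
#   codesign -o runtime --sign "$hash" "$target"
printf '%s\n' "$SAMPLE_IDENTITIES" | resolve_identity "Apple Development" AAAAAAAAAA
```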
Post not yet marked as solved
Hi Team,
Need your help on solving the errSecInternalComponent error which is getting generated while doing an Xcode archive command from Jenkins jobs.
Currently using Sonoma-14.4, Xcode-15.2. Locally it's working well, both build and archive, but in the case of Jenkins I am unable to get that. I have already given the security-unlock commands before the archive stage, but no use.
Commands passed:
security unlock-keychain -p xxxx /Users/ec2-user/Library/Keychains/login.keychain-db; \
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k xxxxx
Please let me know if I have missed any configuration thing.
Error
Signing Identity: "iPhone Distribution: "
Provisioning Profile: "Notification Content Dist Profile"
(ffb7be92-3e65-4be4-b161-07c7f75723f0)
/usr/bin/codesign --force --sign 1FD10D04940E92C7A212E4A27C1E11D5C3DB12E9 --preserve-metadata\=identifier,entitlements,flags --generate-entitlement-der /Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework
Warning: unable to build chain to self-signed root for signer "iPhone Distribution: "
/Users/ec2-user/Library/Developer/Xcode/DerivedData/ReferenceApp-CardAppSDK-bwgchbllhpzevwgvnuwqvjywfeju/Build/Intermediates.noindex/ArchiveIntermediates/ReferenceApp-CardAppSDK/IntermediateBuildFilesPath/UninstalledProducts/iphoneos/NotificationContentExtension.appex/Frameworks/PushNotificationExtensions.framework: errSecInternalComponent
Please help on this ASAP.
Post not yet marked as solved
In my certificate list, I see a certificate type called “iOS Distribution Managed”. What is the difference between this and “iOS Distribution”?
It's kind of automatic. I don't remember creating it
Post not yet marked as solved
Since 2023 Apple have strongly suggested signing XCFrameworks to verify their origins. This has worked perfectly fine for the last year. Seeing that our certificate was about to expire, we revoked it and created a new one which we will use to sign all future releases. However, because that first certificate has been revoked, all previous releases of our XCFramework now have invalid signatures because the certificate they used no longer exists.
While an update to the latest XCFramework would solve the issue, that's not always a possibility for people with lower minimum deployment targets that can only run an older version of our XCFramework. In the WWDC video on the topic it states:
When the xcframework author's signing certificate expires, Xcode is able to automatically validate that a new certificate for Apple Developer Program identities is from the same developer.
Does this mean that if we had not pre-empted the expiry and instead let the certificate expire, we wouldn't have this backwards compatibility issue?
The course of action we've had to take is to manually go through all of our releases for the last year and re-sign them with the latest certificate. This doesn't seem like a tenable solution each year.
Looking for guidance on how to manage this situation each year.
Hi
I have had severe malware issues recently and need to factory reset my Mac. I may have to reinstall the OS as well in case it has a root-kit. This means I cannot use any standard backups ( Time Machine etc.) and will manually recreate my user setup on the Mac.
Will reinstalling Xcode and downloading signing certificates from my developer account work? Are there other things to consider? I will recreate my user (assuming the uid will be the same as well).
Has anyone tried this before? What is your experience with it?
Post not yet marked as solved
I made some changes to my MAUI app in VS 2022 on Windows 11. I had no trouble testing my app on a locally connected iPhone before, but now when I try to debug the same app (with changes), on the same iPhone, and the same Windows machine, with the same valid certificates in the VS Apple Accounts Details, I get this error:
iOS code signing key 'Apple Development: B... (...)' not found in keychain.
Why is it even referring to the keychain when I'm on a Windows machine using VS2022
valid certificates in the VS Apple Accounts Details
Also, I'm getting "MSB6006: 'codesign' exited with code 3." error when trying to test/debug on a remote mac machine.
I know there are quite a few costs and licenses required for posting apps to the App Store. I am interested in only developing apps for my own phone to see if this is something I want to venture into.
Is there a way (or online resources) that allow me to develop just for myself and install on my phone to experiment with? It does not make much sense if I have to purchase a developer license and all the other requirements if I am just experimenting, and being limited solely to the Xcode simulator is only half the experience.
Thoughts? and any help would be appreciated.
Post not yet marked as solved
Hello. Currently, only the iOS version is on sale on the App Store. The application is offering an iCloud-linked, auto-renewable subscription.
I want to sell to the App Store Connect with the same identifier, AppID at the same time.
I simply added visionOS to the existing app project to provide the visionOS version early, but the existing UI-related code and the location-related code are not compatible.
We used the same identifier with the same name, duplicated and optimized only what could be implemented, and created it without any problems on the actual device.
However, when I added the visionOS platform to App Store Connect and tried to upload it through the archive in the app for visionOS that I created as an addition, there was an error in the identifier and provisioning, so the upload was blocked.
The result of looking up to solve the problem
App Group
-I found out about the function, but it was judged that a separate app was for an integrated service, so it was not suitable for me.
Add an APP to an existing app project via target and manually adjust the platform in Xcode -> Build Phases -> Compile Sources -> Archive upload success? (I haven't been able to implement this stage of information yet.)
I explained the current situation. Please give me some advice on how to implement it. visionOS has a lot of constraints, so you need to take a lot of features off.
I got an email from Apple, "Your Developer ID Installer Certificate will no longer be valid in 30 days". So I went to my certificates page on developer.apple.com, and I see the attached photo.
Basically, yes, I have a Developer ID Installer Certificate that expires 2023/07/01; but I also have one that expires 2025/12/08, and one that expires 2026/01/09, and one that expires 2026/12/15, and another that expires 2026/12/16! Why do I have all these certificates? I have no idea. There is a "+" button to add a new one; but given that I already seem to have ones that won't expire for several more years, do I need to? There does not seem to be a "-" button, or any way to clear out this cruft.
I then recalled that perhaps I have managed my certificates in Xcode in the past, not on this page (or maybe I have done both, at different times?). So I went to Xcode, and things seem to be rather a mess there too, but in a different way (second image attached).
Here, I seem to have lots of stale certificates that are in gray and say "Not in Keychain" – how do I clear those out? Again there does not seem to be a "-" button. And the newer ones that I saw on developer.apple.com do not seem to be listed here, maybe – it's hard to compare, though, because on developer.apple.com it shows the expiration date but not creation date, whereas in Xcode it shows creation date but not expiration date.
What should I do? Note that I am not a member of multiple different teams, or anything like that; I'm a solo developer. This stuff is really confusing and does not seem to be well-documented anywhere that I have found. Am I just being dense?
Post not yet marked as solved
Hi,
I created a Developer ID certificate from my Apple developer account a couple of years ago and downloaded it as a .cer file onto my laptop. Now I want to use this certificate to sign my application, but unfortunately Xcode shows an error message like "Missing Private Key" and I can also see that there is no private key under my Developer ID certificate (there is no grey arrow to expand to see the private key) in Keychain Access. Moreover, my developer account is expired and I do not want to extend it yet, so unfortunately no solutions with an Apple developer account will work, like creating a new certificate etc.
Do you have any other solutions like using Keychain Access or Xcode to link my private key again into my developer id certificate?
Note:
1- The .cer file was created on my laptop by me, which I am using now. So I would expect that the related private key should already exist in my Keychain Access (if I did not delete it mistakenly), but I do not know which private key is the relevant one; I have several of them.
2-I have also a CertificateSigningRequest.certSigningRequest file which was copied near my .cer file. Maybe it could be useful for a solution?
3-No! unfortunately I do not have any .p12 file.
4-I had already installed current AppleWWDRCAG3 file before I import my .cer file into my Keychain Access Tool.
5-Get Info shows that my cer file is still valid till sep 2025.
6- I have already restarted my Xcode and laptop.
7-I tried all solutions here:
https://stackoverflow.com/questions/12867878/missing-private-key-in-the-distribution-certificate-on-keychain
8-https://developer.apple.com/account/resources/ shows me no certificate with the reason that my membership expired
9-I removed and re-added my apple account into Xcode. the same error occurred.
XCODE:Version 15.3 (15E204a)
OSX:macOS Sonoma 14.2.1
Thanks a lot in advance.
Hey there!
I was invited to be admin to a new developer account and it seems like admins cannot create dev certificates anymore. I already have a personal account and I was invited to the new team, but Xcode can't find my new team, it's showing the personal team only.
Can I create a request or something so the account holder can create a dev certificate and give it to me so I can develop on my MacBook with my own account?
Thanks!
Post not yet marked as solved
Hello,
I have a new MacBook and set up my Enterprise account. Part of my job is to view the expiration dates on certificates for other users. This should be a simple process, but when I click on the certificate, there's a button "view certificates" I should be able to click on and see the expiration date and basic details on that specific certificate.
The problem I have is that when I click on "view certificates", I get the error: "An error has occurred. Unable to display information about the selected item."
I've tried steps online but to no avail. How can I get this fixed? My two other coworkers are able to just click on that button and view the certificate details, except for me. I've attached the screenshot.
Thank you for your help
Regards
JJ
Post not yet marked as solved
Hi All,
We use a small group of Mac mini units running VMs for our Apple CI system. Since you can't login to an Apple ID on an Apple Silicon VM we wanted to use an App Store Connect API token to handle all the authentication for us. In the past this has not worked but I wanted to see if it could now. The answer is no, you can not use an API token with Developer ID Cloud certificates.
The reason is that, even on an Admin role token, the DevID certificates are not enabled by default. When you are using an Apple ID this is no big deal as you can check the box to allow access, but with tokens they are minted with only the default settings for the role. This means that the option for Access to Cloud Managed Developer ID Certificates is always disabled and you can't enable it.
If we could continue logging in with an Apple ID we could stumble along with that still, but even this ability is gone on AS VMs. Right now this pretty much means that we either give up on using stateless VMs to build or we go back to manually managing all of our code signing materials. The longer term solution would be to move to Xcode Cloud, but that will take us quite some time.
I filed FB13687073 to see if there is any way to create a token that can use this checkbox.
Post not yet marked as solved
I use three Macs for development of a web application. On each of the Macs (macOS 14.4) I used mkcert to install a local CA and to issue developer certificates (all separately). Accessing the web app with https://localhost:8080 works fine on two Macs with all browsers, but on one Mac Safari claims to have another root CA for localhost which it does not trust. And I cannot override the trust settings.
Using Keychain Access I do not find this certificate. Safari shows it like this:
Scrolling down I can see DNS Names localhost, localhost.localdomain and lvl.me, so I suspect it is a leftover from trying to install a root CA before using mkcert.
The mkcert certificate looks like this and I can see it in the System keychain:
So Safari complains and I cannot tell it to trust the server certificate as the CA does not fit (I think). Firefox and Chrome open the website just fine after warning me and me telling them to do so.
I tried to find the wrong CA using Keychain Access and Terminal (security find-certificate -a -c localhost, security find-certificate -a -c lvh...) but in vain.
Where can I find this certificate and how can I delete it?
Post marked as Apple Recommended
I've been trying to notarize an installer (.pkg file) on a new laptop. Previous versions have been notarized successfully on a previous Mac.
However, in spite of having the required certificates (same as the old Mac, generated for the new Mac) the submission gets stuck at "In Progress".
Doing it multiple times (even hours apart) doesn't help.
Is there a FAQ / suggested list of steps to help resolve this issue?
Here's what I see:
xcrun notarytool history --keychain-profile "(my profile name)"
results in (problem started with v4, the first version I've tried on this new Mac):
createdDate: 2023-10-17T01:34:36.911Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-17T01:33:59.191Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-16T21:01:25.832Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-16T19:57:44.776Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v4.pkg
status: In Progress
--------------------------------------------------
createdDate: 2023-10-02T14:17:34.108Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v3.pkg
status: Accepted
--------------------------------------------------
createdDate: 2023-09-28T14:04:46.211Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v2.pkg
status: Accepted
--------------------------------------------------
createdDate: 2023-09-20T17:28:46.168Z
id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
name: xxxxxxxxxx-v1.pkg
status: Accepted
--------------------------------------------------
xcrun notarytool log xxxxxxxxxxxxxxxxxxxx --keychain-profile "(my profile name)" results in:
Submission log is not yet available or submissionId does not exist
id: xxxxxxxxxxxxxxxxxxxxxxxx
Post not yet marked as solved
If I develop my app with an SDK (binary) that another person developed and then the SDK certificate has expired, can I submit my app to the App Store?
Or should I get a new SDK with an updated certificate?
Post not yet marked as solved
Hello,
I am setting up a build (Gitlab CICD) runner. I created a keychain and imported the certificate and my signing key.
$ security find-identity -v
XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)" (CSSMERR_TP_NOT_TRUSTED)
1 valid identities found
$ security find-identity -p codesigning -v
XXXXXX "Developer ID Application: XXXXXX, INC. (XXXXXX)"
1 valid identities found
Codesign fails with
unable to build chain to self-signed root for signer "Developer ID Application: XXXXXX, INC. (XXXXXX)" errSecInternalComponent
On the local machine everything is fine.
I think the point is that the identity is both valid and CSSMERR_TP_NOT_TRUSTED.
What can I do about it?
Hi,
I have this error:
Provisioning profile "iOS Team Provisioning Profile: com.Mcrich23.Pickt" doesn't include the com.apple.runningboard.assertions.webkit entitlement
However, I can't add this entitlement because it pretty much does not exist. Any ideas?
Post not yet marked as solved
Electron-Builder Version: 24.12.0
Electron-Builder-notarize Version: 1.5.1
Node Version: v15.14.0
Electron Version: 11.3.0
Electron-updater version: ^4.3.5
Target: Mac Apple Store (mas)
Hello, I am trying to build and sign a new version of my electron app for the mac apple store (mas), but when I get to the final step of uploading the RenderTune.pkg file to the mac transporter app, I get a failed status with 22 errors all the same formatting like so:
Asset validation failed (90284)
Invalid Code Signing. The executable 'com.martinbarker.digifyunique.pkg/Payload/RenderTune.app/Contents/Frameworks/Electron Framework.framework/Versions/A/Libraries/etc....dylib' must be signed with the certificate that is contained in the provisioning profile. (ID: abc-abc-abc-abc-abc)
In order to build and sign this RenderTune.pkg file, first I run the command npm run build-mas locally while on branch v1.1.5 ( code here )
Which runs the following command:
"build-mas": "electron-builder build --mac && sh signmasscript.sh",
So first it runs electron-builder build --mac and gives this output:
Martins-MacBook-Air:rendertune-v1.1.5-feb-24 martinbarker$ npm run build-mas
> rendertune@1.1.5 build-mas
> electron-builder build --mac && sh signmasscript.sh
• electron-builder version=24.12.0 os=20.6.0
• loaded configuration file=package.json ("build" field)
• writing effective config file=dist/builder-effective-config.yaml
• packaging platform=darwin arch=x64 electron=11.3.0 appOutDir=dist/mac
• signing file=dist/mac/RenderTune.app platform=darwin type=distribution identity=ACBACBACBACBACBACBACBACBACB provisioningProfile=none
• skipped macOS notarization reason=`notarize` options were not provided
• building target=DMG arch=x64 file=dist/RenderTune-mac.dmg
• building target=macOS zip arch=x64 file=dist/RenderTune-mac.zip
• building block map blockMapFile=dist/RenderTune-mac.dmg.blockmap
• building block map blockMapFile=dist/RenderTune-mac.zip.blockmap
Completes without issue. The next part is running the signmasscript.sh file, which does complete but gives these errors:
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
Failed to parse entitlements: AMFIUnserializeXML: syntax error near line 1
productbuild: Adding component at /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/dist/mas/RenderTune.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: Martin Barker (LV6WXG529F)" from keychain /Users/martinbarker/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/martinbarker/Documents/projects/rendertune-v1.1.5-feb-24/RenderTune.pkg
productbuild: Supported OS versions: [10.10.0, )
The final output RenderTune.pkg file gives 22 error messages saying `` when I try to deliver it via the mac os transport app.
Asset validation failed (90284)
Invalid Code Signing. The executable must be signed with the certificate that is contained in the provisioning profile
Is my app even being signed correctly? Or is there just one file that I need to fix? Please help me out !