Hi..
I have created a free Apple developer account for the purpose of learning iOS development. On my MacBook Air M2, two certificates (Apple Development certificates) were created by Xcode automatically. These certificates have an expiry of 1 year from the date of creation.
Kindly tell me what will happen after these certificates have expired. Will I be able to create new certificates with my free developer account?
Will Xcode be able to create new certificates in the same way after these certificates have expired?
Or do the existing certificates need to be renewed?
I request you to please clarify these points as per the entitlements of my free developer account.
Also, please tell me the maximum number of certificates that can be created by Xcode.
I tried to search on internet but could not find any source which can clear these queries.
Regards
Signing Certificates
A signing certificate is a digital identity used for code signing during the build and archive process.
Posts under Signing Certificates tag
Looking at the certificate chains for various binaries (using Apple's APIs or codesign --vvd) shows several patterns for the common names.
I am wondering why some code has the structure
Apple Root CA
Developer ID Certification Authority
Developer ID Application: Google LLC (EQHXZ8M8AV)
while others have the pattern
Apple Root CA
Apple Worldwide Developer Relations Certification Authority
Apple Mac OS Application Signing
Note, the second pattern does not include an organizational name.
Why is there a difference?
Is the second pattern an older pattern and the first (with the organization name) the new pattern?
(There are other certificate patterns like for Apple's binaries and development code I am testing)
MyPythonExe is a compiled file coming from a Python script compiled using pyinstaller. After being compiled, it was signed using codesign:
codesign -s "Developer ID TTT" -o runtime -f --timestamp MyPythonExe
Once signed, the exe was placed in a Zip container (exeZip), and then successfully notarized using the following:
xcrun notarytool submit exeZip --keychain-profile "MyNotarProf" --wait
It was accepted.
Now, when I try to run it, the following error is thrown (oddly, the compiled unsigned exe runs on the same computer without any issues):
/Users/admin/Downloads/MyPythonExe ; exit;
admin@admins-MacBook-Air ~ % /Users/admin/Downloads/MyPythonExe ; exit;
[1767] Error loading Python lib '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python': dlopen: dlopen(/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python, 0x000A): tried: '/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (code signature in <88BFFD37-99D8-36AB-9B95-9F54B30BD667> '/private/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' not valid for use in process: mapped file has no Team ID and is not a platform binary (signed with custom identity or adhoc?)), '/System/Volumes/Preboot/Cryptexes/OS/var/folders/80/35xy0t2n3t96b5nl5ldl24_r0000gn/T/_MEIEhOx1q/Python' (no such file), .... (+ a couple of similar errors)
No, the said exe file (MyPythonExe) was signed and successfully notarized. Oddly, the very same file, but unsigned runs perfectly well (after being authorized so it can surpass Gatekeeper, of course). What could be going on here? Any hint on how to overcome this issue?
My certificate expired and I got a new one.
I built the application with the new distribution p12 file.
And I updated the application.
But the new application doesn't have the previous version's information in the secure store.
What do I do?
Behavior:
I was recently having issues with errSecInternalComponent during codesign when using sudo su but NOT when logged into the non-administrator account, which appears to be due to the intermediate certificate not being in the admin user's keychain.
Workaround:
Add intermediate certificate (in my case the Apple Worldwide Developer Relations Certification Authority (G3) available here) to the Admin (who is running sudo su) user's keychain.
Why this is unexpected:
security find-identity -p codesigning indicates the identity is valid, but codesign fails with Warning: unable to build chain to self-signed root for signer and errSecInternalComponent. This behavior also seems to imply that while using codesign and sudo su, we are using the switched user (myuser)'s keychain for the signing identity, but the admin user's keychain for intermediate certificates.
Setup:
Admin user (referred to as admin)
Regular user (referred to as myuser)
For testing purposes do cp /usr/bin/true /Users/myuser/MyTrue
Steps to reproduce:
Login to the computer via Mac OS GUI as myuser
Install developer certificate and intermediates as myuser such that myuser's keychain has the development certificate and apple WWDR certificate
Verify that development certificate is valid and can codesign
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
Verify that signing works
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
Login to computer via Mac OS GUI as admin
As admin verify your login keychain does NOT contain the Apple Development identity or any intermediate WWDR certificates (delete them if present).
Use sudo su myuser to switch to myuser while in the admin GUI account.
admin@mymachine % sudo su myuser
myuser@mymachine %
Verify that development certificate is valid and can codesign after switching
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
Verify that codesigning fails
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
Warning: unable to build chain to self-signed root for signer: <REDACTED> "Apple Development: My User"
/Users/myuser/MyTrue: errSecInternalComponent
Verify that after installing the WWDR G3 intermediate in the admin user's keychain, signing works as expected.
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
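The condition reported in this post, an identity that security find-identity lists as valid while codesign cannot build its chain, can be told apart from a missing identity by reading the two outputs together. The following is an added example, not part of the original post: the function names, result labels and sample text are constructed for illustration, and the parser assumes find-identity output in the form shown in the post (run without -v).

```python
import re

# Constructed sample text, modelled on the transcript in the post above.
FIND_IDENTITY_OUT = """\
Policy: Code Signing
  Matching identities
  1) 0123ABCD "Apple Development: My User (TEAMID0000)"
     1 identity found
  Valid identities only
  1) 0123ABCD "Apple Development: My User (TEAMID0000)"
     1 valid identity found
"""
CODESIGN_ERR = """\
Warning: unable to build chain to self-signed root for signer: 0123ABCD "Apple Development: My User"
/Users/myuser/MyTrue: errSecInternalComponent
"""
CODESIGN_OK = "/Users/myuser/MyTrue: replacing existing signature\n"

# Matches lines such as:   1) <hash> "<identity name>"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+(\S+)\s+"([^"]+)"')


def valid_identities(find_identity_output):
    """Return the names listed under the 'Valid identities only' heading."""
    names, in_valid = [], False
    for line in find_identity_output.splitlines():
        if "Valid identities only" in line:
            in_valid = True
        elif "Matching identities" in line:
            in_valid = False
        else:
            m = IDENTITY_RE.match(line)
            if in_valid and m:
                names.append(m.group(2))
    return names


def triage(find_identity_output, codesign_output, identity_prefix):
    """Classify one signing attempt from the two captured outputs."""
    names = valid_identities(find_identity_output)
    has_identity = any(n.startswith(identity_prefix) for n in names)
    chain_warning = "unable to build chain to self-signed root" in codesign_output
    internal_error = "errSecInternalComponent" in codesign_output
    if not (chain_warning or internal_error):
        return "ok"
    if not has_identity:
        return "identity-missing"
    if chain_warning:
        # Identity is valid yet no chain could be built: the case in the post,
        # where the intermediate certificate was absent from the keychain used.
        return "chain-incomplete"
    return "other-failure"
```

A "chain-incomplete" result points at the intermediate certificate rather than at the signing identity itself, which is the distinction the post's workaround relies on.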
Hello,
I have a valid developer ID downloaded from Apple. I signed the code (compiled exe file for intel Macs) and put it into a ZIP, which I also signed.
While signing I use timestamp and hardener option:
codesign -s "$LbaDevID" -o runtime -f --timestamp $conFile3
codesign -s "$LbaDevID" -o runtime -f --timestamp $conZip3
where the variable $LbaDevID represents my Dev code ID (VALID, downloaded from Apple after requesting the cert), $conFile3 is the path to the exe file, and $conZip3 is the path to the ZIP (just $conFile3 zipped)
I attempt to notarize using the following command:
xcrun notarytool submit $compZip3 --keychain-profile "TestAppNotarz" --wait
The reply log downloaded says:
Invalid dev ID (which is valid)
no timestamp... I corrected this error after the 1st attempt but the reply says exactly the same, even when I can see "TIMESTAMP" in the signature.
The third and last error refers to the runtime, which is present but not being seen.
Any help on how to troubleshoot this issue will be highly appreciated!
Please point me to the relevant documentation to solve this issue...
Hi,
I'm trying to sign an app which is a Python compiled exe for Mac OS (one file only).
The app runs perfectly on my own Mac (or someone else's, but only after being admin authorized)
after running
codesign --sign "$devID" $file2sign
I got the following error:
Warning: unable to build chain to self-signed root for signer "Apple Development:..."
errSecInternalComponent
As per screenshot, I have both a current Dev cert and the intermediate certs installed.
Any help will be highly appreciated!
Hello Apple team,
We're having a problem submitting one of our apps to TestFlight via Xcode Cloud. We have over 10 apps with the same codebase and all of them build successfully. However, one application fails to build in Xcode Cloud, although there is no problem with manual build. We would appreciate your help in resolving this situation. Can you please help us resolve this issue? We are ready to provide additional information or logs to clarify the causes of the error.
Sincerely,
Anton Babich
Xcode Cloud
Archive - iOS encountered a failure that caused the build to fail.
Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/grpcpp.framework/grpcpp” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
Prepare Build for App Store Connect
Invalid Signature. Code failed to satisfy specified code requirement(s). The file at path “moBiel Live.app/Frameworks/Braintree.framework/Braintree” is not properly signed. Make sure you have signed your application with a distribution certificate, not an ad hoc certificate or a development certificate. Verify that the code signing settings in Xcode are correct at the target level (which override any values at the project level). Additionally, make sure the bundle you are uploading was built using a Release target in Xcode, not a Simulator target. If you are certain your code signing settings are correct, choose “Clean All” in Xcode, delete the “build” directory in the Finder, and rebuild your release target. For more information, please consult https://developer.apple.com/support/code-signing.
I am trying to implement Sign in with Apple with Firebase. I cannot get around an issue where I get the following error when attempting a sign in:
When running:
Auth.auth().signIn(with: credential) { (authResult, error) in
I get:
nil credential = OAuthProvider.credential Optional(Error Domain=FIRAuthErrorDomain Code=17004 "The audience in ID Token [com.name.app] does not match the expected audience." UserInfo={NSLocalizedDescription=The audience in ID Token [com.name.app] does not match the expected audience., FIRAuthErrorUserInfoNameKey=ERROR_INVALID_CREDENTIAL})
Optional("The audience in ID Token [com.name.app] does not match the expected audience.")
I have added my URL as stated on firebase to my identifier.
To complete set up, add this authorization callback URL to your app configuration in the Apple Developer Console. Additional steps may be needed to verify ownership of this web domain to Apple.
More code:
func authorizationController(controller: ASAuthorizationController, didCompleteWithAuthorization authorization: ASAuthorization) {
    if let appleIDCredential = authorization.credential as? ASAuthorizationAppleIDCredential {
        guard let nonce = currentNonce else {
            fatalError("Invalid state: A login callback was received, but no login request was sent.")
        }
        guard let appleIDToken = appleIDCredential.identityToken else {
            print("Unable to fetch identity token")
            return
        }
        guard let idTokenString = String(data: appleIDToken, encoding: .utf8) else {
            print("Unable to serialize token string from data: \(appleIDToken.debugDescription)")
            return
        }
        print("credential = OAuthProvider.credential")
        // Initialize a Firebase credential.
        let credential = OAuthProvider.credential(withProviderID: "apple.com",
                                                  idToken: idTokenString,
                                                  rawNonce: nonce)
        //Auth.auth().createUser(withEmail: T##String, password: T##String, completion: T##AuthDataResultCallback?##AuthDataResultCallback?##(AuthDataResult?, Error?) -> Void)
        // Sign in with Firebase.
        Auth.auth().signIn(with: credential) { (authResult, error) in
            print(Auth.auth().currentUser?.uid, " credential = OAuthProvider.credential ", error)
        }
    }
}
Hi to all,
a few years ago I worked with PhoneGap developing apps. As for then I did all the deploys so never got the need to have the answer to my current issue.
The problem is.. we have a 3rd party company developing a Flutter App for us and we want some of our company's members to test it by being them to deploy using our certificates so the tests can be done. However, generating the development certificate always makes its name the same as that of the account that generated it.
I believe it would work but how could I make it more manageable by setting its name as the 3rd party company's name (let's say the company's name is "XPTO")?
Is there a better way to accomplish this, deploying to TestFlight so our colleagues can test it?
Hi,
I'm trying to sign an App (original python compiled for MAC) and the codesign process is failing with error:
The command from terminal that produced the error was:
codesign --sign "$devID" $file2sign
Warning: unable to build chain to self-signed root for signer "Apple Development: ..."
errSecInternalComponent
I have both a dev certificate (current, just downloaded a couple of days ago) and the intermediate certificates.
When I run the command
security find-identity -v -p codesigning
I can perfectly see my dev cert, but only listed as "valid identities" nothing is listed as "matching identities"
Any help will be highly appreciated!
(I posted this in the "Distribution >> App Submission and Review" forum 2 days ago but it has not received a response. Trying here...)
I had to rebuild my iMac a few months ago and I restored from my Time Machine backup.
I now need to make a change to an app but what used to compile without error is now failing at the codesign step with:
Signing Identity: "-"
As far as I can see, all of the account profiles are valid with expiry dates in the future. The only 'odd' thing is that some have a 'Download' button in the 'Action' column of the 'Provisioning Profiles' section of the account details - when I select the "Download All Profiles" button, they turn grey but never seem to download or disappear (even after waiting for several hours!). Looking at the 'developer' web page, all of my certificates and provisioning profiles are active.
Any ideas welcomed
Thanks
Susan
I hope the pending antitrust suits force Apple to allow us to sign and provision our own apps for more than a week. For the price paid I should be able to write my own apps and use them without restriction outside of Apple services such as iCloud and so on. I understand distribution restrictions but please kill that 1 week annoyance, give me some level of freedom over my own apps on my own device.
Or I hope it’s forced.
Cheers and Thanks in advance.
I'm trying to generate a Pass Type certificate.
In my request, I specifically specify the hash type as SHA256. However, when I upload the request file and generate the certificate on the Apple developer site, the cer file states it is SHA1 (which has been deprecated).
Any help would be greatly appreciated.
Xcode Cloud always exports the archive using ad-hoc, development and app-store profiles. This always uses up 5-6 more minutes for my app. How do I disable this and allow export only with a single distribution profile?
We will soon be transferring our MacOS Electron app to a newly-created company. The app uses electron-builder and electron-updater (which in turn uses Squirrel.Mac). We distribute the app ourselves. (That is, it is not distributed in the App Store.)
If the new company signs the app with their certificate, I assume that updating from the version signed with the old company's certificate won't work. For Windows, it seems that I can provide both the old and new company names when building the app and then a subsequent update will work if the code is signed with either company's certificate. I haven't been able to find a similar process that will work on Mac.
I found this article, which doesn't offer much help: https://developer.apple.com/forums/thread/669350
But would a valid solution be to transfer the old company's developer account (or at least the Team ID/App ID Prefix) to the new company? Is that possible? And if so, and the Team ID/App ID Prefix remains the same, would the app be able to update even though the Bundle ID changes?
Thanks.
The certificate used in the app published earlier is now showing as invalid or is not being considered in the provisioning profile. So please help us with how to resolve this issue with the same certificate to publish an update for the app.
I recently began work on an app that uses push notifications and the app already has a version in the store. I no longer have access to the original development and distribution certificates. I know I need to generate new certs. However, will the new certificates work with the existing APN key, or will I have to generate a new APN key as well? Any links or info will help. Thanks.
When the beta was installed, the installer asked me if I wanted to use the new versions, I said no and now they never load and I can't use the token with the authenticity certificate.
I am sure I am missing a pretty elementary step - but - I'm at a loss.
I can build a certificate using KeyChain Access, upload the CSR, download the Certificate from the developer portal website and sign Apple Wallet Passes all day long.
No Problem.
So I thought I'd try to automate some processes with the AppStoreConnectAPI.
I want to download the certificate from the app store and use it to sign passes instead of the file on the disk.
So I find the right certificate from the API, and one of the tokens in there is a big byte stream called "certificateContent"... which I assumed would be the same binary data as what I uploaded (and what's on disc).
But it doesn't work - it "fails to sign".
I must be missing some step that is preventing me from being able to use that key. I have a feeling that a key or something is missing from the certificate I download from Apple's API.
Any ideas?