How to fix multiple signing identities?

Xcode makes it way too easy to create new signing identities.


In trying to fix a disk image signing problem, I now have several Developer ID Application certificates. This is causing the script that signs our distribution DMG file to fail. The command


codesign --sign "${CODE_SIGN_IDENTITY}" --verbose=3 "${DMG_FINAL}" >> "${TRANSCRIPT}" 2>&1


produces the output:


Developer ID Application: ambiguous (matches "Developer ID Application: James (XXXXXXXXH54U)" and "Developer ID Application: James (XXXXXXXXH54U)" in /Users/james/Library/Keychains/login.keychain-db)

It would seem that the obvious solution would be to simply delete the extraneous certificates, but you can't seem to do that in Xcode. (The "Delete" menu item is always disabled.) I'm hesitant to delete anything directly from Keychain, because the last time I tried that it totally wrecked Xcode to the point that I had to delete everything from Keychain and issue all new certificates.


Does anyone know how to resolve this?

Continuing to search for a solution, I found that some people suggest that I should revoke some of the certificates. But according to Apple's Certificates Support document, that seems like a stunningly disastrous move:


"If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate."


So I'm back to figuring out how to specify just one certificate in codesign and the Xcode build, or deleting the unused ones.

I ultimately worked around this by editing my release build script to sign the disk image with a specific certificate:


codesign --sign 0102030405060708090A0B0C0D0E0F1011121314 --verbose=3 "${DMG_FINAL}"


In place of the certificate's name, you can specify its SHA-1 hash, so there's no ambiguity.


I tried to get clever and extract the certificate's hash code from the executable that xcodebuild signed, but I eventually gave up. So for now, the disk image signing certificate is hard-coded in my release build script.

I know it's an old thread, but this may help other users. I find the first certificate's hash like this in fastlane:

app_signing_identity = `security find-identity -v -p codesigning | grep -m 1 "Developer ID Application" | awk '{print $2}'`.strip
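
Added example, not code from any poster in this thread: a POSIX shell helper that parses `security find-identity -v -p codesigning` output and resolves an identity name to exactly one SHA-1 hash, refusing to choose when several identities match unless a pinned hash is supplied and still present in the keychain. The function names, exit codes and the sample listing (including its hashes and third identity) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -v -p codesigning` output
# (hashes and the third identity are made up for this example).
SAMPLE_IDENTITIES='  1) 0102030405060708090A0B0C0D0E0F1011121314 "Developer ID Application: James (XXXXXXXXH54U)"
  2) 1415161718191A1B1C1D1E1F2021222324252627 "Developer ID Application: James (XXXXXXXXH54U)"
  3) 28292A2B2C2D2E2F303132333435363738393A3B "Apple Development: James (XXXXXXXXH54U)"
     3 valid identities found'

# matching_hashes NAME (hypothetical helper): reads a find-identity listing on
# stdin and prints the SHA-1 of every identity whose quoted name contains NAME.
matching_hashes() {
  awk -v name="$1" '
    $1 ~ /^[0-9]+\)$/ && $2 ~ /^[0-9A-F]+$/ && length($2) == 40 {
      label = $0
      sub(/^[^"]*"/, "", label)   # drop index and hash up to the opening quote
      sub(/"[^"]*$/, "", label)   # drop the closing quote and anything after
      if (index(label, name)) print $2
    }'
}

# resolve_identity NAME [PINNED_SHA1] (hypothetical helper): prints one hash.
# Returns 1 = no match, 2 = ambiguous, 3 = pinned hash not among the matches.
resolve_identity() {
  name=$1; pinned=${2:-}
  hashes=$(matching_hashes "$name")
  [ -n "$hashes" ] || { echo "no valid identity matches: $name" >&2; return 1; }
  if [ -n "$pinned" ]; then
    # A pinned hash is only accepted if it is still a valid identity.
    printf '%s\n' "$hashes" | grep -qxF "$pinned" ||
      { echo "pinned identity not in keychain: $pinned" >&2; return 3; }
    printf '%s\n' "$pinned"; return 0
  fi
  count=$(printf '%s\n' "$hashes" | wc -l | tr -d ' ')
  if [ "$count" -gt 1 ]; then
    echo "ambiguous: $count identities match \"$name\":" >&2
    printf '  %s\n' $hashes >&2   # list candidates so one can be pinned
    return 2
  fi
  printf '%s\n' "$hashes"
}

# Demo on the constructed listing. On macOS, pipe the real command instead:
#   security find-identity -v -p codesigning | resolve_identity "Developer ID Application" "$PINNED_SHA1"
printf '%s\n' "$SAMPLE_IDENTITIES" |
  resolve_identity "Developer ID Application" 0102030405060708090A0B0C0D0E0F1011121314
```

The printed hash can be passed to `codesign --sign` in place of the certificate name, as in the workaround above.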