Question about creating certificates

Hello, I read on the Apple Support page that for iOS Distribution certificates, when they expire, "Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate."

We have 2 certificates that will be expiring soon, a Distribution certificate and an iOS Distribution certificate. I think this app is on the App store. I understand that some certificates can expire without having an effect on the apps; they just need to be updated in order to put a new version out there. I am trying to figure out if ours apply to that scenario or the one above where it will immediately affect installed apps. Any feedback on that?

The Apple support person I talked to said I would have to create the certificates before the expiration date, and I have to coordinate that with the release of an updated version of the app. So I believe I need to coordinate with the developer and create the certificate when he uploads a new version of the app.

Also, he told me that the iOS Distribution certificates and the Distribution certificates are created in different ways. I found this about creating iOS Distribution certificates: https://support.staffbase.com/hc/en-us/articles/115003458931-Creating-the-iOS-Distribution-Certificate Can all these steps be done ahead of time and I could send the certificate file to the developer? Is there a URL that shows the different way to create Distribution certificates?

Thank you. Any answers to these questions would be very helpful.

Answered by DTS Engineer in 702014022

If you only distribute your app via the App Store, you don’t have to worry about certificate expiry causing problems for your users. Once App Store Connect accepts your app, the App Store infrastructure re-signs it before distributing it to users. Those certificates don’t expire [1].

An easy way to see this in action is with a Mac App Store app [2]. Consider this:

% codesign -d -vvv "/Applications/Tap Forms 5.app"
…
Authority=Apple Mac OS Application Signing
…
TeamIdentifier=FXLPHZS84D
…

Note that the certificate in the signature is an Apple certificate, not the developer’s distribution certificate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, they have an expiry date but it’s not relevant.

[2] The Mac App Store does not have exactly the same mechanics as the App Store on iOS, but they are well aligned in general and definitely behave the same way in this regard.
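The check above can be scripted. This is an added example, not code from the thread or from Apple: it classifies the report that codesign -d -vvv prints, distinguishing an app re-signed by Apple (where the team's distribution certificate expiry does not matter) from a build signed directly with a team certificate (ad hoc or Developer ID, where it does), and it also checks the chain for the WWDR intermediate mentioned later in the thread. The sample reports, bundle identifier and team ID are constructed; the iOS counterpart of the Mac App Store authority name is included as well.

```shell
#!/bin/sh
# Added example, not from the thread: classify a code signature from the report
# that `codesign -d -vvv <app>` prints, so you can tell an App Store re-signed app
# (the developer's distribution certificate expiry is irrelevant) from a build
# signed directly with a developer certificate (expiry matters for ad hoc or
# Developer ID distribution). The sample reports below are constructed.

# The leaf certificate is the first Authority= line in the report.
leaf_authority() {
    printf '%s\n' "$1" | awk '/^Authority=/ { sub(/^Authority=/, ""); print; exit }'
}

# Prints one of: app-store, developer, unsigned, unknown.
classify_signer() {
    leaf=$(leaf_authority "$1")
    case "$leaf" in
        "Apple Mac OS Application Signing" | "Apple iPhone OS Application Signing")
            echo app-store ;;          # re-signed by Apple, as in the thread
        "Apple Distribution: "* | "iPhone Distribution: "* | \
        "Developer ID Application: "* | "Apple Development: "*)
            echo developer ;;          # signed with the team's own certificate
        "") echo unsigned ;;           # no Authority lines at all
        *)  echo unknown ;;
    esac
}

# True when the report's chain includes the WWDR intermediate; a missing
# WWDR intermediate is one reason a keychain shows a certificate as untrusted.
has_wwdr_intermediate() {
    printf '%s\n' "$1" | grep -q '^Authority=Apple Worldwide Developer Relations Certification Authority$'
}

# Constructed sample reports (bundle identifier and team ID are placeholders).
APP_STORE_REPORT='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

DEVELOPER_REPORT='Executable=/tmp/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Apple Distribution: Example Corp (TEAMID0000)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'

# On a Mac, feed in a real report; codesign writes it to stderr, hence 2>&1:
#   classify_signer "$(codesign -d -vvv "/Applications/Tap Forms 5.app" 2>&1)"
classify_signer "$APP_STORE_REPORT"   # app-store
classify_signer "$DEVELOPER_REPORT"   # developer
```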

Also are there URLs that show the different ways to create Distribution certificates vs iOS Distribution certificates?

I don’t know what you mean by “Distribution certificate”. AFAIK we don’t use that as a specific term. That is, we might say “distribution certificate” to encompass various flavours of certificates that can be used for distribution, but none of those flavours use that spelling.

If you go to Apple > Developer > Certificates, Identifiers & Profiles and start creating a certificate you’re presented with many options:

  • Apple Distribution — Sign your apps for submission to the App Store or for Ad Hoc distribution. For use with Xcode 11 or later.

  • iOS Distribution (App Store and Ad Hoc) — Sign your iOS app for submission to the App Store or for Ad Hoc distribution.

  • Mac App Distribution — This certificate is used to code sign your app and configure a Distribution Provisioning Profile for submission to the Mac App Store.

  • Mac Installer Distribution — This certificate is used to sign your app's Installer Package for submission to the Mac App Store.

  • Developer ID Installer — This certificate is used to sign your app's Installer Package for distribution outside of the Mac App Store.

  • Developer ID Application — This certificate is used to code sign your app for distribution outside of the Mac App Store.

Are you referring to one of these? If so, which one? If not, please provide more details about what you mean by “Distribution certificate”.

Does this mean that if we also use Google Play store in addition to the App store, then in that case, those apps will stop working as soon as the certificates expire?

I can’t answer this; I’ve no experience with non-Apple distribution mechanisms.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

You seem to have misunderstood how certificate signing requests work. Lots of folks are confused by this, primarily because of poor terminology and opaque tooling. I just posted Certificate Signing Requests Explained in an attempt to clear things up. Please read that through before continuing here.

I created some certificates and uploaded them to Certificates, Identifiers, & Profiles.

So, to be clear, you did not create and upload certificates. Code signing certificates are always created by the developer web site. I presume you created and uploaded some CSRs.

my keychain says they aren’t trusted yet because they haven't been sent to the CA.

That’s not how this works. The certificates issued by the developer web site are trusted by Apple (unless they’re revoked). If they’re showing as untrusted on your Mac, that’s due to an issue local to your Mac. The most common causes are:

  • Missing WWDR intermediate certificate

  • Customised trust settings

See this post for further advice.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Does this mean we upload it to "Certificates, Identifiers & Profiles" on the developer site … ?

Correct. The specific scenario I’m referring to here is:

  1. You go to Developer > Account > Certificates, Identifiers & Profiles > Certificates.

  2. You click the add button.

  3. You select the type of certificate you want Apple to issue, for example, Apple Development, and then click Continue.

  4. The next page presents a file choice UI where you select a CSR to upload.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
