Broken signing certificates?

I think there's something broken with certificates or Xcode that's preventing me from signing a new version of a Mac app I've made.

First, I know my "login" keychain password. I can use this password to export a .p12 file for my "Apple Development: {email} (CLW499436V)" item in my login keychain.

Second, I can use security find-identity -v -p codesigning to see my signing identities. It shows two of them. They have a different initial number, and then the same string "Apple Development: {email} (CLW499436V)".

The behavior using codesign -vf --sign SIGNING_ID ./test.app is different for each one of them.

  • One requests the signature with the following message: I can input my "login" keychain password, which I know, and all is good

  • The other uses the following message: It requires "the keychain password", which I have no clue what it is.

Now, in Xcode, if I go to the Build Settings/Signing, I can set my "Code Signing Identity". Opening the dropdown I can see a section named "Certificates in Keychain", and there's one "Apple Development: {email} (CLW499436V)". I don't know which one that is. Anyways, if I select that, going to "Signing & Capabilities" I see an error that tells me to select "Apple Developer" in the previous setting.

When I do that, however, it seems Xcode is trying to sign the app with the certificate that requests a password I don't know.

I don't think I had this problem in the past, so I'm not sure how I've reached this situation. I also don't seem to be able to remove certificates and create new ones because I'm not subscribed (paying) to the Apple Developer program. Maybe there's a way to remove them that I have missed?

How can I go back to having Xcode automatically sign my app?

These alerts are different because you’re triggering different access checks within keychain:

  • The first alert is an access control alert. codesign has found your signing identity in the login keychain and is trying to use it. codesign is not listed on the private key’s ACL, so you get this alert.

    If you click Always Allow, the keychain will add codesign to the key’s ACL and you won’t see the alert again.

  • The second alert is a keychain unlock alert. You seem to have (at least) two keychains: One called login and another called Apple Development: …. codesign has found your signing identity in that second keychain and is trying to use it. The keychain is locked, and so the system is prompting you to unlock it.

Honestly, I’ve no idea how you got into this state. Most folks have just a login keychain [1] and Xcode defaults to working with that. However, it should be feasible to fix it.

To start, let’s confirm the problem. What does this show:

% security list-keychains

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Well, and:

  • A System, which Xcode avoids

  • An iCloud Keychain, called Local Items if you don’t have iCloud Keychain enabled, which Xcode can use but won’t use by default

If you’re curious about the various keychains on the Mac, see TN3137 On Mac keychain APIs and implementations.

Here's what I get from running that command:

"/private/var/folders/rx/l1xnfmcd2452_3vtnr30pb7m0000gn/T/Apple Development: Daniel González Reina (Daniel González Reina)~~~vOqA6L/Apple Development: Daniel González Reina (Daniel González Reina).keychain"
"/private/var/folders/rx/l1xnfmcd2452_3vtnr30pb7m0000gn/T/Apple Development: Daniel González Reina (Daniel González Reina)~~~eop6Yd/Apple Development: Daniel González Reina (Daniel González Reina).keychain"
"/private/var/folders/rx/l1xnfmcd2452_3vtnr30pb7m0000gn/T/Apple Development: Daniel González Reina (Daniel González Reina)~~~xXdUwg/Apple Development: Daniel González Reina (Daniel González Reina).keychain"
"/private/var/folders/rx/l1xnfmcd2452_3vtnr30pb7m0000gn/T/Apple Development: Daniel González Reina (Daniel González Reina)~~~PGpNVn/Apple Development: Daniel González Reina (Daniel González Reina).keychain"
"/Users/daniel/Library/Keychains/login.keychain-db"
"/Library/Keychains/System.keychain"

And here's what I see in the Keychain Access app.

It looks like a few more have been created since I posted my question yesterday. I think they might get created when I go to Xcode preferences/Accounts/Manage Certificates... and I click on create a new one. I did that a few times yesterday trying to understand what was going on, but I got an error every time. Here's what I see under "Manage Certificates..."

How can I go back to a normal state?

Yikes! Something has gone badly wrong with your keychain here. Someone, presumably Xcode, is creating temporary keychains (hence the /private/var/folders/…/T/ path) and ‘leaking’ them into the keychain search list. I’ve never seen that particular pathology before.

I think a bug report is warranted here but first let’s try to isolate the issue. If you create a new user account on your Mac, log in as that, then run Xcode and sign in to your developer account, do you continue to see problems?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Here's what I get from running security list-keychains in the new account:

$ security list-keychains
  "/Users/test/Library/Keychains/login.keychain-db"
  "/Library/Keychains/System.keychain"

And these are the certificates I can see on Xcode after signing in to my developer account:

It looks like doing this has made some changes in my normal user. Here's what I see now running security find-identity -v -p codesigning:

$ security find-identity -v -p codesigning
  1) {SOME_NUMBER} "Apple Development: dangonrei@gmail.com (CLW499436V)"
     1 valid identities found

I used to have two here with a different SOME_NUMBER value and the exact same text.

Now my keychain looks like this:

And here's my certificates within Xcode:

So now, in Build Settings/Signing/Code Signing Identity, I can select Apple Development, and in Signing & Capabilities now I see the following:

When I archive the app, it now requests the password for the "login" keychain, and it looks like all the signing process is taken care of by Xcode successfully.

So, I think it's fixed?

The only two things now, which are more a housekeeping issue than an actual problem, would be to remove the certificate with the missing private key, and all the keychains in System named "Apple development:...". I have no clue how to remove the certificate, and the keychain has the "Delete Keychain ..." option greyed out, so I'm not sure how to do that either. How can I do it?

So, I think it's fixed?

Well, it’s progress at least (-:

I have no clue how to remove the certificate

If you can see them on the website, you can revoke them there using this process.

If you can see them in Keychain Access, you can delete your local copies there.

the keychain has the "Delete Keychain ..." option greyed out, so I'm not sure how to do that either. How can I do it?

Are you sure you selected the keychain on the left? That’s all I need to do to enable the File > Delete Keychain command.

If not, quit Keychain Access and delete the keychains using the delete-keychain subcommand of the security tool.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
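As an added example (not code from this thread, from Apple, or from the security tool's documentation), a small POSIX shell script that parses the output of security list-keychains, flags temporary keychains that were leaked into the search list, and prints the security delete-keychain and security list-keychains -s commands that would clean it up, without running them. The sample search list is constructed; the live security command is only used when it exists on the machine.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a search list from
# `security list-keychains`, flag leaked temporary keychains (the
# /private/var/folders/.../T/ paths quoted above), and print a cleanup.

# Turn list-keychains output (one quoted, indented path per line)
# into bare paths, one per line.
keychain_paths() {
    sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
}

# Per-user temporary directories on macOS live under
# /private/var/folders/<xx>/<id>/T/; no user creates a keychain there.
TEMP_RE='^/private/var/folders/[^/]+/[^/]+/T/'

leaked_temp_keychains() {        # stdin: list-keychains output
    keychain_paths | grep -E "$TEMP_RE"
}

persistent_keychains() {         # stdin: list-keychains output
    keychain_paths | grep -Ev "$TEMP_RE"
}

# Print (do not run) the cleanup Quinn suggests: delete each leaked
# keychain with `security delete-keychain`, then reset the search
# list to the remaining keychains with `security list-keychains -s`.
cleanup_commands() {             # stdin: list-keychains output
    input=$(cat)
    printf '%s\n' "$input" | leaked_temp_keychains |
        sed 's/.*/security delete-keychain "&"/'
    kept=$(printf '%s\n' "$input" | persistent_keychains |
        sed 's/.*/"&"/' | tr '\n' ' ')
    printf 'security list-keychains -s %s\n' "$kept"
}

# Constructed sample modelled on the output quoted in this thread
# (identifiers shortened; not the poster's real paths).
SAMPLE='    "/private/var/folders/rx/abc123/T/Apple Development: Someone (Someone)~~~vOqA6L/Apple Development: Someone (Someone).keychain"
    "/Users/daniel/Library/Keychains/login.keychain-db"
    "/Library/Keychains/System.keychain"'

# Use the live search list on a Mac, the constructed sample elsewhere.
if command -v security >/dev/null 2>&1; then
    LIST=$(security list-keychains)
else
    LIST=$SAMPLE
fi
printf '%s\n' "$LIST" | cleanup_commands
```

Once the leaked keychains are gone, security find-identity -v -p codesigning should list the Apple Development identity only once, from the login keychain.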
