Cloud Signing via Developer ID doesn't seem to work with Admin API Keys

Hi,

I'm having a really hard time figuring out why I cannot perform cloud signing via Developer ID with xcodebuild.

I have a macOS application, which I can perfectly cloud sign the following way:

  1. Sign into Xcode with my Admin + Account Holder Apple ID.
  2. Delete my Developer ID Application certificate from Keychain Access.
  3. In Xcode, click Archive.
  4. When archived, click "Distribute App" in Xcode Organizer.

The app is cloud signed. I prove this by extracting the certificate with codesign --extract-certificates -- /path/to/app.app, then locating the 1.2.840.113635.100.6.1.32 bit mentioned by Quinn in this post. I do it, however, by simply opening the certificate with Keychain Access, where I can investigate the content of the certificate, rather than using the tool he does.

Then, I do the following to attempt to cloud sign via xcodebuild:

  1. Create an API Key for the whole team in Users and Access > Integrations > App Store Connect with the "Admin" role selected.

  2. Download the private key .p8 file to ~/Downloads.

  3. Sign out of my Apple ID in Xcode by removing the account in Settings > Accounts.

  4. Create an archive:

    xcodebuild archive -scheme "<redacted scheme name>" -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates

    The archive is successfully created, with a new certificate named "Apple Development: Created via API (TEAM ID)".

  5. Export the archive:

    xcodebuild -exportArchive -archivePath ~/Downloads/archive.xcarchive -authenticationKeyIssuerID <redacted issuer id> -authenticationKeyID <redacted key id> -authenticationKeyPath ~/Downloads/AuthKey_<redacted key id>.p8 -allowProvisioningUpdates -exportOptionsPlist ~/Downloads/exportOptions.plist -exportPath ~/Downloads

which then fails:

2025-03-07 10:27:58.706 xcodebuild[2152:40704] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/tn/yy7ynz3d0yb4p3sd_5q_wl0h0000gn/T/<redacted app name> macOS_2025-03-07_10-27-58.706.xcdistributionlogs".
error: exportArchive Cloud signing permission error

error: exportArchive No signing certificate "Developer ID Application" found

** EXPORT FAILED **

Opening the distribution logs, I find this in the Provisioning Log:

2025-03-07 09:09:58 +0000  2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:58 +0000 IDEProvisioningRepair(<redacted app name>.app): Sending request 84E57539-BC1D-407A-8402-7BCE9F2FD100 to <https://appstoreconnect.apple.com/xcbuild/v1/certificates> for session DVTServicesTeamBasedSession <issuer: <redacted issuer id>; key identifier: <redacted key id>>.
Method: POST

Headers:
{
    Accept = "application/vnd.api+json";
    "Accept-Encoding" = "gzip, deflate";
    Authorization = "Bearer <redacted bearer token>";
    "Content-Length" = 116;
    "Content-Type" = "application/vnd.api+json";
    "User-Agent" = Xcode;
    "X-HTTP-Method-Override" = GET;
    "X-Xcode-Version" = "16.2 (16C5032a)";
}

Payload:
{"urlEncodedQueryParams":"teamId=<redacted team id>&filter%5BcertificateType%5D=DEVELOPER_ID_APPLICATION_MANAGED&limit=200"}

2025-03-07 09:09:59 +0000  2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Received response for 84E57539-BC1D-407A-8402-7BCE9F2FD100 @ <https://appstoreconnect.apple.com/xcbuild/v1/certificates>. Code = 0

2025-03-07 09:09:59 +0000  2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): 2025-03-07 09:09:59 +0000 IDEProvisioningRepair(<redacted app name>.app): Response payload: {
  "errors" : [ {
    "id" : "3d09690a-e26f-497f-b576-25104064387e",
    "status" : "403",
    "code" : "FORBIDDEN_ERROR",
    "title" : "This request is forbidden for security reasons",
    "resultCode" : 7495,
    "detail" : "You haven't been given access to cloud-managed distribution certificates. Please contact your team's Account Holder or an Admin to give you access. If you need further assistance, contact Apple Developer Program Support at https://developer.apple.com/contact/."
  } ]
}

This is really weird, since I am using an API key with Admin rights. If I create a new key and use it only for this command, App Store Connect does show the "Last Used" date as today after running the command.

I thought some time might need to pass, but the issue has been persisting since yesterday.

What could be wrong here? I do have a managed Developer ID Application certificate showing in my account, but I still can't retrieve it with an API key imbued with Admin rights.
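The post checks for the cloud-managed marker by opening the extracted certificate in Keychain Access. The script below is an added example (mine, not part of the original post and not an Apple tool) that automates the same check: it walks the DER of the leaf certificate that `codesign --extract-certificates` writes to `codesign0` and reports whether the marker extension OID 1.2.840.113635.100.6.1.32 quoted in the post is present. The DER walker and OID decoder are self-written; the fixtures at the bottom are constructed stand-ins for a certificate's extensions block, not real Apple certificates.

```python
"""Report whether a DER certificate carries Apple's cloud-managed marker
extension (OID 1.2.840.113635.100.6.1.32, as quoted in the post).

Usage on macOS:
    codesign --extract-certificates -- /path/to/app.app   # writes codesign0 (leaf), codesign1, ...
    python3 check_managed.py codesign0
"""
import sys

# Marker OID from the post; cloud-managed signing certificates carry it as an extension.
MANAGED_CERT_OID = "1.2.840.113635.100.6.1.32"


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = []
    value = 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:          # continuation bit: more base-128 digits follow
            continue
        if not arcs:          # the first sub-identifier packs arcs 1 and 2
            first = min(value // 40, 2)
            arcs.extend([first, value - 40 * first])
        else:
            arcs.append(value)
        value = 0
    return ".".join(str(a) for a in arcs)


def iter_tlv(data: bytes):
    """Yield (tag, is_constructed, content) for each DER element at one nesting level."""
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if tag & 0x1F == 0x1F:
            raise ValueError("high tag numbers do not occur in X.509 DER")
        length = data[pos + 1]
        pos += 2
        if length & 0x80:     # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        content = data[pos:pos + length]
        if len(content) != length:
            raise ValueError("truncated DER element")
        yield tag, bool(tag & 0x20), content
        pos += length


def collect_oids(data: bytes) -> set:
    """Recursively collect every OBJECT IDENTIFIER inside constructed elements."""
    oids = set()
    for tag, constructed, content in iter_tlv(data):
        if tag == 0x06:
            oids.add(decode_oid(content))
        elif constructed:
            oids |= collect_oids(content)
    return oids


def is_cloud_managed(cert_der: bytes) -> bool:
    """True when the certificate DER contains the managed-certificate marker OID."""
    return MANAGED_CERT_OID in collect_oids(cert_der)


# --- minimal DER encoder, used only to build the constructed fixtures below ---
def tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def extension_block(oids) -> bytes:
    """Constructed stand-in for tbsCertificate.extensions: SEQUENCE { [3] { SEQUENCE OF Extension } }."""
    exts = b"".join(tlv(0x30, encode_oid(o) + tlv(0x04, tlv(0x05, b""))) for o in oids)
    return tlv(0x30, tlv(0xA3, tlv(0x30, exts)))


# Constructed fixtures (not real Apple certificates): one with the marker, one without.
MANAGED_FIXTURE = extension_block(["2.5.29.19", MANAGED_CERT_OID])
LOCAL_FIXTURE = extension_block(["2.5.29.19", "2.5.29.15"])

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_managed.py codesign0 [codesign1 ...]")
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            der = fh.read()
        print(f"{path}: {'cloud-managed' if is_cloud_managed(der) else 'no managed marker'}")
```

Only `codesign0` matters for the question in the post, since that is the leaf (signing) certificate; the other files are the issuing chain. The same extension can also be eyeballed with `openssl x509 -inform DER -in codesign0 -text -noout`, which lists unknown extensions by their dotted OID.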

Answered by DTS Engineer in 829272022

@erdeszbalazs

Thank you for filing your Feedback report. Your issue is a known bug. You can't cloud sign with a Developer ID cert when authenticating with an App Store Connect API key. If you have a Developer ID certificate installed in Keychain, Xcode selects it to upload instead of accessing the cloud managed Developer ID certificate.

I've been looking at this issue more and what's even more interesting is that if I'm using an iOS app, the whole process works. An Apple Distribution (Managed) certificate appears in my account.

I did check and as account holder and single user developer program member I have both Distribution and Developer ID cloud certificates enabled (I can't even turn them off).

This issue has been filed in Feedback Assistant: FB16835802.


@DTS Engineer

Thank you for your reply. Using the individual certificates locally is indeed my current setup.

However, the reason why I want to switch is that cloud signing would vastly decrease the complexity of my signing processes, as I currently need to juggle many different certificate types on my CI/CD systems (e.g. Apple Development, Apple Distribution, Developer ID Application, etc.) - downloading them one by one from a secret storage.

If I understand correctly, this exact case would be one of the largest advantages of cloud signing: having the cloud server sign artifacts removes the need for manually making certificates available on the CI/CD runner mac that needs to sign the apps.

I trust this bug can be corrected in time, as it's a rather major selling point of cloud signing. It's one of its two main uses - safe distribution outside of the App Store (the other being distribution inside the App Store).
