Unable to find identity (but have private key and certificate)

I'm unable to sign an example application using Xcode and "automatically manage signing".

The error I'm getting is:

CodeSign [...] (in target 'foobar' from project 'foobar')

    Signing Identity:     "Apple Development: [xxxx] "

    /usr/bin/codesign --force --sign 4ABB258102FF656E9F597546A49274C28D2B8B3E -o runtime --timestamp\=none --generate-entitlement-der [filename]

4ABB258102FF656E9F597546A49274C28D2B8B3E: no identity found
Command CodeSign failed with a nonzero exit code

However, I am able to see a certificate and a private identity on my keychain:

% security find-certificate -aZ | grep -i 4ABB258102FF656E9F597546A49274C28D2B8B3E
SHA-1 hash: 4ABB258102FF656E9F597546A49274C28D2B8B3E

and

% security find-key -s | grep -q 'Apple Development' && echo YES
YES

What is puzzling is that security does not find an identity:

% security find-identity -p codesigning

Policy: Code Signing
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found

but Xcode claims that everything is working fine.

Does anybody know what I might be missing? I tried logging out, requesting new certificates, rebooting, moving them to another keychain, and asking developer friends.

The issue here is that your private key doesn’t match the public key that’s embedded in your certificate. So you have a private key and a certificate but they don’t form a digital identity.

I talk about how that matching is done in the Digital Identities Aren’t Real section of SecItem: Pitfalls and Best Practices. And there’s a lot more background to this in TN3161 Inside Code Signing: Certificates. And I show the commands required to investigate it in this post.

However, for an Apple Development signing identity it’s probably not worth digging into this that deeply. It’s often quicker to just delete everything and start again [1].

WARNING Do not do this for Developer ID signing identities. See The Care and Feeding of Developer ID for more on those.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi DTS Engineer,

I did already try removing the key material, and requesting a new certificate. I mentioned this in my previous message already. I'm not sure why, but this does not seem to help.

Here is a screenshot:

I also tried to read the links you sent, but they don't seem to be relevant in this case? I am simply trying to run code on my own phone with Xcode's default settings on the boilerplate application.

How may I proceed from here? Is there anything else I should try?

Here is some more debugging: I think I do have a secret key matching the public key.

In order to check that, I have exported the secret key and the certificate to a folder, and then verified that the RSA moduli are the same:

% openssl x509 -inform der -in 'XXXXXXXX.cer' -noout -modulus
Modulus=…
% openssl pkcs12 -in 'Apple Development: XXXXX.p12' -passin pass:foo -nocerts -nodes | openssl rsa -noout -modulus
Modulus=…
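The check the original poster runs above (and the pairing rule Quinn describes in the earlier reply, a private key and a certificate only form an identity when the key's public half equals the public key embedded in the certificate) can be scripted so that it also covers EC keys, where `openssl rsa -modulus` does not apply. The following is an added example written for this thread, not code from Apple or from either poster; it assumes only the `openssl` command line tool, and the file names are placeholders. It compares a SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo taken from the certificate with the one derived from the private key, and includes a constructed key/certificate fixture so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): does a private key pair up with a certificate?
# Matching rule: the public key derived from the private key must equal the
# SubjectPublicKeyInfo inside the certificate. Works for RSA and EC keys.
# Assumes the openssl CLI is installed; all file paths are placeholders.

# SHA-256 fingerprint of the DER-encoded public key carried by a certificate.
# $1 = certificate file, $2 = its encoding ("pem" or "der"; Apple's .cer files are DER).
cert_pubkey_fp() {
    openssl x509 -inform "${2:-pem}" -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform der \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# The same fingerprint, derived from an (unencrypted PEM) private key file.
# For a .p12 export, first run: openssl pkcs12 -in file.p12 -nocerts -nodes -out key.pem
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform der \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the pair forms one identity, 1 otherwise.
# $1 = certificate, $2 = private key, $3 = certificate encoding (default pem).
identity_ok() {
    c=$(cert_pubkey_fp "$1" "${3:-pem}")
    k=$(key_pubkey_fp "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed test material (not real Apple material): an EC key, a self-signed
# certificate for it (PEM and DER copies), and an unrelated key for the mismatch case.
make_fixture() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=constructed test" \
        -days 1 -out "$1/cert.pem" 2>/dev/null
    openssl x509 -in "$1/cert.pem" -outform der -out "$1/cert.cer"
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/other.pem"
}

# Usage: sh identity_check.sh CERT_FILE PRIVATE_KEY_FILE [pem|der]
if [ $# -ge 2 ]; then
    if identity_ok "$1" "$2" "${3:-pem}"; then
        echo "MATCH: key and certificate form one identity"
    else
        echo "MISMATCH: this key does not belong to this certificate"
        exit 1
    fi
fi
```

A mismatch here is the case Quinn's first reply describes; a match means the key material is fine and, as the thread goes on to explore, the problem lies in trust evaluation (missing intermediates or overridden trust settings) rather than in the pairing.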

Where did Apple Development: XXXXX.p12 come from in your latest example?

I suspect you exported it from the keychain using Keychain Access. Is that right?

If so, that confirms that, yes, indeed, your private key and certificate match, because Keychain Access wouldn’t let you export it otherwise. So something else is going on. And it’s not at all clear what that is.

Let’s see if the issue tracks with your user account. If you create a new user account on your Mac [1] and then use Keychain Access to import Apple Development: XXXXX.p12 into the login keychain, what does security find-identity show?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Alternatively, if you have a VM handy, you could run the test there.

Correct, both were exported from the keychain with password "foo".

The key material added from xcode was not touched in any other way.

I have tried to create a new account "alias" on my macbook, have it import both keys.

The account is not associated with my iCloud.

I marked that certificate as trusted manually.

Can't get a valid identity from that account either.

I marked that certificate as trusted manually.

OK, that’s not good. In general, you shouldn’t override trust settings like this. The certificate should be trusted by default, and if it’s not you need to work out why (it’s usually because of a missing intermediate).

I talk about that more in Fixing an untrusted code signing certificate.

So, in your test user:

  1. Remove your custom trust settings.
  2. Add the WWDR intermediates.
  3. And re-run the security find-identity test.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Dear DTS engineer,

I exported the intermediate certificates.

I can see it marked as "trusted" from the separate user.

However, no valid identity yet.

With reference to that screenshot, what happens if you switch to the My Identities tab in Keychain Access? Does it show the certificate and private key pairing up correctly?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

There is no "My Identities" tab in that screenshot, DTS Engineer.

Where are we going with this?

Sorry, I meant the My Certificates tab.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
