Unable to find identity (but have private key and certificate)

I'm unable to sign an example application using Xcode and "automatically manage signing".

The error I'm getting is:

CodeSign [...] (in target 'foobar' from project 'foobar')
    
    Signing Identity:     "Apple Development: [xxxx] "
    
    /usr/bin/codesign --force --sign 4ABB258102FF656E9F597546A49274C28D2B8B3E -o runtime --timestamp\=none --generate-entitlement-der [filename]

4ABB258102FF656E9F597546A49274C28D2B8B3E: no identity found
Command CodeSign failed with a nonzero exit code

However, I am able to see a certificate and a private identity on my keychain:

% security find-certificate -aZ | grep -i 4ABB258102FF656E9F597546A49274C28D2B8B3E
SHA-1 hash: 4ABB258102FF656E9F597546A49274C28D2B8B3E

and

% security find-key -s | grep -q 'Apple Development' && echo YES
YES

What is puzzling is that security does not find an identity:

% security find-identity -p codesigning

Policy: Code Signing
  Matching identities
     0 identities found

  Valid identities only
     0 valid identities found

But Xcode claims that everything is working fine.

Does anybody know what I might be missing? I tried logging out, requesting new certificates, rebooting, moving them to another keychain, and asking developer friends.

Answered by DTS Engineer in 865525022

The issue here is that your private key doesn’t match the public key that’s embedded in your certificate. So you have a private key and a certificate but they don’t form a digital identity.

I talk about how that matching is done in the Digital Identities Aren’t Real section of SecItem: Pitfalls and Best Practices. And there’s a lot more background to this in TN3161 Inside Code Signing: Certificates. And I show the commands required to investigate it in this post.

However, for an Apple Development signing identity it’s probably not worth digging into this that deeply. It’s often quicker to just delete everything and start again [1].

WARNING Do not do this for Developer ID signing identities. See The Care and Feeding of Developer ID for more on those.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
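
The mismatch described in the answer above can be checked outside the keychain by comparing the public key embedded in the certificate with the public key derived from the private key. This is an added example, not part of the original thread or Apple's tooling; it assumes the certificate and key have been exported to PEM files, the function and file names are hypothetical, and the sample key and certificate are generated on the spot with openssl.

```shell
#!/bin/sh
# Added example (not from the thread): does a private key pair with a certificate?
# Assumes both items are available as PEM files; all names here are hypothetical.

# Returns 0 when the key and certificate carry the same public key,
# 1 when they do not, and 2 when either file cannot be parsed.
forms_identity() {  # $1 = certificate PEM, $2 = private key PEM
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Constructed sample input: a self-signed certificate with its own key
# (matching.key) plus an unrelated key (other.key). Prints the directory.
make_sample() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example" \
        -keyout "$d/matching.key" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Human-readable verdict for one certificate/key combination.
describe() {  # $1 = certificate PEM, $2 = private key PEM
    rc=0
    forms_identity "$1" "$2" || rc=$?
    case $rc in
        0) echo "$2: public key matches the certificate" ;;
        1) echo "$2: public key differs, so no identity can be formed" ;;
        *) echo "$2: could not read certificate or key" ;;
    esac
}

dir=$(make_sample) && {
    describe "$dir/cert.pem" "$dir/matching.key"
    describe "$dir/cert.pem" "$dir/other.key"
    rm -rf "$dir"
}
```
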
