Revoke Developer ID Application Certificate

I've just upgraded my MacBook. I've downloaded my Developer ID Application Certificate to my new machine, and not surprisingly, it's missing a private key.

I can request a new certificate of course, but I have reached the limit of my Developer ID Application Certificates (I have 5). I cannot use any of these with my new machine however, as when I download them, they will all be missing private keys.

I need to revoke one of my old Developer ID Application Certificates, but I can't work out how to do this. Any advice?
Thanks.

See this thread.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks eskimo, I've emailed support and requested that they revoke one of my developer ID certs, or increase my limit above 5.
Seeing as Apple are in no rush to help me fix this issue, I am going to have to create a new Apple ID, pay the $100 to create a new apple developer account, and sign my apps with this new apple ID/dev account.

My question is what could potentially go wrong with creating a new apple ID, then signing out of my apple ID on my mac, then signing in with the new ID? How does this impacts certs etc? Is it better to factory reset my mac then sign into it with my new apple ID?

How does this impacts certs etc?

Yes. Your code signing identities are tied to your team and thus you’ll need to redo those.

A bigger concern is the impact of this on your users. macOS typically identifies an app by its bundle ID. If you use a new bundle ID then you have a new app. That’s the safest approach here.

If you use the same bundle ID then things get complicated. That’s because the bundle ID isn’t the only way that macOS identifies an app. In certain circumstances, most notably the keychain, macOS will use your App ID (or its equivalent) to identify your app. Your Team ID is part of your App ID, so changing Team ID will cause code identity problems.

For example, the keychain uses an app’s designated requirement (DR) to track which keychain items belong to which app [1]. That DR embeds the Team ID. For example:

Code Block
% codesign -d -r - QProcessDock.app
Executable=/Applications/QProcessDock.app/Contents/MacOS/QProcessDock
designated => anchor apple generic and \
identifier "com.example.apple-samplecode.QProcessDock" and
(certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or \
certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and \
certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and \
certificate leaf[subject.OU] = SKMME9E2Y8)


If your Team ID changes then your DR changes and the keychain starts prompting the user to grant the app access to its ‘own’ keychain items.

This isn’t the only potential issue. There are numerous other subsystems within macOS that identify your app based on its App ID (or equivalent).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"

[1] I’m assuming the old school macOS file-based keychain here. In the new iOS-style database keychain you’ll see a similar effect though, because your keychain access groups all use your Team ID as their prefix.
Revoke Developer ID Application Certificate
 
 
Q