Lost Developer Certificate - How to Proceed?

In addition to my primary Intel computer, which I use to code sign and notarize all apps released to the public, I have a second Mac mini M1 for testing. This machine is set up to dual-boot into either Big Sur (latest release) or Monterey 12.1 beta 3.

I strongly suspect that Monterey corrupted my Big Sur partition making it impossible to boot from it. Regardless of the reason, I ended up with little choice except to do a fresh install of Big Sur and Monterey. However, I did not back up the public and private keys for my Developer ID Certificate before I reinstalled both operating systems.

I've been developing on macOS for 30 years, but I really don't get some of the ins and outs of certificates. So I'm a bit embarrassed to ask these newbie-esque questions:

  1. When I open Xcode 12.5.1 and go to Preferences > Accounts > Manage Certificates, I see the certificate for the old Big Sur partition prior to the fresh install. It's listed there in grey with the old name of the computer. But I don't see any way to get it. Is there a way? (I changed the computer name to match the old name, btw.)

  2. I did actually export my Developer ID Certificate from the old Big Sur partition to a .p12 file so that I could add it to the keychain on the Monterey partition. (Is this the public key, the private key, or both?) Should I try to import that into the Keychain on the freshly installed Big Sur and Monterey partitions?

  3. Or should I just generate and import a new certificate for the Big Sur partition from my developer account? (I would also then export it to a .p12 and import it into the Monterey partition as I did before.)

Finally, what actually is the best practice here? I thought that the certificates generated from my developer account were tied to the hardware (computer) on which I generated them, and that they couldn't be used on a different piece of hardware. Is that true?

If not, could I export the public and private keys for the Developer ID Application certificate from my main development machine (Intel Mac), and install those on every development system I use (e.g., the Mac mini M1)?

Thanks for any expertise and wisdom you can share.

Best Wishes, Mark

Replies

In most cases it’s safe to throw away and regenerate signing identities. The one exception to this is Developer ID signing identities. These are precious, as I discuss in this post and various follow-ups on that thread.

I did actually export my Developer ID Certificate from the old Big Sur partition to a .p12 file so that I could add it to the keychain on the Monterey partition.

Cool.

(Is this the public key, the private key, or both?)

A .p12 can contain a variety of credentials but in this case it contains a digital identity, that is, a certificate and the private key that matches the public key embedded in that certificate. This is, in fact, exactly what you need.

Should I try to import that into the Keychain on the freshly installed Big Sur and Monterey partitions?

Yes.

Or should I just generate and import a new certificate for the Big Sur partition from my developer account?

For other types of signing identities, that’s fine. For Developer ID, it would be much better for you to recover your existing one.

Finally, what actually is the best practice here?

For other types of signing identities, it’s fine to discard and regenerate them as necessary (-: For Developer ID, see the post referenced above for my advice.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


@eskimo

First, to be clear: I am sure the old certificate is not compromised. I had to erase my entire system after macOS Monterey corrupted my entire system. (See this post: https://developer.apple.com/forums/thread/694991) This is not my main development machine, and not the machine on which the code signing and notarization for my released software was done.

Problem is, I can't remember the password I used when exporting the file -- it was simply done to be able to move the certificate to the Monterey partition. I'll keep guessing.

But if I can't remember it, should I go ahead and create a new developer ID application certificate?

Or should I export the certificate from my main development machine (a physically separate Intel machine) and import it on this M1 machine? I assume that doesn't work because the machine has totally different hardware. Please let me know if that's how I should handle this.