Is there any way to deal with the mess I created with certificates?

We use CircleCI, so of course I've been spending the past week trying to get new secrets, profiles, certificates, and passwords in place.

In the process, I went to generate a new Developer ID Application certificate. In the process of that I screwed up multiple times. So now I have four of them (five, actually -- one using the older cert so it expires Feb 1, 2027).

They all have the same name. When I go to create a provisioning profile, there is no way to tell which one is which. No way to tell if they're being presented in the same order!

Apple has told me they will not delete or revoke them, since it's not a security issue for these ones.

When I go to create a provisioning profile, there is no way to tell which one is which.

Do you still have all their private keys?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I did eventually find the private keys. This took me several hours yesterday, because they were on different machines and accounts. (The problem I ran into was that it needed to go into the login keychain -- but several of my machines have project-specific keychains, so I can test behaviour when the certificates or passwords aren't there.)

I just filed FB11939267, begging for a way to at least identify them on the web portal.

I apparently typed too soon, and something is wrong -- I can build, but CircleCI can't, and I have no idea what I'm missing. Probably a root or intermediate certificate, but I'm not sure how to tell. sigh.

My signing certificates do not have roots. On another machine, they do. I have no idea what's different between them.

My signing certificates do not have roots.

Roots? Do you mean that you’re unable to build a trusted path from your signing certificate to a built-in root certificate? If so, see Fixing an untrusted code signing certificate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

security tells me "4 valid identities found". Trying to sign:

% codesign -s 'myidentifier' -f /tmp/mytrue
/tmp/mytrue: errSecInternalComponent

so it doesn't match. When I run the build on CircleCI, codesign says it's a self-signed root and refuses to. When I look at the certificate in Keychain Utility and evaluate it, on one machine it says it's fine, on another it says it's missing a root. I have compared the fingerprints of each of the intermediate certificates on the good machine to the certificates that are in the keychain on the machines that don't work, and those match. NB, I create a separate keychain for the certificates:

Well. I updated a laptop to macOS 12, and Keychain Utility doesn't complain when I evaluate the certificate.

But still doesn't work on CircleCI despite using macOS 12. sigh.
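Added example, not part of the thread and not Apple's code: a small POSIX shell script that answers, in order, the three questions raised above. Which of several identically named Developer ID Application certificates is which (by SHA-1 fingerprint, serial and expiry, so the hash can be handed to codesign instead of the ambiguous name), whether the private key for a given certificate is actually present, and whether a trusted path exists from the leaf through the Developer ID intermediate to a root, which is the check that fails on a build machine that has the leaf but not the issuing CA. It assumes openssl is on PATH; the certificate name, file paths and hash in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl on PATH; on macOS,
# the `security` and `codesign` tools. Certificate names, paths and the
# hash shown below are placeholders.
#
# On a Mac, export every certificate carrying the ambiguous name and list
# the hashes that `security find-identity -v -p codesigning` would show:
#   security find-certificate -a -p \
#       -c "Developer ID Application: Example Corp (ABCDE12345)" > devid.pem
#   sh this_script.sh devid.pem
# Then sign by hash instead of by name; codesign accepts a 40-hex-digit
# SHA-1 as the identity, which removes the "same name, unknown order" problem:
#   codesign -s 0123456789ABCDEF0123456789ABCDEF01234567 --timestamp -o runtime -f /tmp/mytrue

# One line per certificate in a PEM bundle:
#   <sha1 fingerprint, no colons> <serial> <notAfter> <subject CN>
summarize_bundle() {
    bundle="$1"
    tmp=$(mktemp)
    while IFS= read -r line; do
        printf '%s\n' "$line" >> "$tmp"
        case "$line" in
            *"END CERTIFICATE"*)
                fp=$(openssl x509 -in "$tmp" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g')
                serial=$(openssl x509 -in "$tmp" -noout -serial | sed 's/^serial=//')
                exp=$(openssl x509 -in "$tmp" -noout -enddate | sed 's/^notAfter=//')
                cn=$(openssl x509 -in "$tmp" -noout -subject | sed 's/^.*CN *= *//; s/,.*$//')
                printf '%s %s %s %s\n' "$fp" "$serial" "$exp" "$cn"
                : > "$tmp"
                ;;
        esac
    done < "$bundle"
    rm -f "$tmp"
}

# Exit 0 when the private key in $2 belongs to the certificate in $1.
# A certificate whose key is missing is not an identity: `security
# find-identity` will not list it and codesign cannot sign with it.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when a trusted path exists: leaf ($1) -> intermediates ($2, a PEM
# bundle, may be empty) -> a root in $3. A missing intermediate is the usual
# cause of the "self-signed root" / untrusted-certificate failure on a CI
# machine that has the leaf but not the CA that issued it.
chain_ok() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$3" "$1" >/dev/null 2>&1
    fi
}

# Usage: sh this_script.sh bundle.pem [leaf.pem key.pem intermediates.pem roots.pem]
if [ -n "${1:-}" ]; then
    summarize_bundle "$1"
fi
if [ -n "${5:-}" ]; then
    key_matches_cert "$2" "$3" && echo "key present for $2" || echo "no matching key for $2"
    chain_ok "$2" "$4" "$5" && echo "trusted path OK" || echo "no trusted path (intermediate or root missing?)"
fi
```

Running the third check on the CI machine with only the leaf and Apple's root will fail while the same command with the Developer ID intermediate added succeeds, which is the quickest way to confirm that the intermediate, not the leaf or its key, is what the CircleCI keychain is missing.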
