Mystified by certificate renewal process

(deleted)

(deleted)

Oh wow, this took longer than I would’ve liked. Unfortunately, a litle something called WWDC got in the way (-;

You have to manage Developer ID signing identities carefully. I’ve collected together my thoughts on this topic into a new post: The Care and Feeding of Developer ID. Read this through and post back here if you still have questions.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn! It's that time again; I got the email I dread from Apple, "Your Developer ID Application Certificate will no longer be valid in 30 days". And as usual, I can't figure out what to do. Your new post, linked in your last comment, is great, but I remain mystified by the practical aspect of how to get things to work. If I look at my account on developer.apple.com, at the "Certificates" page, there are five "Developer ID Application" entries. I think I only need one; I'm a solo developer with no complexity to my situation whatsoever. I see no way, on that page, to delete the unneeded ones, though. So that's one question.

Another question is: the expiration dates for these are all in 2025 or 2026, except for one, which expires 2024/03/21. I guess Apple is warning me that that one Developer ID Application Certificate is going to expire; but the other four are not going to expire any time soon. So, is there a problem, or not? Should I just let four of them expire, until I'm just left with one? Or will that cause problems for me?

And then the third question is about Xcode. If I open Settings and click Manage Certificates, Xcode shows five Developer ID Application certificates – but none of them are the ones shown at developer.apple.com, and they are all expired. Four of them are dimmed, and say "Not in Keychain". One of them is not dimmed, and has an expiration date of 12/14/21 – the distant past. When I right-click on them, the context menu has a menu item, "Delete Certificate", but that option is dimmed for all five of these expired certificates. How do I get Xcode to bring itself up to the present? I tried downloading a Developer ID Application Certificate from developer.apple.com and dragging into that panel in Xcode, but the drag just bounces back.

And my fourth question is about what I see in Keychain for these certificates, which seems to be a morass of expired/invalid cruft. Should I try to clean it out? If so, how? Or is it OK that it is just gradually filling up with more and more stuff that seems to be broken? Is there a documented procedure for basically starting over from scratch, clearing out all the cruft, and getting a clean working configuration?

These are the sorts of questions that I always have, and I can never find answers to them in any of the info Apple has posted online, including your posts. All the info online seems to be at a pretty conceptual level, and I more or less get the concepts – for a solo developer like me, it's not really that complex conceptually – but getting it to actually work is a whole 'nother matter. I live in fear of these expiration emails from Apple, and I'm terrified that I'll somehow ***** up and won't be able to release software any more. You're the only person at Apple who seems to be willing to communicate about this stuff at all; I've tried the official developer support channels and their responses always basically RTFM, but TFM doesn't answer the questions I have. Help!

I don't have a solution, but I wanted to mention another complication: Another place you can see certificates is in the Keychain Access utility. I deleted an expired certificate there, but it still shows up in Xcode, with a status of "Missing private key". And the "Delete Certificate" contextual menu item is still dimmed.

So, is there a problem, or not?

Not to my mind.

One thing to note here is, historically, the expiry of a Developer ID Installer certificate would cause problems for folks using your installer package. That’s no longer the case [1], but it might explain these enthusiastic warnings.

Should I just let four of them expire, until I'm just left with one?

That’s what I’d do.

Remember that the Developer website limits the number of (non-expired) Developer ID certificates you create, so it’s best to limit yourself to just one and keep the other ‘slots’ in reserve in case something weird happens.

How do I get Xcode to bring itself up to the present?

I don’t have a great answer for that. My advice is that you divide your certificates into two groups:

• Those that are precious

• Those that are not

For the precious ones, most notably Developer ID, manage things by hand and keep backups, as discussed in The Care and Feeding of Developer ID.

For the non-precious ones — including Apple Development and Apple Distribution — just sit back, relax, and let Xcode do its thing. If it does something silly, you can always fix that [2].

Should I try to clean it out?

That’s largely a matter of personal preference. Historically I used to be very obsessive about this. Now I reserve such obsessiveness for the precious stuff.

If so, how?

I’m not aware of any documented process for this. If I were doing this I’d approach it as follows:

1. Understand the difference between a digital identity and a certificate. I go into this in some detail in TN3161 Inside Code Signing: Certificates.

2. And that multiple digital identities can ‘share’ a private key.

3. In Keychain Access, identify all the digital identities you want to clean up.

4. Export each one to its own .p12 file. This makes it possible to undo the next step.

5. When you’re done, delete those digital identities (both the certificates and the private keys).

6. Repeat steps 3 through 5 for certificates, except this time you’re exporting a .cer file.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Despite what it says on Developer > Support > Certificates. I’m working to get that fixed (r. 90418064).

[2] Assuming you have access to the Certificates, Identifiers, and Profiles section of the Developer website.

Folks using a Personal Team need to be a bit more careful due to the limits imposed there. I’m happy to report that we now publish info about the Personal Team limits. See Developer > Support > Choosing a Membership. Finally!

Hi Quinn! Thanks very much for the reply. It is reassuring to know that I can let the older certificates expire, as long as I have a newer one. That has been the source of considerable confusion – I wasn't sure whether that would cause my existing (released) apps to stop working, so I kept making new certificates, and I guess ended up with way too many. :-O

I'll try cleaning out my Keychain Access stuff some time when I'm feeling particularly brave. :-O

The remaining question I have is: is there any way to ever get Xcode's "Delete Certificate" menu item to be enabled so I can clear cruft out from there? I have literally never seen that menu item undimmed, and I have looked/tried many times. Should I file a new issue on this, do you think? Is this documented somewhere? (I've tried looking for it, to no avail.)

is there any way to ever get Xcode's "Delete Certificate" menu item to be enabled

I don’t use that UI very much — I stick to Keychain Access and the Developer website — but I had a poke at it just now and, like you, I always see Delete Certificates disabled.

Oh, wait, it turns out we recently updated the docs for this and that seems to cover it pretty well:

You can only delete certificates that you or a team member have revoked in the developer portal.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"