I got an email from Apple, "Your Developer ID Installer Certificate will no longer be valid in 30 days". So I went to my certificates page on developer.apple.com, and I see the attached photo.
Basically, yes, I have a Developer ID Installer Certificate that expires 2023/07/01; but I also have one that expires 2025/12/08, and one that expires 2026/01/09, and one that expires 2026/12/15, and another that expires 2026/12/16! Why do I have all these certificates? I have no idea. There is a "+" button to add a new one; but given that I already seem to have ones that won't expire for several more years, do I need to? There does not seem to be a "-" button, or any way to clear out this cruft.
I then recalled that perhaps I have managed my certificates in Xcode in the past, not on this page (or maybe I have done both, at different times?). So I went to Xcode, and things seem to be rather a mess there too, but in a different way (second image attached).
Here, I seem to have lots of stale certificates that are in gray and say "Not in Keychain" – how do I clear those out? Again there does not seem to be a "-" button. And the newer ones that I saw on developer.apple.com do not seem to be listed here, maybe – it's hard to compare, though, because on developer.apple.com it shows the expiration date but not creation date, whereas in Xcode it shows creation date but not expiration date.
What should I do? Note that I am not a member of multiple different teams, or anything like that; I'm a solo developer. This stuff is really confusing and does not seem to be well-documented anywhere that I have found. Am I just being dense?
So, is there a problem, or not?
Not to my mind.
One thing to note here is, historically, the expiry of a Developer ID Installer certificate would cause problems for folks using your installer package. That’s no longer the case [1], but it might explain these enthusiastic warnings.
Should I just let four of them expire, until I'm just left with one?
That’s what I’d do.
Remember that the Developer website limits the number of (non-expired) Developer ID certificates you create, so it’s best to limit yourself to just one and keep the other ‘slots’ in reserve in case something weird happens.
How do I get Xcode to bring itself up to the present?
I don’t have a great answer for that. My advice is that you divide your certificates into two groups:
- Those that are precious
- Those that are not
For the precious ones, most notably Developer ID, manage things by hand and keep backups, as discussed in The Care and Feeding of Developer ID.
For the non-precious ones — including Apple Development and Apple Distribution — just sit back, relax, and let Xcode do its thing. If it does something silly, you can always fix that [2].
Should I try to clean it out?
That’s largely a matter of personal preference. Historically I used to be very obsessive about this. Now I reserve such obsessiveness for the precious stuff.
If so, how?
I’m not aware of any documented process for this. If I were doing this I’d approach it as follows:
1. Understand the difference between a digital identity and a certificate. I go into this in some detail in TN3161 Inside Code Signing: Certificates.
2. And that multiple digital identities can ‘share’ a private key.
3. In Keychain Access, identify all the digital identities you want to clean up.
4. Export each one to its own .p12 file. This makes it possible to undo the next step.
5. When you’re done, delete those digital identities (both the certificates and the private keys).
6. Repeat steps 3 through 5 for certificates, except this time you’re exporting a .cer file.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Despite what it says on Developer > Support > Certificates. I’m working to get that fixed (r. 90418064).
[2] Assuming you have access to the Certificates, Identifiers, and Profiles section of the Developer website.
Folks using a Personal Team need to be a bit more careful due to the limits imposed there. I’m happy to report that we now publish info about the Personal Team limits. See Developer > Support > Choosing a Membership. Finally!
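An added example, not part of the thread and not Apple's code: a read-only inventory for the "identify" step of the clean-up above, printing each matching keychain certificate with both its creation and expiry dates and whether its private key is present (a digital identity) or not. The function names are hypothetical, and it assumes `security find-identity` prints lines of the form `N) SHA1 "name"` and that `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example. Output columns: SHA-1, not-before, not-after, kind.
# It only reads the keychain; it exports and deletes nothing.

# stdin: `security find-identity` output. stdout: SHA-1 of each listed
# identity (certificate plus private key) whose name starts with $1.
identity_hashes() {
    awk -v want="$1" '
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name)      # drop everything up to the opening quote
            if (index(name, want) == 1) print $2
        }' | sort -u
}

# $1: SHA-1 of a certificate, $2: newline-separated identity hashes.
kind_of() {
    if printf '%s\n' "$2" | grep -qx "$1"; then
        echo "identity"
    else
        echo "certificate only"
    fi
}

inventory() {
    prefix=$1
    ids=$(security find-identity | identity_hashes "$prefix")
    tmp=$(mktemp -d) || return 1
    # Split the PEM bundle into one file per certificate.
    security find-certificate -a -c "$prefix" -p |
        awk -v dir="$tmp" '/BEGIN CERTIFICATE/ { n++ } n { print > (dir "/" n ".pem") }'
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        sha=$(openssl x509 -in "$pem" -noout -fingerprint -sha1 | sed 's/.*=//; s/://g')
        from=$(openssl x509 -in "$pem" -noout -startdate | sed 's/.*=//')
        to=$(openssl x509 -in "$pem" -noout -enddate | sed 's/.*=//')
        printf '%s\t%s\t%s\t%s\n' "$sha" "$from" "$to" "$(kind_of "$sha" "$ids")"
    done
    rm -rf "$tmp"
}

# Runs only on macOS, where the security tool exists.
if command -v security >/dev/null 2>&1; then
    inventory "${1:-Developer ID Installer}"
fi
```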