Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?
I'm dual-booting my M1 Max Studio with Ventura and Sonoma on external drives, each at times running both Xcode-released and Xcode-beta (on Ventura+beta just for Swift 5.9). After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another. I do, but I'd like to avoid that. I seem to now have 4 developer signing certificates.
Is there any way to avoid this, e.g., somehow selecting the certificate Xcode uses?
I'm suspecting not, and that the keychain access is per-application-certificate but Xcode is using a key common to any Xcode, so I'm essentially hashing all 4 scenarios into one slot, with each collision requiring revoke+recreate.
Documentation pointers welcome. (Search function not working on forums?)
- Xcode enforcing only one certificate per machine?
- revokes one from last boot
- So unable to switch from Ventura to Sonoma
> Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?
The macOS keychain is complicated. See TN3137 On Mac keychain APIs and implementations for the full backstory. In summary:
- The data protection keychain is per user, stored in your home directory.
- The default file-based keychain, the login keychain, is per user, stored in your home directory.
- There is also a system file-based keychain, stored on the system volume.
- If you use another file-based keychain, it’s stored wherever you store it.
> After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another.
I generally avoid this problem by exporting my signing identity from one context and then importing it into the other. If Xcode finds a valid signing identity, it’ll use it regardless of where it came from.
Make sure to export the digital identity, not just the certificate.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
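
One way to script the export and import described in the answer above, using the macOS `security` command-line tool. This is an added example, not part of the original thread or the answerer's own procedure; it assumes the signing identity lives in the login keychain, and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: move a code-signing identity (certificate + private key)
# from one macOS install to another with security(1).
# Assumption: the identity is stored in the user's login keychain.
KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"

# Read `security find-identity -v -p codesigning` output on stdin and print
# the SHA-1 hash of each listed identity, one per line. find-identity lists
# only certificates whose private key is present, so a certificate that was
# imported without its key never appears here.
identity_hashes() {
    sed -nE 's/^ *[0-9]+\) ([0-9A-F]{40}) ".*/\1/p'
}

# Source install: export every identity in the keychain as PKCS#12.
# -P is omitted so the passphrase is prompted for rather than passed in argv;
# umask 077 keeps the resulting file readable by the current user only.
export_identities() {   # $1 = output .p12 path
    ( umask 077 && security export -k "$KEYCHAIN" -t identities -f pkcs12 -o "$1" )
}

# Destination install: import the file, then confirm that the expected
# identity (not just its certificate) is now usable for code signing.
import_identities() {   # $1 = .p12 path, $2 = expected SHA-1 hash
    security import "$1" -k "$KEYCHAIN" -f pkcs12 || return 1
    security find-identity -v -p codesigning "$KEYCHAIN" \
        | identity_hashes | grep -qx "$2"
}

# Constructed sample of find-identity output (not from a real machine).
SAMPLE='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Apple Development: Jane Doe (ABCDE12345)"
     1 valid identities found'

case "${1:-}" in
    list)   security find-identity -v -p codesigning "$KEYCHAIN" | identity_hashes ;;
    export) export_identities "$2" ;;
    import) import_identities "$2" "$3" ;;
esac
```

The `.p12` file contains the private key, so keep it on storage you control and delete it once the import check succeeds.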