Xcode developer certificates and multi-boot

Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?

I'm dual-booting my M1Max studio with Ventura and Sonoma on external drives, each at times running both Xcode-released and Xcode-beta (on Ventura+beta just for Swift 5.9). After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another. I do, but I'd like to avoid that. I seem to now have 4 developer signing certificates.

Is there any way to avoid this, e.g., somehow selecting the certificate Xcode uses?

I'm suspecting not, and that the keychain access is per-application-certificate but Xcode is using a key common to any Xcode, so I'm essentially hashing all 4 scenarios into one slot, with each collision requiring revoke+recreate.

Documentation pointers welcome. (Search function not working on forums?)

  • Xcode enforcing only one certificate per machine?
    • revokes one from last boot
  • So unable to switch from Ventura to Sonoma
Answered by DTS Engineer in 757424022

Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?

The macOS keychain is complicated. See TN3137 On Mac keychain APIs and implementations for the full backstory. In summary:

  • The data protection keychain is per user, stored in your home directory.

  • The default file-based keychain, the login keychain, is per user, stored in your home directory.

  • There is also a system file-based keychain, stored on the system volume.

  • If you use another file-based keychain, it’s stored wherever you store it.

After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another.

I generally avoid this problem by exporting my signing identity from one context and then importing it into the other. If Xcode finds a valid signing identity, it’ll use it regardless of where it came from.

Make sure to export the digital identity, not just the certificate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Many thanks for a quick reply!

Make sure to export the digital identity, not just the certificate

I interpreted that to mean using the Keychain Access app to export "My Certificate" labeled Apple Development {name} ({id}) to a .p12 file, copy the file and import it into Keychain on the destination User/OS, and then validate in Xcode:

Given configurations:

  • source: machine & user
    • with xcode account for the developer id
    • with e.g., Apple Development signing cert in keychain
    • app using that developer id (signing cert)
  • destination: same, without cert

In the source configuration:

  • in the Keychain Access application, login keychain, My Certificates table
  • find Apple Development: {name} (Id) (same as Xcode signing for app)
  • Select and use context menu to export to .p12 file
    • Create password (used just for export and import of that file)

In the destination configuration:

  • Copy exported .p12 file to dest machine
    • e.g., drag via Handoff to machine (but cannot drag directly to keychain)
  • In the Keychain Access app, login keychain, My Certificates table
  • Drag file into table to import (giving same password)
  • In Xcode with associated developer account, select Team and Manage Certificates...
    • You should see the id enabled

Xcode then signed my app successfully.
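The export/import that Quinn recommends and the asker walks through above, scripted with the macOS `security` command line instead of the Keychain Access GUI (an added example, not code from the thread or from Apple; the login keychain path, the identity name and the passwords are assumptions). It also checks that the .p12 really carries a private key, which is what distinguishes a digital identity from a bare certificate.

```shell
#!/bin/sh
# Added example: move an Apple Development signing identity between two
# boots/users with the `security` CLI. Assumes the default login keychain.
set -eu

LOGIN_KEYCHAIN="$HOME/Library/Keychains/login.keychain-db"   # assumption

# Print the SHA-1 hash of the codesigning identity named $2 in the output of
# `security find-identity -v -p codesigning` passed as $1 (empty if absent).
identity_hash_for() {
  printf '%s\n' "$1" | awk -v name="$2" '
    index($0, "\"" name "\"") { print $2; exit }'
}

# Export every signing identity (private key + certificate) from the login
# keychain to a password-protected PKCS#12 file.  "-t identities" is the
# important part: "-t certs" gives the certificate-without-key situation
# that leaves Xcode wanting to revoke and recreate.
export_identities() {   # $1 = output .p12 path, $2 = transfer password
  security export -k "$LOGIN_KEYCHAIN" -t identities -f pkcs12 -P "$2" -o "$1"
}

# Confirm the .p12 carries a private key before copying it to the other boot.
p12_has_private_key() {   # $1 = .p12 path, $2 = transfer password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Import on the destination boot. -T restricts key access to codesign and
# security (rather than -A, which lets any app use the key); the partition
# list step then lets Apple's tools use the key without a UI prompt.
import_identities() {   # $1 = .p12 path, $2 = transfer password, $3 = login password
  security import "$1" -k "$LOGIN_KEYCHAIN" -P "$2" \
    -T /usr/bin/codesign -T /usr/bin/security
  security set-key-partition-list -S apple-tool:,apple: -s -k "$3" "$LOGIN_KEYCHAIN"
}

# After import, verify the identity is visible the same way Xcode finds it.
identity_present() {   # $1 = identity name, e.g. "Apple Development: Jane Doe (TEAMID)"
  out=$(security find-identity -v -p codesigning)
  [ -n "$(identity_hash_for "$out" "$1")" ]
}
```

On the source boot run `export_identities dev.p12 "$PASS"` followed by `p12_has_private_key dev.p12 "$PASS"`; on the destination run `import_identities dev.p12 "$PASS" "$LOGIN_PW"` and then `identity_present "Apple Development: ..."` before opening Xcode.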
