Xcode developer certificates and multi-boot

Question

pde5i OP

Created Jun ’23

Replies 2

Boosts 0

Participants 2

Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?

I'm dual-booting my M1Max studio with Ventura and Sonoma on external drives, each at times running both Xcode-released and Xcode-beta (on Ventura+beta just for swift 5.9). After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another. I do, but I'd like to avoid that. I seem to now have 4 developer signing certificates.

Is there any way to avoid this, e.g., somehow selecting the certificate Xcode uses?

I'm suspecting not, and that the keychain access is per-application-certificate but XCode is using a key common to any Xcode, so I'm essentially hashing all 4 scenarios into one slot, with each collision requiring revoke+recreate.

Documentation pointers welcome. (Search function not working on forums?)

XCode enforcing only one certificate per machine?
- revokes one from last boot
So unable to switch from Ventura to Sonoma

Answered by DTS Engineer in 757424022

Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?

The macOS keychain is complicated. See TN3137 On Mac keychain APIs and implementations for the full backstory. In summary:

The data protection keychain is per user, stored in your home directory.
The default file-based keychain, the login keychain, is per user, stored in your home directory.
There is also a system file-based keychain, stored on the system volume.
If you use another file-based keychain, it’s stored wherever you store it.

After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another.

I generally avoid this problem by exporting my signing identity from one context and then importing it into the other. If Xcode finds a valid signing identity, it’ll use it regardless of where it came from.

Make sure to export the digital identity, not just the certificate.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Jun ’23

Accepted Answer

Is the keychain per-machine or per machine-OS-Xcode combination, for purposes of Xcode developer certificates?

The macOS keychain is complicated. See TN3137 On Mac keychain APIs and implementations for the full backstory. In summary:

The data protection keychain is per user, stored in your home directory.
The default file-based keychain, the login keychain, is per user, stored in your home directory.
There is also a system file-based keychain, stored on the system volume.
If you use another file-based keychain, it’s stored wherever you store it.

After switching, with automatic code signing Xcode complains there's no certificate and wants to revoke it and create another.

I generally avoid this problem by exporting my signing identity from one context and then importing it into the other. If Xcode finds a valid signing identity, it’ll use it regardless of where it came from.

Make sure to export the digital identity, not just the certificate.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0

Answer 2

pde5i OP

Jun ’23

Many thanks for a quick reply!

Make sure to export the digital identity, not just the certificate

I interpreted that to mean using Keychain Access app to export "My Certificate" labeled Apple Development {name} ({id}) to a .p12 file, copy file and import into KeyChain on the destination User/OS, and then validate in Xcode:

Given configurations:

source: machine & user
- with xcode account for the developer id
- with e.g., Apple Development signing cert in keychain
- app using that developer id (signing cert)
destination: same, without cert

In the source configuration:

in Keychain Access application, login keychain, My Certificates table
find Apple Development: {name} (Id) (same as Xcode signing for app)
Select and use context menu to export to .p12 file
- Create password (used just for export and import of that file)

In the destination configuration:

Copy exported .p12 file to dest machine
- e.g., drag via Handoff to machine (but cannot drag directly to keychain)
In App Keychain Access, login keychain, My Certificates table
Drag file into table to import (giving same password)
In Xcode with associated developer account, select Team and Manage Certificates...
- You should see the id enabled

Xcode then signed my app successfully.

0