Certificates, Identifiers & Profiles

RSS for tag

Discuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.

Certificates, Identifiers & Profiles Documentation

Post

Replies

Boosts

Views

Activity

Signing applications with jpackage: Is a distribution certificate sufficient, and, if so, how do I use it?
I've developed a Java application for ad hoc distribution, not intended for the Apple Store. Using the jpackage utility and the parameters... --mac-sign --mac-signing-keychain --mac-signing-key-user-name ...I'm able to point the software to a signing certificate. My problem is that jpackage requires a certificate with a "Developer ID Application" type/prefix, and I'm not authorized to create a certificate of this type, as "This operation can only be performed by the account holder." I thought it might be sufficient to create a "Distribution" certificate, since this allows a developer to "Sign your iOS, iPadOS, macOS, tvOS, watchOS, and visionOS apps for release testing using Ad Hoc distribution or for submission to the App Store." However, there doesn't appear to be any way to get jpackage to accept anything other than a "Developer ID Application" -prefixed certificate. I gather from this, and the fact that the Developer ID Application certificate is described as "This certificate is used to code sign your app for distribution outside of the Mac App Store," that this is the only type of "legitimate" security certificate Apple will accept when launching out-of-store apps. I'm not certain of this, however, and I'd like to be certain before pestering my client about it. My questions are: Is a "Developer ID Application" certificate specifically required, or can I sign the app using, e.g., a "Distribution" certificate without issues? If a "Developer ID Application" certificate is required, is it possible for my client (the "Account Holder") to grant me access to download it and use it? If a "Developer ID Application" certificate is required, what exactly is a "Distribution" certificate good for? Why isn't it sufficient to distribute software? If I can sign the app using a Distribution certificate, is there a way to force jpackage to do this, or do I have to it manually using, e.g., codesign ex post facto? Note that this issue has cropped up before on this thread, but the developer there ultimately found his developer ID certificate and the discussion was abandoned before any answers were forthcoming.
2
1
1.1k
Jan ’24
Code signing on macOS using com.apple.webinspector.allow entitlement
I'm working on a macOS app that uses a JSContext and I want to debug it with the Safari Web Inspector. According to Session 402 at WWDC 2016 the following entitlement is required: <key>com.apple.webinspector.allow</key> <true/> This is easy enough to add, but it causes the app to crash at launch with a code signing issue. The console shows that taskgated-helper is reporting just before the crash: Unsatisfied entitlements: com.apple.webinspector.allow For anyone who finds this, here's what you need to know: https://webkit.org/blog/13936/enabling-the-inspection-of-web-content-in-apps/ Basically, there's now a inspectable property on both the WKWebView and JSContext. Unfortunately, there's no mention of the old entitlement in the WebKit blog post, so it's impossible for folks using the old technique to find. Hopefully this post will bridge this gap. It also might be something for @eskimo to add to his (always helpful) code signing documentation. -ch
1
0
500
Jan ’24
Certificates : Problem with Convert a CER file to a P12 file !!
I have a strange problem and I don't know what's causing it A year ago, I purchased this account and created a certificate and it was working successfully, but its time expired on 1/8/2024, and I want to create a new one in order to update my applications. So I went to create a new certificate of type (iOS Distribution) and it was downloaded successfully, and when I called it in the (Keychain access) program in order to convert it to (.P12) instead of (.cer). But the program refuses to recall it, and I choose the (Local Item) section. thus : But when the file is dragged or double-clicked while I am standing in the (Login) section, the certificate is summoned successfully, and here the real problem begins. It is assumed that in order for me to convert the certificate from (cer) to (p12), there must be an arrow next to the certificate so that the key appears so that it can be pressed. Right-click, then we choose Export, and then we choose (p12). This happens because there is no arrow next to the certificate, and also when I By clicking on the certificate to export it, I am not allowed to choose (p12). How can I convert the file successfully because I want to update my applications, which is very important.
2
0
3.3k
Jan ’24
How backup certificate
Hi, I have upgraded my Mac to Sonoma and for some reason I get lost now when backup up a certificate. As I wasn't able to import my old certificate (exported as p12, but this is another issue) I started from scratch. I have created from KeyChain a new CertificateSigningRequest. Then I've uploaded it to the Apple Developer Portal and created a new certificate, that I have successfully downloaded as cer file. Now, I would like to save the certificate, including the private key. From KeyChain, I don't get a Reveal option to be able to export the private key of my certificate. Was it available in old versions of KeyChain, and now not anymore? Or my certificate doesn't have the private key? (imo this doesn't make sense at all) So I right click on the certificate but I can't export as p12 file, with the private key: Can please anyone refer me to the official documentation about this? (I have searched for it, but unable to find anything)
2
0
669
Jan ’24
Xcode: Generating a profile without a real Apple TV device?
I’m developing this tvOS app, and it builds and runs fine locally in Simulator. However, when I do Product > Archive (so I can upload it to app store later), it fails with error in the screenshot. Looks like Xcode is trying to sign the app with a certificate, but could not find a valid profile to do so. Since I don't have a physical Apple TV device, I'm unable to add an Apple TV to the Devices list on developer.apple.com, thus unable to create a profile. Is the any way around this issue to archive my tvOS app?
2
0
733
Jan ’24
Difficulty debugging a Provisioning problem
I am stuck. I have an iPadOS app that installs and calls a DEXT. I have a provisioning file for the DEXT and another for the app. Xcode shows me that the respective provisioning files match the bundle ids and that the entitlements and provisions match up. I have a developer certificate (two, actually) on the iPad. Xcode shows me, via "Devices" that the provisioning files are installed. When I try to run the app, I get: 0x16d3db000 +[MICodeSigningVerifier _validateSignatureAndCopyInfoForURL:withOptions:error:]: 78: Failed to verify code signature of /var/installd/Library/Caches/com.apple.mobile.installd.staging/temp.vyncZ7/extracted/USBApp.app/SystemExtensions/w1ebr.MUUI.ipadOS.driver.dext : 0xe8008015 (A valid provisioning profile for this executable was not found.) I don't know what to check next.
10
0
1.2k
Jan ’24
Cannot open the app received via TestFlight on macOS
I send a macOS app build to appStoreConnect. The app is displayed inside TestFlight but when I click on it to open it, two modal appear. The first one: the application "AppName" can't be opened. -10673 The second one: "AppName" No longer Available. The beta app, AppName, is no longer available. The provisioning profile is invalid. I followed the following step before uploading the app archive: I made sure to purge my Mac from all the old provisioning profile having all my provisioning profile from my apple developer account valid retrieve provisioning profile Xcode settings > Accounts to export an archive. I choose TestFlight & App Store to send the Archive. I am still no understanding which part of my provisioning profiles are not valid, I would love to have insight about it or a way to fix the issue.
0
0
612
Jan ’24
Xcode Cloud - Problem with the request entity...No signing certificate "iOS Development" found
Hi, Xcode Cloud just started failing with with this error. I can archive builds just fine locally in Xcode. Using Xcode 14.3.1. All my certs on my developer portal are current. 2024-01-02T16:26:44.707563433Z Error Domain=DeveloperAPIServiceErrorDomain Code=5 "There is a problem with the request entity" UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=There is a problem with the request entity, NSLocalizedRecoverySuggestion=You already have a current Development Managed certificate or a pending certificate request.} 2024-01-02T16:26:44.707568258Z 2024-01-02T16:26:44.707575827Z error: exportArchive: No signing certificate "iOS Development" found The post at https://developer.apple.com/forums/thread/734179 is similar but without a resolution. Any help would be appreciated. Thank you.
4
2
1.9k
Jan ’24
Having some difficulties with signing the App with Certificate
Hello, I am rather new at publishing apps for Iphone and I am facing some difficulties. Maybe someone could point me what I am not understanding. I am having some issues handling the usage of the Development Certificate . I have created a CSR, supplied it at apple.developer system to get a development certificate. I downloaded such a certificate and installed it. When I try to use it I get this status saying it is not trusted : The result is this when trying to use it: " /Users/eao/build/dev/aquila_companion.xcodeproj: error: Missing private key for signing certificate. Failed to locate the private key matching certificate "Apple Development: Tiago DAagostini (GDH9UYDL8A)" in the keychain. To sign with this signing certificate, install its private key in your keychain. If you don't have the private key, select a different signing certificate for CODE_SIGN_IDENTITY in the build settings editor. (in target 'appaquila_companion' from project 'aquila_companion') " What am I missing? Where this p12 key should be? And is that related to that image where the Certificate is deemed not trusted?
1
0
667
Dec ’23
Encountering Difficulty Importing Developer ID Application Certificate into iCloud Keychain
Hello fellow developers, I've come across a bit of a challenge and would appreciate some insights. I successfully backed up my Developer ID Application certificate as a .p12 file and smoothly imported it into my login keychain. However, when attempting to import it into my iCloud keychain for an added layer of backup security, I encountered two error messages: "One object could not be imported." "The selected keychain could not be found." Any thoughts or suggestions on resolving this hiccup would be greatly appreciated! Thanks in advance for your expertise!
1
0
687
Dec ’23
TestFlight app became invalid when testers upgraded to OS 14.2
We've got 3 MacOS apps on TestFlight that all suddenly became unusable to our testers who upgraded the OS to 14.2. The error message says: "The application can't be opened. -10673" But also there was another window that opened up stating "The beta app, , is no longer available. The provisioning profile is invalid" The provisioning profile doesn't specify OS versions - it's signed with distribution and installation certificates for AppStore. These apps have been used that's been successfully provisioned, uploaded, downloaded and tested by various testers prior to now. Each app has an explicit Apple ID and provisioning profile - all still valid. What would cause this? How can I fix this?
1
1
647
Dec ’23
0 valid identities found setting up signing certificates
I'm trying to setup a new build machine and I can't seem to get the signing certificates detected by the security tool with "0 valid identities found" My id is linked to a team but my role is "app manager". In my console I can see the certificates but cant download the developerID installer cert. In Xcode no ceritifcates show up for that team ID in the list. The certs were generated by the developer console. I had to get the client to insecurely send me the certs because of this restriction. I imported them into the keychain but the tool still won't show anything. Is this another problem not having the correct root certificate installed ? I had all this setup in a VMWAre which was working before I lost all data due to a crash so setting it up fresh on a mac mini. I should be able to have just synced the certs through xcode and start signing installers. I researched hundreds of pages and no answer for my problem.
1
0
1.1k
Dec ’23
Verify Developer Certificate
Hi there :) We are trying to install our application from Xcode to an iPhone 14 Pro. After building the app, we need to go to General -> VPN & Device Management to trust the certificate. Unfortunately, the certificate is not showing on the iPhone, and we can not install the app. Does anyone know how we can solve this problem? Thank you very much in advance for your help!
9
0
3.6k
Dec ’23
Verify that the Developer App certificate is verified on your device
Hi there :) We are trying to install our application from Xcode to an iPhone 14 Pro. After building the app, we must go to General -> VPN & Device Management to trust the certificate. Unfortunately, the certificate is not showing on the iPhone, and we can not install the app. Does anyone know how we can solve this problem? Thank you very much in advance for your help!
1
1
590
Dec ’23
Certificate Trust Settings - IOS requirements on CA-certificates?
Dear Users, I'm unable to mark an imported internal CA-certificate as trusted in latest IOS. The certificate does not show up in Certificate Trust Settings, however i was generally able to import and enable it. Where can i find technical specifications on what IOS requires? All i found was this article for IOS 13[1] however my root-certificate fulfills all requirements. I attach[2] the root-certificate for testing purpose to this post, so it can be tested & analyzed. Thank you. [1] https://support.apple.com/en-in/103769 [2] http://plzk.de/ROOT_CA.crt
2
0
431
Dec ’23
Profil provisionning impossible to Install
Here are the actions I performed on my developer account: 1 - I created an IOS Development certificate. 2 - I registered my device: IPhone 10 IOS 16.7.2 3 - I created an identifier for my application4 - I cannot generate a correct provisioning profile to debug my application on my iPhone:Review Provisioning Profile Name: ProfileProvisionIPhone10 Status: Active Platform: iOS Expires: 2024/12/09 Type: Development Created By: Michel Poulet Enabled Capabilities: In-App Purchase App ID: AppIdGenTurfEvo (com.companyname.GenTurfEvo) Certificates: 1 total Devices: 1 totalWhen I import my provisioning profile to my iPhone with Xcode, I get the following error: Failed to install one or more provisioning profiles on the device. Please ensure the provisioning profile is configured for this device. If not, please try to generate a new profile. Do you have an idea of ​​the problem ? Thank you in advance for your help.
5
0
803
Dec ’23
Codesigning/Testflight differences for macOS distributed apps for macOS 12 and 13/14
We have run into a very unique situation with codesigning and testing the apps under TestFlight under macOS 12 and macOS 13/14. We have existing apps on the macApp store and we are trying to basically update them. When we run the newly updated versions via Testflight under macOS 12, everything is working. However, the same apps under macOS 13/14 and Testflight crashes and we have narrowed it to a codesigned dylib issue of ours. We are getting a invalid code signature message when we try to load a dylib under macOS 13/14 and the app crashes as we cant get the dylib code pointer. Basically CFBundleGetFunctionPointerForName returns an invalid value. Just to explain we build our dylibs/bundles and codesign them outside - as these are built at the command line level and finally we package these within our apps under XCODE and go through the whole app building/archiving, code signing, validation and uploading that to the appstore. The crash log shows - Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 501 Date/Time: 2023-11-28 23:31:11.9903 +0900 OS Version: macOS 13.6 (22G120) Report Version: 12 Anonymous UUID: Time Awake Since Boot: 370000 seconds System Integrity Protection: enabled Crashed Thread: 7 Exception Type: EXC_BAD_ACCESS (SIGSEGV) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000 Exception Codes: 0x0000000000000001, 0x0000000000000000 Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11 Terminating Process: exc handler [91418] VM Region Info: 0 is not in any region. Bytes before following region: 4368842752 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> __TEXT 104674000-1047f0000 [ 1520K] r-x/r-x SM=COW ...essional 2017 Thread 0:: Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x195a83de4 _kernelrpc_mach_port_deallocate_trap + 8 1 libsystem_kernel.dylib 0x195a85270 mach_port_deallocate + 28 2 QuartzCore 0x19d0cc458 CA::Context::destroy() + 512 3 QuartzCore 0x19d22135c invocation function for block in CA::Context::commit_transaction(CA::Transaction*, double, double*) + 100 We have double checked/triple checked the certificates and profiles and everything is valid. What is strange is that it works under macOS 12 and Testflight but not under macOS 13/14. For both Intel/Arm. Any ideas anyone?
1
0
510
Nov ’23
CSSMERR_TP_NOT_TRUSTED for Developer ID certificate
Hey everybody, We're trying to migrate from one CI to another and we've met a problem. Our setup is mostly Fastlane+match so there are little build changes in terms of CI, but the same certificate we used on prev CI doesn't work on the new one (we have both CIs now and the same commit passes on the old one and fails on the new one). Two steps from the match with installing certs: Output of security find-identity These are virtual machines.
1
0
1.2k
Nov ’23