Certificates, Identifiers & Profiles

RSS for tag

Discuss the technical details of security certificates, identifiers, and profiles used by the OS to ensure validity of apps and services on device.

Certificates, Identifiers & Profiles Documentation

Post

Replies

Boosts

Views

Activity

"How to" for dext distribution
I have a DriverKit system extension (dext) that uses PCIDriverKit. I would like to get the build environment straightened out to successfully distribute the dext and associated software to end users. There are three types of software involved: The Dext-hosting application - this is the application that must be installed to /Applications/, and will perform the registration of the dext. The dext is deployed "within" this application, and can be found in the /Contents/Library/SystemExtensions folder of the app bundle. The dext itself - this is the actual binary system extension, which will be registered by its owning application, and will operate in its own application space independent of the hosting application. Additional applications that communicate with the dext - these are applications which will connect to the dext through user clients, but these applications do not contain the dext themselves. There are multiple locations where settings need to be exactly correct for each type of software to be signed, provisioned, and notarized properly in order to be distributed to users: developer.apple.com - where "identifiers" and "provisioning profiles" are managed. Note that there are differences in access between "Team Agent", "Admin", and "Developer" at this site. Xcode project's Target "Signing & Capabilities" tab - this is where "automatically manage signing" can be selected, as well as team selection, provisioning profile selection, and capabilities can be modified. Xcode project's Target "Build Settings" tab - this is where code signing identity, code signing development team, code signing entitlements file selection, Info.plist options and file selection, and provisioning profile selection. Xcode's Organizer window, which is where you manage archives and select for distribution. In this case, I am interested in "Developer ID" Direct Distribution - I want the software signed with our company's credentials (Team Developer ID) so that users know they can trust the software. Choosing "automatically manage signing" does not work for deployment. The debug versions of software include DriverKit (development) capability (under App ID configuration at developer.apple.com), and this apparently must not be present in distributable provisioning. I believe this means that different provisioning needs to occur between debug and release builds? I have tried many iterations of selections at all the locations, for all three types of binaries, and rather than post everything that does not work, I am asking, "what is supposed to work?"
18
0
496
4w
Xcode not creating distributable archive
Hi all, I'm using xcode 13.2.1. I go to Product>Archive. The app builds and creates an archive, but there's no data for "version, identifier, type, team, architecture, etc." It's just creating a "generic xcode archive." When I go to "distribute content" it doesn't give the typical distribution methods like "App store Connect, Adhoc, Enterprise, or Development." What am I doing wrong? Thank you, Thomas
5
1
2.2k
Dec ’21
Distribution Certificate created without private key
I'm trying to renew our Distribution Certificate, but when I request a certificate from a certificate authority as described and create the certificate via developer.apple.com and install it, it is installed without a private key, so I can't export it to .p12. What am I doing wrong? Last year this went without any problems. Please help me out, because I have to renew the certificate before 12-12-2024.
1
0
91
4d
Keychain issues after installing backup on new Mac
After using backup to setup my new Mac Mini my xCode App projects run ok in the Simulator but fail to Archive or Analyze with the error: "The specified item could not be found in the keychain." The item is a provisioning profile. I was able to Run, Archive and Validate these projects on my old Mac Mini just before the final backup. Are there known problems in backup of provisioning profiles or keychains? I have tried creating new profiles etc without success for several days. I'm not an expert developer so I'm hoping there is a simple solution. Please suggest the best way to resolve and/or clarify this problem.
2
0
312
1w
Code Signing from a Makefile on macOS 15
Hello, my team is trying to fix a code signing issue with our app. Our production build works, but our debug build broke after upgrading to macOS 15. This is because our app contains an app extension that can no longer access our app group container after the upgrade to macOS 15. It looks like this is due to ~/Library/Group Containers being protected by SIP now. We were not code signing our debug app, and now security is stricter. Because of historical reasons, we need to use a Makefile to build our app instead of just using Xcode. We are trying to determine the best way to sign our debug app. It looks like our app extension is able to access our app group container if we sign the app with a developer certificate. However, we are wondering if the developer certificate is required. We see that Xcode can sign debug builds with the “-” code signing identity. We tried doing this from our Makefile in the same way we sign with the developer certificate, but it doesn’t work. Is this expected behavior?
1
0
168
1w
On Mac cannot open the application
Hello I build an application in Xcode for MacOS. But the exported app I cannot open on different Mac systems. I get the message 'The application X can't be opened'. I can only run the application on the Mac where Xcode is installed. I used different signing certificates: Apple Distribution, Developer ID application (this should be the one), Mac App Distribution. I archive the application, then use Direct Distribution, then after complished the notary service, I export the app.
1
0
116
1w
codesign use of Cloud-managed Developer ID
My non-cloud Developer ID certificate will expire soon, and my account also has a cloud-managed Developer ID Certificate. My Mac application build workflow uses Archiving, so the cloud cert should be fine for that. But my workflow also signs bundled apps, such as Sparkle framwork's Autodupate app, using the codesign tool. Is it correct that codesign only uses certificates from the local Keychain, and so cannot use a Cloud-managed Developer ID certificate? Before I manually renew the non-cloud Developer ID certificate, I want to make sure I'm not missing some easier method. Thanks.
1
0
132
1w
My new provisioning profiles are broken
I've updated Xcode to 16.1, then I've created a new provisioning profile in developer.apple.com, successfully built and signed my application. It was on monday, 2024-11-04. Two or three days later I was asked to add more devices and I had to create a new profile. I've noticed a new feature to control profile's name (yeah, cool!), had to accept new agreements. Then, have created a new profile, downloaded it, but could not add it with double-click to Xcode or import to Keychain Access - "Failed to install one or more provisioning profiles on the device". And whatever I tried, I couldn't register any new profiles since. Therefore, my app cannot be signed and tested anymore. This is quite weird as nothing has changed on the system throughout the week. Is this a known issue or is there any fix for that?
3
0
305
2w
errSecInternalComponent when trying to codesign an app through SSH
Hi, I'm trying to ssh into another machine, copy an app into that machine and codesign it using my "Dev ID Application" certificate, then copy it back to my original machine. I'm getting the "errSecInternalComponent" error when running codesign. This is the bash script I'm running: ssh ${REMOTE_SERVER} "security -v unlock-keychain -p <REDACTED> /Users/<REDACTED>/Library/keychains/login.keychain-db" ssh ${REMOTE_SERVER} "codesign -vvv --deep --force --verify --verbose --timestamp --options runtime --sign \"Developer ID Application: <REDACTED>\" \"/tmp/$BUILD_ID/ui-app/<APP_NAME>.app\"" ssh ${REMOTE_SERVER} "codesign -dv --verbose=4 /tmp/$BUILD_ID/ui-app/<APP_NAME>.app" I've tried to follow all the available info found online, managed to sign it successfully through the machine's UI, set the ACL of the private key to ALLOW ALL, restarted the keychain service, tried with the system keychain, approved all pop ups through the UI. Still with no luck through the SSH session. Any help would be greatly appreciated. Thanks!
2
0
169
1w
Couldn't download provisioning profiles
Hi! I'm having troubles to sign my Xamarin Forms application, im getting the following error "Error : Could not find any available provisioning profiles for MyProject.iOS on iOS.". I've recently cleaned my Provisioning profiles folder ~/Library/MobileDevice/Provisioning Profiles since it wasn't being updated with my latest provisioning profile for my app. But now my provisioning profiles are not being downloaded, I'm not getting any other error on downloading profiles. I've tried from Xcode -> Settings -> Account -> Download manual profiles. Tried too open the profile downloaded from the Apple Developer Portal, also tried copy manually the provisioning profile downloaded to the previous mentioned path, none of those works. The user that im logged in on Xcode is the admin/owner so is not a permissions issue. IDK what can be wrong or what can I try. So I'm going to be grateful for your help :(
3
0
272
2w
Failed Registering Bundle Identifier of watch app
Hi, after 2 years of not updating my app on appstore i wanted to submit an update for my iOS app which also containts a watch app target. When i try to submit it to upload it i get the following errors: Failed registering bundle identifier The app identifier "(myappBundleID).watchkitapp" cannot be registered to your development team because it is nit available. Change your bundle identifier to a unique string to try again. No Profiles for "(myappBundleID).watchkitapp" were found. Xcode culdn't find any iOS App Store provisining profiles matching "(myappBundleID).watchkitapp" Since i have my app already in store with that bundle identifier i don't know why it can not be registered to my team. Also i don't want to change the bundle identifier because then i can not publish it as update to store.
10
0
374
3w
Team ID suddenly changed
I developed it as Unity. Originally, I updated Unity to the latest version to fix the problem of not being able to log in to Apple. That's when I found out my team ID had changed. The current Apple membership team ID is HBEMGSUAQ3, When I check "Automatically manage sing" in Xcode Selected with the team ID "ESB392LR64". Where did this team come from all of a sudden? I've only used "HVEMGSUAQ3" for a very long time. The change in ID was a test build while developing another project yesterday, but it changed then. If I manually select the provisioning profile of my project "Failed to install embedded profile for : 0xe800801f (Attempted to install a Beta profile without the proper entitlement.)" This error appears and the test installation is not possible.. So I created a new certificate, identifier, and profile. However, it continues to be created with the ID of "ESB392LR64". Keychain registration is also naturally registered with "ESB392LR64" status. Again, my team ID is "HVEMGSUAQ3" and there is no way to check "ESB392LR64" on my dev page... This situation suddenly appeared when my certificates were updated with the ID of "ESB392LR64" on June 12, and What I suspect is that I updated my MacBook to the latest version of OS on the day of the issue. Please let me know what's going on. I'm hoping it's not a big deal....
10
0
731
Jun ’24
Does the Team ID on Apple Developer Portal need to match the one on Keychain?
Hello, I was trying to solve the error "Command CodeSign failed with a nonzero exit code" that occurs when I try to archive and publish my app. I realized the Team IDs on the Portal (To right corner next to my name eg "Pete Park - ABC1D2E334") and my Mac Keychain Acces (eg "Pete Park - XYZ9W8V776") do not match. The number on KeyChain Access, is that's a Team ID. (clueless self learner here) If yes, do they need to match? Any suggestion for the CodeSign error? Is "errSecInternalComponent" the error? Sorry if these questions are obvious or stupid. Thanks so much for any advice.
1
0
228
3w
TestFlight Removes my Embedded Provisioning File
Dear Support, I am trying to verify the installation of my macOS app via Test Flight. I have verified through code sign that it is properly signed and has all of the the required entitlements, including sandbox. The package uploaded successfully via Transporter, and the app installs with Test Flight. However, the app will not run. After numerous attempts, I discovered that the embedded.provisionprofile is missing from the Contents of the app bundle in the version that installs via Test Flight. If I install directly from the same PKG I uploaded to Transporter (that TestFlight is using for the build) I can verify that the embedded.provisionprofile is present. Why does uploading the PKG and installing through Test Flight result in the removal of the embedded provisioning file? Is this expected and/or could be another reason why my app is refusing to run? Much appreciated, ~Ross
2
0
216
3w
A Couple of Questions Regarding Certificates and Siging
Hello All, I am trying to do my research, but wanted to ask for confirmation and clarification on a couple of points. We are currently developing and app for a client, we would like to distribute the ipa to them via our own site, rather than running through the app store upload. It's not going to be a public facing app. We used to have access to the Enterprise side of things, but this was removed when Apple added the minmum employees restriction. I'm assuming that we would need to use the Developer ID Application certificate? But I was also wondering if more than one person can have this certificate on their machines to create builds? I appreciate that these may be obvious to some, but I'm fairly new to signing apps etc. Thanks for your help.
6
0
269
3w