Re: Trouble with code signing and app store submission
- Subject: Re: Trouble with code signing and app store submission
- From: Quincey Morris <email@hidden>
- Date: Fri, 30 Mar 2012 00:28:23 -0700
On Mar 29, 2012, at 23:41, Martin Hewitson wrote:
> According to Keychain Access, all my certificates have a private key. At least I can expand the certificate and see the private key. Do I need to do something to tell Xcode about these? I followed the usual steps of installing certificates, and as I said, this computer was able to submit app updates, the last time using Xcode 4.2. So something seems to have broken during a recent Xcode update.
I don't think anything got broken, but it seems that codesign (or perhaps a different tool, but this detail is perhaps not important) started being stricter in 4.3 about detecting problems in your keychain. Unfortunately, it seems that Keychain Access can mask the problems, which makes finding and fixing them difficult.
In my case -- which is not your case -- codesign kept telling me that I had multiple signing identities, when Keychain Access was clearly showing that I didn't. It eventually turned out that my Login keychain had the proper certificates (Mac development and installation) and the private keys, but my System keychain *also* had the private keys, though no certificates. Keychain did not reflect this (invalid) configuration correctly, which meant I couldn't see or fix the problem until I lucked into the answer.
Here's what I suggest you try:
1. Use Keychain Access to export your Mac development and installation private keys (2 keys). You want to do this anyway, because if you ever lose your keychain, there's no way to re-create the same private keys. The keychain export function should produce a '.p12' file which contains both keys.
2. Delete the Mac development and installation keys and certificates from your Login keychain (2 keys, 2 certificates).
3. Examine your Login and System (and any other) keychains carefully for any private key or certificate remnants. (In my case, the spurious System private keys didn't show up until step 3.) You might also want to run Terminal and try examining the keychains using codesign directly -- there's a command for displaying identities. (That's how I eventually found out what was wrong.)
4. When you've eliminated any secondary traces of the original Mac development and installation identities, re-import your private keys from the '.p12' file, which IIRC also re-imports the corresponding certificates. With a bit of good luck, you should now be able to codesign again.
Of course, there's a certain amount of risk to this, because you're deleting things and more-or-less hoping you can put back what you need.
Worst case (as far as these 2 identities are concerned), you can go to the developer site and revoke your certificate, and create new ones along with new private keys. However, if your keychain is still subtly messed up in some way, this might not resolve your original problem.
In the extreme (as far as the keychain is concerned), you might consider deleting and re-creating the entire Login keychain, but that brings the inconvenience of having to re-authorize all the other things you were keeping in there.
Disclaimer: I'm no expert on this subject, just a codesign victim who got lucky finding the way out. As usual, if I've got things wrong, smarter people will likely jump in and correct me.
_______________________________________________
Cocoa-dev mailing list (email@hidden)
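The identity check from step 3 of the message above can be scripted. This is an added example, not part of the original message: it assumes the macOS `security find-identity` command (the message does not name the command it used) and flags any signing identity name that is listed more than once. The sample output, names and SHA-1 values are constructed.

```shell
#!/bin/sh
# Added example: flag code-signing identity names that are listed more than
# once, the condition behind "multiple signing identities" complaints.

# Constructed sample of `security find-identity -v -p codesigning` output.
# Names and SHA-1 values are made up for this example.
sample_output() {
cat <<'EOF'
  1) 1111111111111111111111111111111111111111 "3rd Party Mac Developer Application: Example Dev"
  2) 2222222222222222222222222222222222222222 "3rd Party Mac Developer Installer: Example Dev"
  3) 3333333333333333333333333333333333333333 "3rd Party Mac Developer Application: Example Dev"
     3 valid identities found
EOF
}

# Read find-identity output on stdin and print one line per duplicated name:
#   count<TAB>name<TAB>comma-separated SHA-1 values
duplicate_identities() {
  awk '
    # Identity lines look like:   N) <40 hex digits> "Common Name"
    /^ *[0-9]+\) [0-9A-Fa-f]+ "/ && length($2) == 40 {
      name = $0
      sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
      sub(/"[^"]*$/, "", name)   # drop the closing quote and any trailing text
      count[name]++
      hashes[name] = (count[name] > 1 ? hashes[name] "," : "") $2
    }
    END {
      for (n in count)
        if (count[n] > 1)
          printf "%d\t%s\t%s\n", count[n], n, hashes[n]
    }
  '
}

# On a Mac, pass --scan to check the real keychain search list instead of
# the constructed sample. Keychain paths may be appended to find-identity
# to inspect one keychain at a time.
if [ "${1:-}" = "--scan" ]; then
  security find-identity -v -p codesigning | duplicate_identities
fi
```

Any line this prints names an identity that the signing tools can resolve in more than one way; the listed SHA-1 values show which certificates are involved.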