Re: Codesigning pain, god it hurts!
- Subject: Re: Codesigning pain, god it hurts!
- From: Quincey Morris <email@hidden>
- Date: Tue, 17 May 2016 20:29:55 -0700
On May 17, 2016, at 20:01, Graham Cox <email@hidden> wrote:
>
> I have an apparently intractable problem with codesigning a Mac app. I don’t really understand the process very well, so when it fails to work I have no idea what the problem is, let alone how to fix it.
It doesn’t sound like a code signing problem. It sounds like an identity problem.
> Your account already has a valid Developer ID Application certificate. You have a valid Developer ID Application certificate in the Member Center, but it is not installed locally. If your signing identity is installed on another Mac, you can export a developer profile on that Mac and import it on this Mac. You can also reset your current certificate.”
My guess is that your keychain no longer has the private keys needed to sign an app with the Developer ID certificate, which is apparently OK in itself. Private keys are nowhere but in your keychain, for security reasons.
> So anyway, I go to the Member Center, and I can see a Developer ID application certificate, but the button to download it is greyed out, unlike all the other certificates.
It’s greyed out for me too. I have no idea why that should be so, but I would assume this isn’t part of your current problem.
> If I look in my Keychain, I can see the certificate is there anyway, so I don’t understand why a) it complains it’s not installed locally, when it quite plainly is, and b) why I can’t download it in the Member Center which it appears to require.
I believe it’s really complaining that it’s unusable, not uninstalled.
> I’ve tried deleting all the certificates from Keychain, and also in Xcode, and it refetches them all again.
Jeez, don’t do that. You likely deleted the private keys along with the certificates. Refetching the certificates puts them back again, but not the private keys.
> Other than that I can’t see how to “start over”.
If you’ve deleted the private keys, you’re going to have to retrieve an older backup of the keychain file, open that in Keychain Utility, and export them as a .p12 file you can re-import into your current keychain.
> I’m reluctant to start revoking certificates in the member center, in case that has the effect of denying our users from launching our app, which was otherwise signed with these certificates when it was working.
You can’t revoke a developer ID certificate, because (in theory) there are users out there with apps that depend on the current one in order to run. You can create a new one if you need to (for example, if you cannot recover lost private keys), but keep in mind that you can only create 5 developer ID certificates total at one time, so you don’t want to create them indiscriminately. To delete them, you’ll have to wait 5 years for them to expire, or ask Apple, but Apple will only delete them for you if you can convince them it’s a security matter.
> Beyond this, I simply don’t understand the whole codesigning quagmire (other than its general principles). Between Xcode, the Keychain, the Member Center and even System Preferences, it seems to be a remarkably Byzantine and opaque process.
Yes, it’s awful. My suggestion:
— Use Keychain Utility to examine the current developer ID certificate.
— Check that the correct one (the one with “Developer ID Application” and the name/number of your developer program identity) is there.
— Click the disclosure triangle to show the related keys, and make sure there’s an entry of “Kind” private key listed.
— If not, you need to retrieve your private keys from some kind of backup, or create a new certificate.
— If it’s there, go to your project’s General tab in Xcode, and set the code signing to none, then set it back to “Developer ID” and choose your developer identity. If Xcode says there’s something wrong, tell it to try to fix the problem.
— Then hope like hell it can.
FWIW, I once ran into a problem where my private keys were in the keychain, but Xcode couldn’t see them because the public keys were in there twice, once connected to the private keys and once not. I think I had to use the codesign utility to dump the entire keychain (because a filtered listing didn’t show the duplicates), and then to delete the duplicate public key entry. I don’t know if this can still happen, but you may have to delve deep into your keychain to see what’s really going on.
P.S. Whenever you create any kind of certificate, via the certificate signing request process, always go to your keychain immediately after and export those private keys as a .p12 file, and keep this in a safe place. Also, export developer profiles from Xcode on a regular basis (I admit I don’t, but I should), on the more-forms-of-backup-are-better principle.
Cocoa-dev mailing list (email@hidden)
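Added example, not part of the original thread: the check Quincey walks through in the Keychain Access GUI (is there a Developer ID Application certificate, and is a private key paired with it?) done from the command line with the macOS `security` tool, plus the .p12 backup his P.S. recommends. `security find-identity` only lists identities, meaning a certificate that has a matching private key in the keychain, while `security find-certificate` lists certificates whether or not a key is present; comparing the two separates "not installed" from "installed but unusable", which is exactly the distinction the Xcode message blurs. The function names, the `diagnose` result strings, the backup file name and the sample listings embedded for offline testing are this example's own constructions; the `security` subcommands and flags are real.

```shell
#!/bin/sh
# Added example (not from the original post). Parsing helpers are pure text
# processing so they run anywhere; the functions that call `security` need macOS.

# Hashes of "Developer ID Application" identities (certificate + private key)
# from `security find-identity -v -p codesigning` output, one SHA-1 per line.
# Lines look like:  1) <SHA-1> "Developer ID Application: Name (TEAMID)"
devid_identities() {
    printf '%s\n' "$1" | awk '/"Developer ID Application:/ { print $2 }' | sort -u
}

# Hashes of "Developer ID Application" certificates, with or without a private
# key, from `security find-certificate -a -c "Developer ID Application" -Z`.
# Each certificate record starts with a line:  SHA-1 hash: <SHA-1>
devid_certificates() {
    printf '%s\n' "$1" | awk '/^SHA-1 hash: / { print $3 }' | sort -u
}

# Classify the keychain state from the two listings. Result strings are this
# example's own:
#   ok             - a usable identity exists; codesign/Xcode can sign with it
#   no-private-key - certificate present but no private key paired with it
#                    (the situation described in the reply above)
#   no-certificate - nothing matching at all
diagnose() {
    certs=$(devid_certificates "$1" | wc -l | tr -d ' ')
    ids=$(devid_identities "$2" | wc -l | tr -d ' ')
    if [ "$ids" -gt 0 ]; then
        echo ok
    elif [ "$certs" -gt 0 ]; then
        echo no-private-key
    else
        echo no-certificate
    fi
}

# Run the diagnosis against the real keychain search list (macOS only).
check_keychain() {
    certs=$(security find-certificate -a -c "Developer ID Application" -Z 2>/dev/null)
    ids=$(security find-identity -v -p codesigning 2>/dev/null)
    diagnose "$certs" "$ids"
}

# The backup the P.S. recommends: export every identity (certificate plus
# private key) from the default keychain as a passphrase-protected PKCS#12
# bundle. $1 = output file, $2 = passphrase. Keep the file somewhere safe and
# off the machine; re-import later with `security import file.p12 -P pass`.
backup_identities() {
    security export -t identities -f pkcs12 -o "$1" -P "$2"
}

# Constructed sample listings (hash and team values are made up) so the
# parsing logic can be exercised without a Mac.
SAMPLE_CERTS='SHA-1 hash: 0123456789ABCDEF0123456789ABCDEF01234567
keychain: "/Users/dev/Library/Keychains/login.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="Developer ID Application: Example Corp (ABCDE12345)"'

SAMPLE_IDS_OK='  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
     1 valid identities found'

SAMPLE_IDS_NONE='     0 valid identities found'

if command -v security >/dev/null 2>&1; then
    check_keychain
fi
```

If `check_keychain` prints `no-private-key`, re-downloading the certificate from the Member Center will never help: the key was only ever in the keychain, so restore it from a keychain backup or a previously exported .p12 (or, failing that, create a new Developer ID certificate with a fresh CSR). For the duplicate-public-key situation mentioned in the reply, `security dump-keychain` lists every item in a keychain, which is the unfiltered view needed to spot a stray unpaired key.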