Re: When distribution profiles expire and the employee who created them has left.
Re: When distribution profiles expire and the employee who created them has left.
- Subject: Re: When distribution profiles expire and the employee who created them has left.
- From: Matt Neuburg <email@hidden>
- Date: Fri, 16 Nov 2012 13:35:53 -0800
I've no Enterprise experience, but I am on a team where I'm the sole developer but not the agent, and in general my experience is that the agent must do all work related to distribution certificates. What I usually do is get on iChat with screen sharing and guide the agent through creating the certificate on the Portal, downloading it, and sending it to me. If I remember correctly, the agent must also export and send me his identity certificates from his keychain.
This isn't exactly relevant, but in general I have found the moment of profile expiration to be a nightmare every time it has happened to me. Not coincidentally, it just happened to me today - and it was a nightmare:
* Xcode doesn't clarify *what* precisely it is that's expiring. The key problem seems to be not the provisioning profiles for distribution or development, but my identity itself.
* Despite claims to the contrary, I found no automated way to get a new identity. I can see my identities in Xcode but I can't select or manipulate them in any way. So I had to do the whole certificate-request thing, starting in my keychain, exporting the request, finding that file while talking to the Portal, and downloading the resulting certificate.
* Even when you've got a new identity certificate your troubles are not over, because the old one is still in your keychain - and Xcode will complain, if you try to develop / distribute an app, that "There Can Be Only One."
* You might think you could solve the preceding problem by deleting the expiring identity certificate from your keychain. But there's a problem with that: Xcode will put it back again! I don't know how Xcode knows about the expiring identity certificate, but every time I launch Xcode it somehow recreates the expiring certificate and puts into the keychain. So even though Xcode says There Can Be Only One, Xcode itself creates a second one, so that there is no longer Only One.
* In order to try to solve the preceding, I deleted *all* my profiles from Xcode. However, Xcode then bolluxed me by downloading them all from the Portal again.
* So, in the end I had to delete *all* my expiring profiles from the Portal, and *then* delete *all* my expiring profiles from Xcode, and *then* delete all expiring identities from the Keychain.
* After that, it was pretty much smooth sailing, except that I could no longer run my apps on a device, because I no longer had a Team Profile. If you go to the Portal, it tells you that the Team Profile is managed by Xcode. If you go to Xcode, there's no command for asking for a Team Profile. In the end I solved that by selecting a device and choosing "Add Device to Provisioning Portal" - even though I had already added it just a couple of days before, and even though that's not what I really wanted to do. It did work, though: it caused a team development profile to be returned to Xcode, and after that, things really *were* smooth sailing.
m.
On Thu, 15 Nov 2012 12:58:36 -0500, Alex Zavatone <email@hidden> said:
>Just trying to make sure I am reading in to this situation correctly.
>
>The enterprise distribution profile that is expiring for our app was created by an employee who is no longer on the team. I've created and installed Enterprise distribution profiles in the past with success, but am unable to issue an certificate signing request for this certificate, with Apple's page reporting that my CSR is simply "Invalid Certificate" when I follow the messages in the URL below:
>
>Your current distribution certificate is about to expire. Please request a new one. ( Request Certificate )
>
>https://developer.apple.com/ios/manage/certificates/team/createDistribute.action
>
>Now, I am a member of two dev teams, so I select the team in my Keychain (which the instructions should tell you to do), then request a certificate against the desired login keychain for the Enterprise account, save it to the desktop, in web page choose the file from the desktop, click submit and again, the web page displays "Invalid Certificate" with no other information that might help resolve this.
>
>When I evaluate my certificate for code signing in the keychain, its status is "Good" but with no root cert found.
>
>Does anyone here know if the problem that there is no root cert, or that I am not the person who created the original distribution profile? My Apple WDRC is installed.
>
>Do I need to be the team Agent to do this? If I need to be, why does the text not state, "Your current distribution certificate is about to expire. Please have the Team Agent request a new one. "
>
>If that is the case, it would be REALLY nice if a proper error message was displayed to indicate what the error is and who needs to create the certificate.
--
matt neuburg, phd = email@hidden, <http://www.apeth.net/matt/>
A fool + a tool + an autorelease pool = cool!
Programming iOS 5! http://shop.oreilly.com/product/0636920023562.do
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden