Re: Code signing and provisioning hell
- Subject: Re: Code signing and provisioning hell
- From: "Clark S. Cox III" <email@hidden>
- Date: Wed, 27 Jan 2016 11:23:59 -0800
Advise anyone on your team:
- If you refresh/create a distribution certificate, e-mail the private key to you.
- Install that private key in your keychain and you're all set.
> On Jan 27, 2016, at 11:01, Alex Zavatone <email@hidden> wrote:
>
> Wall of text explaining a distro cert issue that will commonly happen about every 10 months or so in teams that have more than one person who can distribute apps. (iOS)
>
> A summary for what happened was that a month ago, another person on our iOS team who is allowed to create distributables for their product found out that the Distribution certificate used in their distro profile was expired.
>
> This person is on the other side of the planet.
>
> They refreshed the cert on the dev portal and updated their app's provisioning profile.
>
> Then when creating the app distributable through Xcode they found out that they suddenly lost all code signing privs and their "cert was no longer found" on their machine, but that "your account has a valid distribution profile".
>
> They ended up clicking the Refresh button when exporting their archive as ad-hoc and provisioning from the Archive: Export window.
>
>
> Fast forward a month. My app needed the push entitlement added to it, so I added that and noticed that the distro cert used was expired, so I had the option of using the one that expired next week or using the one that expires in December.
>
> I used the one that expired in December.
>
> I did not create that cert. It is the one that was created by that other person on the other side of this planet. The cert doesn't tell us who created it.
>
> Naturally, I do not have the other person's private key installed on my Mac.
>
> I download and install the new Ad-Hoc profile, but Xcode wants to use an older one so, I delete all the profiles in the folder and then refresh and download all certs from the account window.
>
> I then try to export the archive with the new provisioning profile.
>
> Suddenly, I no longer have the ability to code sign my app, because "Your account has a valid distribution profile, but it is not installed."
>
> Whaaaaaaa? How did I lose all code signing privs? I have all the certs installed. I made them, WTF?!
>
> Fast forward 1/2 a late night of reinstalling developer profiles, and so on and an early morning text to the other side of the planet.
>
> What happened was that the new distribution cert that the other person refreshed ended up being the one that I included in the provisioning profile.
>
> This is a big issue, because each distribution cert in the developer portal doesn't tell you who made it. You assume that you have all the certs installed, because you made them. In this case, the error message in Xcode is really misleading. Honestly, the only reason I know this happened was because of a morning call I had with that other person a month ago.
>
> There was no way to know that the cert I was about to use wasn't one that I had the private key installed for.
>
> If I click Refresh in the Export dialog when the error appears, then this will work for me, but I create the very same problem for the other person when they need to refresh their profile in 8 months.
>
> Yes, if more than one person can create app distro certs, then we need to create the cert, export our private key and send this to all the other people who can have privs to create or refresh distro certs, BUT…
>
> this could easily have saved 5 stressful hours if each distro cert on the developer portal displays the user name of the team member who created (or refreshed) it next to the cert.
>
> Yeah, we can just click Refresh, but that passes the problem down the chain to the next developer unless we all expect to create refresh every time anyone runs into this.
>
> I do know that I created this very problem for the other team a month ago and this took up 2 man days of developer time for them when they couldn't figure out why their ad-hoc distribution profile privs suddenly stopped working and Xcode reported that their certs.
>
> If any of you out there have more than one person on a team who can create or refresh distro certs, please be aware of this.
>
> If any of you have a better and saner strategy to manage this, I'm all ears.
>
> Thanks for your time,
> Alex Zavatone
>
>
> On Jan 27, 2016, at 9:41 AM, Alex Zavatone wrote:
>
>> Found out why. This is a dangerous issue for any team who has more than one person responsible for creating distributables and will screw teams up at least once a year.
>>
>> Will reply with summary and details on process to manage.
>>
>> .
>> On Jan 27, 2016, at 9:29 AM, Alex Zavatone wrote:
>>
>>> iOS, Xcode 7.1.
>>>
> >>> Is there any reason that anyone can think of why deleting the provisioning profiles from the folder where Xcode downloads them would completely nuke my certificates for code signing all our apps???
>>>
> >>> I get the dreaded "Your account already has a valid iOS Distribution certificate, but it is not installed" message.
>>>
>>> I've been the guy in charge of distributing our apps for the past year (on a nearly weekly basis) and now this happens right when we need to distribute to our CEO.
>>>
>>>
>>> What causes this hell?
>>>
>>> Any ideas?
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Xcode-users mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
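
Added example (not part of the thread, and not code from any poster): the failure described above comes down to a provisioning profile that embeds a distribution certificate for which the local keychain holds no private key. The Python sketch below compares the SHA-1 fingerprints of the certificates inside a `.mobileprovision` with the identities printed by `security find-identity -v -p codesigning`. The function names and the sample bytes in `demo()` are constructed for illustration, and the plist is sliced out of the CMS envelope without verifying its signature.

```python
import hashlib
import plistlib
import re
import subprocess
import sys

# Line format of `security find-identity -v -p codesigning`:
#   1) <40 hex SHA-1> "iPhone Distribution: Name (TEAMID)"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"', re.M)

def profile_cert_fingerprints(profile_bytes):
    """SHA-1 fingerprints of the certificates embedded in a .mobileprovision."""
    # The profile is a CMS envelope around an XML plist; slice the plist out.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found in profile")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    return [hashlib.sha1(der).hexdigest().upper()
            for der in plist.get("DeveloperCertificates", [])]

def keychain_identities(find_identity_output):
    """Map SHA-1 -> identity name; an identity is a cert WITH its private key."""
    return {h.upper(): n for h, n in IDENTITY_RE.findall(find_identity_output)}

def signable(profile_bytes, find_identity_output):
    """Pair each profile certificate with the matching local identity, or None."""
    have = keychain_identities(find_identity_output)
    return [(fp, have.get(fp)) for fp in profile_cert_fingerprints(profile_bytes)]

def demo():
    """Constructed sample: stand-in bytes instead of real DER certificates."""
    mine, theirs = b"constructed-cert-A", b"constructed-cert-B"
    plist = plistlib.dumps({"DeveloperCertificates": [theirs]})
    profile = b"CMS-header-bytes" + plist + b"signature-bytes"
    fp = hashlib.sha1(mine).hexdigest().upper()
    keychain = f'  1) {fp} "iPhone Distribution: Example Co (CONSTRUCTED)"\n'
    return signable(profile, keychain)  # the profile cert has no local key

if __name__ == "__main__":
    if len(sys.argv) < 2:
        results = demo()
    else:  # on macOS: python3 check_profile.py path/to/profile.mobileprovision
        with open(sys.argv[1], "rb") as f:
            cmd = ["security", "find-identity", "-v", "-p", "codesigning"]
            out = subprocess.run(cmd, capture_output=True, text=True).stdout
            results = signable(f.read(), out)
    for fp, name in results:
        print(fp, name or "NO PRIVATE KEY ON THIS MAC")
```

Run against a freshly downloaded profile before archiving, a `NO PRIVATE KEY ON THIS MAC` line indicates the profile was built around a certificate someone else created.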