In our local test configurations, a developer can sign test apps for device installation using any key associated with the company team. However, if a developer accidentally chooses an identity from some other team, installation fails with no information about the problem. It just mentions that no provisioning profile could be found, leaving everyone in the dark about what is wrong.
Instead, we would like to pre-validate the selected signing identity by checking the team name or id. This could be done, for example, by extracting the x509 certificate from the signing identity and checking the "OU" field (which is set to the team id). However, none of the apple commands will divulge the x509 certificate from a developer id. So far our best options is to create a fake app, sign the app, then use command:
codesign --display --extract-certificates
This solution seems excessively serpentine. Is there no direct command that will accept the sha of a signing identity and return a nice .pem containing the associated certificate chain? Or, better yet, is there a command that takes the signing identity and simply returns the name or id of the associated team?
Something like this perhaps:
% security find-certificate -c "Apple Development: Quinn Quinn (7XFU7D52S4)" -p > cert.pem
% certtool d cert.pem
…
Subject Name :
Other name : UT376R4K29
Common Name : Apple Development: Quinn Quinn (7XFU7D52S4)
OrgUnit : SKMME9E2Y8
Org : Quinn Quinn
Country : US
…
Unfortunately it relies on the name. If you’re worried about duplicates, you can pass -a, which results in a PEM with multiple certificates. certtool won’t deal with that properly, but now that you’re in PEM format you can use openssl.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"