certificates expired, created new certificates and missing Mac App Distribution

Hi,

My certificates expired and I created new ones.

But now, in Apple Accounts, Xcode shows the status of Mac App Distribution as Missing Private...

How to fix the missing private key?

I need to sign a .pkg for upload with Transporter.

Further, I generated a CSR for App License Delivery (ALD) certificates.

https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request/

And with App Store Connect I created new certificates.

In Xcode I had to remove the Apple Account and add it again, after altering currency. This procedure was described somewhere because Xcode was not able to connect to my account. This is fixed now.

My certificates expired and I created new ones.

How? Using the Developer website? Or using Xcode? Because…

How to fix the missing private key?

The way that you create a signing certificate determines where your private key ends up.

For most certificates it's fine to just revoke stuff and start again, and that's often the easiest way to resolve issues like this.

WARNING That’s not the case for Developer ID certificates. For those, see The Care and Feeding of Developer ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

When trying to upload with transporter I get:

Validation failed (409) Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: 089e7659-c30c-470e-b66e-8afc63234f12)

I would expect to be able to add "Mac Application Distribution" in Xcode "Manage Certificates", but it is missing.

There are only 5 options available:

  • Apple Development
  • Apple Distribution
  • Mac Installer Distribution
  • Developer ID Application
  • Developer ID Installer

I have created all new certificates and updated profiles, except "Distribution Managed" and "Development" with platform "All", because they haven't expired yet.

Further, "Distribution Managed" has no download button on developer.apple.com under "Certificates, Identifiers & Profiles".

I think I have a little mess and some certificates are duplicated, but I am unsure about this.

I … uploaded a Certificate Signing Request using web form.

Did you create a new CSR? Or re-submit an existing one?

What about the provisioning profile?

Provisioning profiles authorise, amongst other things, specific code-signing certificates. If you create a new certificate, you need to regenerate your profile.

If you’re curious how this actually works, see:

I would expect to be able to add "Mac Application Distribution" in Xcode "Manage Certificates", but it is missing.

Indeed. And you should choose Apple Distribution.

Historically we used to issue separate iOS and macOS code-signing certificates. There are still bits of that past world lurking in various subsystems, but in most cases these days you want to use the generic stuff, meaning Apple Development and Apple Distribution.

Further the "Distribution Managed" has no download button

Right. Certificates whose names end with Managed are associated with Cloud Signing. You can’t do anything useful with them — because you never got the private key — and thus the Developer website won’t let you download them.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
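
To see what that authorisation looks like on disk, an added example that is not from this thread and not from Apple: it unwraps the profile's CMS envelope, reads the DeveloperCertificates array and checks whether the certificate you sign with is listed, which is the condition a "Missing code-signing certificate" rejection points at. The function names are my own; on Linux the unwrap uses openssl cms, on macOS security cms -D.

```shell
#!/bin/sh
# Added example, not from this thread or from Apple. Assumes openssl on PATH (on macOS
# the profile is unwrapped with `security cms -D` instead of `openssl cms`). Lists the
# certificates a provisioning profile authorises and checks that the certificate you
# sign with is among them, so a stale profile is caught before Transporter rejects it.
set -e

# Print the property list carried inside a CMS-signed .provisionprofile.
profile_plist() {  # $1 = profile path
  if command -v security >/dev/null 2>&1; then security cms -D -i "$1"
  else openssl cms -verify -noverify -inform DER -in "$1" 2>/dev/null; fi
}

# SHA-1 fingerprint of a DER certificate on stdin, upper-case hex without colons:
# the same 40-character value `security find-identity -v -p codesigning` prints.
der_fingerprint() {
  openssl x509 -inform DER -noout -fingerprint -sha1 | sed 's/.*=//; s/://g' | tr 'a-f' 'A-F'
}

# One fingerprint per entry of the profile's DeveloperCertificates array (base64 DER blobs).
profile_certs() {  # $1 = profile path
  profile_plist "$1" | awk '
    /<key>DeveloperCertificates<\/key>/ { f = 1 }
    f && /<\/array>/ { exit }
    f && /<data>/ { d = 1; sub(/.*<data>/, "") }
    d { if (sub(/<\/data>.*/, "")) { print b $0; b = ""; d = 0 } else b = b $0 }' \
  | tr -d ' \t\r' | while read -r b64; do
      [ -n "$b64" ] || continue
      printf '%s' "$b64" | openssl base64 -d -A | der_fingerprint
    done
}

# Succeeds when the signing certificate (PEM or DER) is one the profile authorises.
profile_authorises() {  # $1 = profile path, $2 = certificate path
  if grep -q 'BEGIN CERTIFICATE' "$2"; then fp=$(openssl x509 -in "$2" -outform DER | der_fingerprint)
  else fp=$(der_fingerprint < "$2"); fi
  profile_certs "$1" | grep -qx "$fp"
}
```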

Hi,

Did you create a new CSR? Or re-submit an existing one?

I ran openssl and then, on Apple Developer, I edited the certificate and submitted the new CSR.

# generate a fresh 2048-bit RSA key and a CSR for it; -subj separates its fields with "/"
openssl genrsa -out ALDencryption.key 2048
openssl req -new -key ALDencryption.key -out csr2048ALDEncrypt.certSigningRequest -subj "/emailAddress=****/CN=****/C=CH"
openssl genrsa -out ALDsigning.key 2048
openssl req -new -key ALDsigning.key -out csr2048ALDSigning.certSigningRequest -subj "/emailAddress=****/CN=****/C=CH"

Then I downloaded the certificates and installed them.

Provisioning profiles authorise, amongst other things, specific code-signing certificates. If you create a new certificate, you need to regenerate your profile.

Xcode usually generates the embedded provisioning profile, but my Xcode setup isn't working. The archive action fails.

I build all dependencies from my makefile, so there are build directories for arm64 and x86_64, and the final universal app is built by make.

I am unsure what Xcode actually does. The last build complained about duplicated files, although they were just for different architectures.

Just now I built using the universal destination; maybe it helps.

As long as the archive build fails I won't get the new provisioning profile.

regards, Joël

Hi,

I was able to build a minimal workspace, but with transporter I still get:

Validation failed (409)
Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: 713c80c4-ea99-4bb4-8e31-fb84909c0a67)

regards, Joël

Hi,

I just did a backup of some keys and certificates in my local keyring. Then I removed expired certificates and keys without certificates.

Reading about Certificate types, I think this certificate is missing:

Mac App Distribution - Sign a Mac app before submitting it to the Mac App Store.

https://developer.apple.com/help/account/certificates/certificates-overview/

This is the missing certificate I need; how do I get it?

I looked at the provisioning profile and it contains a new date; that's fine.

Further I have checked my keyring and I think it is missing there, too.

What is with these 2 files?

  • csr2048ALDEncrypt.certSigningRequest
  • csr2048ALDSigning.certSigningRequest

Do I need to run the certificate assistant with it?

I just created these 2 files without any further actions.

You are right, these are the 2 certificates used:

  • Apple Distribution
  • 3rd Party Mac Developer Installer

I have removed all duplicated certificates, but I still get:

Validation failed (409)
Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: d7657aba-1015-4489-b046-5fa5251449d2)
Accepted Answer
Reading about Certificate types, I think this certificate is missing:

No. As I mentioned above, that platform specific distribution certificate type is no longer relevant. It’s been subsumed by Apple Distribution, which works for all platforms.

What is with these 2 files?

You’re asking me?!?

Seriously though, Apple’s standard processes don’t use openssl. If you go down that path, you won’t find any help from Apple sources.

And I think that speaks to the main issue you’re having here:

  • Apple’s code-signing infrastructure relies on digital identities in the keychain.
  • A digital identity is the combination of a certificate and the private key that matches the public key in that certificate. Both of these have to be in the keychain.
  • The openssl sequence you posted above doesn’t add the private key to the keychain. It just leaves it hanging around in PEM files (.key).

So, for code signing to work you need to import these private keys into the keychain [1]. Or you need to use a mechanism, like Certificate Assistant or Xcode, that generates these private keys in the keychain.

For more background on this, see Certificate Signing Requests Explained and the expanded discussion in TN3161 Inside Code Signing: Certificates.


Taking a step back, I think you should go back to basics and get your code-signing identity sorted out. Consider this:

% cp "/usr/bin/true" "MyTrue"
% codesign -s "Apple Distribution" -f "MyTrue"
MyTrue: replacing existing signature

This makes a copy of the true tool and re-signs it for App Store distribution [2]. You should try this. If it works, your code-signing identity is copacetic. If it doesn’t work, you need to sort that out first.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] That in and of itself is tricky. Keychain Access won’t import a private key PEM (it can use PEM, but only for certificates). The only way around this that I’m aware of is to use openssl to combine the private key and certificate into a .p12 and then import that.

[2] This is a very unrealistic example. The whole point is to illustrate this type of code signing in action.
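
The bullets and footnote [1] above as a script, an added example that is not from the thread and not Apple's tooling: it checks that an openssl-generated PEM key really belongs to the certificate downloaded from the developer site, bundles the pair into a PKCS#12 file, and on macOS imports it and lists what codesign can find. The function names, the export password argument and the older-algorithm fallback in the comment are my own assumptions.

```shell
#!/bin/sh
# Added example, not from this thread or from Apple's tooling. Assumes openssl on PATH;
# the import step is macOS only. Checks that a PEM private key (openssl genrsa) belongs
# to a certificate (DER .cer as downloaded, or PEM), bundles the pair as PKCS#12 and
# imports it so that codesign sees a complete identity (certificate + private key).
set -e

# Emit a certificate as PEM whatever format it was stored in.
cert_pem() {  # $1 = certificate path (PEM or DER)
  if grep -q 'BEGIN CERTIFICATE' "$1"; then cat "$1"; else openssl x509 -in "$1" -inform DER; fi
}

# SHA-256 of the SubjectPublicKeyInfo, taken from a private key or from a certificate.
pubkey_digest() {  # $1 = key|cert, $2 = path
  if [ "$1" = key ]; then openssl pkey -in "$2" -pubout; else cert_pem "$2" | openssl x509 -pubkey -noout; fi \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only when both digests were computed and agree: the key is the one the
# certificate was issued for. An unreadable key or certificate must not look like a match.
key_matches_cert() {  # $1 = private key path, $2 = certificate path
  k=$(pubkey_digest key "$1") && c=$(pubkey_digest cert "$2") && [ -n "$k" ] && [ "$k" = "$c" ]
}

# Bundle key + certificate into a .p12, the only container Keychain Access and
# `security import` accept a private key in. Refuses a mismatched pair outright.
make_p12() {  # $1 = private key, $2 = certificate, $3 = output .p12, $4 = export password
  key_matches_cert "$1" "$2" || { echo "private key does not match $2" >&2; return 1; }
  tmp=$(mktemp) && cert_pem "$2" > "$tmp"
  openssl pkcs12 -export -inkey "$1" -in "$tmp" -out "$3" -passout "pass:$4"
  rm -f "$tmp"
  # Assumption: if the keychain rejects an OpenSSL 3 export, re-run with the older
  # algorithms: -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
}

# macOS only: import into the login keychain, allow codesign to use the key without a
# prompt, then list the identities codesign can find (this is what Xcode reads too).
import_identity() {  # $1 = .p12 path, $2 = export password
  security import "$1" -k "$HOME/Library/Keychains/login.keychain-db" -P "$2" -T /usr/bin/codesign
  security find-identity -v -p codesigning
}
```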

Output from my shell script that produces the application and the package installer:

/Applications/com.gsequencer.GSequencer.app/Contents/MacOS/com.gsequencer.GSequencer.AudioUnitTest: replacing existing signature
/Applications/com.gsequencer.GSequencer.app/Contents/MacOS/com.gsequencer.GSequencer.AudioUnitTest: signed Mach-O universal (x86_64 arm64) [com.gsequencer.GSequencer.AudioUnitTest]
/Applications/com.gsequencer.GSequencer.app/Contents/MacOS/com.gsequencer.GSequencer: replacing existing signature
/Applications/com.gsequencer.GSequencer.app/Contents/MacOS/com.gsequencer.GSequencer: signed app bundle with Mach-O universal (x86_64 arm64) [com.gsequencer.GSequencer]
/Applications/com.gsequencer.GSequencer.app: replacing existing signature
/Applications/com.gsequencer.GSequencer.app: signed app bundle with Mach-O universal (x86_64 arm64) [com.gsequencer.GSequencer]
productbuild: Adding component at /Applications/com.gsequencer.GSequencer.app
productbuild: Signing product with identity "3rd Party Mac Developer Installer: Joel Kraehemann (****)" from keychain /Users/joelkraehemann/Library/Keychains/login.keychain-db
productbuild: Adding certificate "Apple Worldwide Developer Relations Certification Authority"
productbuild: Adding certificate "Apple Root CA"
productbuild: Wrote product to /Users/joelkraehemann/Desktop/com.gsequencer.GSequencer.pkg
productbuild: Supported OS versions: [Min: 11.0, Before: None]

Output from Transporter:

Validation failed (409)
Invalid Provisioning Profile. The provisioning profile included in the bundle com.gsequencer.GSequencer [com.gsequencer.GSequencer.pkg/Payload/com.gsequencer.GSequencer.app] is invalid. [Missing code-signing certificate.] For more information, visit the macOS Developer Portal. (ID: d7657aba-1015-4489-b046-5fa5251449d2)

I copied the provisioning profile from a freshly built minimal Xcode project consisting only of the main binary and a helper program.

This used to work.


I back up my keys and import the missing certificate and key.

Could it be that I have messed up Apple Developer?

Under Generate a Provisioning Profile I see 5 certificates:

  • **** (Mac App Distribution); Jan 13, 2027
  • **** (Distribution); For use in Xcode 11 or later; Jan 13, 2027
  • **** (Distribution); For use in Xcode 11 or later; Jan 13, 2027
  • **** (Mac App Distribution); Jan 13, 2027
  • **** (Distribution); For use in Xcode 11 or later; Jan 16, 2027

Which do I need to configure? Maybe time to revoke?

One moment, I have a private key and what happens when I import another?

Backup is recommended I think.

In Xcode there is a download dialog available if you disable automatic signing.

It says no eligible profile available.

Transporter upload seems to work, after selecting the correct certificate on Apple Developer.

Build again, new provisioning profile and it works.
