Remove Apple Worldwide Developer Relations Certification Authority from System Keychain - certificate

Since the Apple Worldwide Developer Relations Certification Authority expired on February 14th, I need to install the new one. In order to do so, I have to delete the old one from both System and Login tabs in my keychain.
Removing it from the login tab was easy and instantaneous. But removing it from the System tab is impossible. I can see it in my system tab, stating that it is expired:
When I try to delete it, I'll get the following error:
I need to delete it so I can upload apps to the App Store. Meanwhile, I am stuck and can't do anything. What can I do to delete it!?
This is what I always get if I try to unlock the Systems Tab:
This is what Xcode gives me:

The answer for any future developers having the same problem is really simple:
Restart your Mac.
While restarting, hold Command + R. This will boot up your Mac in the "sudo" mode, allowing you to write bash commands. Please note that writing the following command is really safe and risk free, but as always while dealing with systematic commands, make sure your backup is nearby!
When loaded, go to Utilities, Terminal.
First, write: csrutil status. This will show you the status of SIP. Your goal will be to disable SIP (System Integrity Protection). After checking the status, most likely you will find the status Enabled.
When you find it enabled, write: csrutil disable. This will disable SIP.
Restart your Mac, open Keychain, and you will be capable of deleting any stuck certificate, including the expired WWDR.
Hope it will help someone in the future!!

Try to install new certificate from link below.
https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
This worked for me.
I hope this will help you.

Go to Keychain Access, right-click on Apple Worldwide Developer Relations Certification Authority, and click Delete.
If this is not working, just click on System at the top of the left side and do the same. After that, drag and drop the new certificate, which is found at: https://developer.apple.com/certificationauthority/AppleWWDRCA.cer

Related

How to sign user space binary with force integrity check (deprecated MSFT cross-signing)

We used to have a binary running in user space built with the VC++ /integritycheck flag, which sets the IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY flag on the executable (see more here and here). We signed it with our old certificate and it ran smoothly. Now we were given a new certificate and the binary is blocked by a security check (Defender prompt + log in event log).
Yes, we added certificate to our trusted store.
Yes, we used page hash (/ph) switch while signing.
The new cert runs fine if we enable test signing on a platform (through bcdedit).
The major difference seems to be that the new certificate is not cross-signed by Microsoft. Cross-signing is no longer supported, so maybe anyone knows if there's an alternative or how to work around it? Maybe the /integritycheck flag for user space code is no longer valid?
We found the same issue on the MSFT forum: https://learn.microsoft.com/en-us/answers/questions/348812/signed-file-fails-to-start-because-of-bad-signatur.html. Still no precise answers on how to solve it.

How to un-set `fastlane_tmp_keychain-db` as the default keychain?

I'm not entirely sure how I got into this situation, but fastlane_tmp_keychain-db becomes my default keychain after a build, and I can't figure out how to un-set it.
There are no options here to change the defaults. Why did fastlane do this and how do I undo it?
It's definitely the default; I get "Spotlight wants to use fastlane_tmp_keychain-db" on login.
Took me longer to figure out than I care to admit, so I'm documenting this here also for my own reference...
Open up Keychain Access, select the fastlane_tmp_keychain-db keychain on the left and then select Edit > Delete.
In the following dialog choose "Delete Keychain File" to permanently delete it.
This should fix it.
The fastlane_tmp_keychain-db shouldn't be there in the first place. It's temporary and supposed to be deleted automatically after the lane is executed. However, judging by the number of reports and questions on this topic lately, it seems to have broken recently. Deleting it should fix any issues you might have with your Mac and shouldn't affect your Fastlane project in any way.
It happened to me as well and I found this thread. But André's solution does not work for me: the Delete action is grayed out and disabled in the Edit menu.
But I found another solution to delete the keychain:
fastlane run delete_keychain name:fastlane_tmp_keychain-db
and set login keychain as default again:
security default-keychain -s ~/Library/Keychains/login.keychain-db
You may have to restart 'Keychain Access' to show the changed default keychain.
Finally managed to get rid of it using the following. Add this to your fastlane file:
desc "delete created keychain"
lane :delete_chain do
  delete_keychain(name: "fastlane_tmp_keychain-db")
end
Then run sudo fastlane delete_chain. Note: This will (likely) destroy anything that has been saved into the keychain while it was considered the default. Therefore consider backing it up first.

Microsoft Word Security Warning for Signed VBA Project

I am attempting to set up signed VBA Projects so that I can find the right balance between security and usability.
Currently my end users are instructed to just hit "Enable Content" on Microsoft Office to allow running of the macros.
Obviously this is a security issue as it's a blind approval. They should in fact be told to never hit "Enable Content", and the goal is that Word will automatically run the documents because the VBA Projects are digitally signed.
I have made a cert using "SelfCert.exe". Imported it into the "Trusted Root". It shows as trusted. I opened the VB Editor and applied this to my document, changed Word Trust Security Center settings to "Disable all except digitally Signed". But I still get the warning and can't figure it out. Is this a glitch? Am I doing something wrong? Looking for help from somebody with experience with this issue.
The issue was I hadn't added the key under "Trusted Publishers". I still have some gripes about how hard that was to do/figure out, and I also wish there was a macro setting of "Disable all Macros WITHOUT notification except digitally signed ones", but that's another thread.

Apple App Store: INSTALL_ERROR_DISTRIBUTION_SIGNED_BY_APPLE

Anyone else getting this error when trying to download an app from the new Apple Mac App Store?
INSTALL_ERROR_DISTRIBUTION_SIGNED_BY_APPLE
I just ran into this problem while trying to update an application, but my problem was not an unsynchronized clock (ntpdate -q time.apple.com showed a maximum offset of 0.022479).
I found a hint in a thread on one of Apple’s discussion forums that the problem might be related to certificate status checking settings. Modifications in this area resolved the problem for me. In the Keychain Access application, after selecting the Keychain Access menu > Preferences… menu item, and switching to the Certificates tab (close this preferences window when done making any changes), I ended up changing both my OCSP and CRL settings from “Require if Cert Indicates” (which seemed like a useful, “strict” setting to me), to “Best Attempt” (the Priority remained “Require Both”).
It seems that the “Require if Cert Indicates” and “Require for All Certs” options are normally grayed-out (I originally set them back on a machine running Tiger, which was migrated to this Snow Leopard machine). I found that you can hold down Option while clicking on the popup button (a.k.a. drop-down list) to enable and select these options though. I may go back and try to determine which setting (OCSP or CRL) was strictly necessary.
I got the same error because my OS time/date was not correct.

Uploading Binary iPhone App "The signature was invalid" again again and again

I'm going crazy! I'm trying to upload the binary of my first application but I have always the same error!
"The binary you uploaded was invalid. The signature was invalid, or it was not signed with an Apple submission certificate."
I did everything, EVERYTHING!!
I created the request for the certificate, used it for both developer and distribution certificate, created the provisioning profile (12 times!!!), always cleaning my keychain and my Xcode, deleting the old certificates and profiles.
I rebooted the machine, rebooted Xcode, the log is correct, but... I can't upload my app!!!!
Checked if my iPhone is connected (I tried with iPhone disconnected too).
I checked the certificate in both my project settings "Distribution" Configuration (duplicate of "Release" configuration) and in my target settings.
Reveal in Finder, compress the app and sent the zip...
I tried with Application Loader and iTunes Connect online.
but nothing! NOTHING!!
I've spent 8 hours! And again I can't have my app uploaded!!!
I'm really going crazy!
Can anyone help me pleeease?
Thx!
It seems like there are a LOT of causes for receiving this cryptic and mostly unhelpful email. Even after verifying the use of distribution certificates, cleaning & rebuilding my project, and checking with codesign from the command line (and following instructions from the email), no errors showed up, but I'd get the "invalid signature" email right after uploading. All the solutions seem anecdotal and obviously depend on what secret error is causing the problem. I've spent the last week pulling my hair out, trying to figure it out for my app, and finally got it successfully submitted today, so let me share my story and see if it's relevant to your situation.
In my case, I seemed to have a complex cause of having my Entitlements.plist set with an incorrect variable along with the holdover of an old provisioning profile (from a previous Xcode version?) buried deep in the project.pbxproj component of my Xcode project file.
The "aps-environment" variable in my Entitlements.plist was set to "distribution" instead of "production" (I swear I read somewhere in the developer docs that it was supposed to be "distribution"!) But fixing that alone wasn't enough to get my app through. (I must have submitted 100 different combinations of app configurations trying different variables!) Starting with the helpful suggestions from this post on another forum, I dug through the distribution profile and found duplicate entries for some variables. The duplicates had empty quotation marks (i.e. nothing set for the variable) or strange variables or old provisioning profiles which seemed to be causing problems (somehow). Cleaning this up and removing the duplicate lines with bad variables worked in my case. YMMV. But carefully examining the project files ("show contents" on the Xcode project file in Finder) seems like a good idea for diagnostics. Good luck!
Been there - done that.
Make sure your certificate is in the "login" keychain, and that that is the default keychain (highlighted bold) in Keychain Access.
Make sure you have both the private and public keys for your certificates and that they are valid. You will also need the Apple Worldwide Developer Relations Cert Authority installed.
I assume you have dragged the profile into Xcode - easiest to drop them onto the Xcode icon on the dock.
Make sure, as Paul says, that the bundle identifiers all match up.
You say you checked the certificate in the distribution configuration. It's not the certificate you need to concentrate on but the provisioning profile.
Select your Release config top left, click on the project under groups & files and do cmd I. Select build tab and then pick distribution in the top left. Then look at the Code Signing Identity. Pull down the dropdown list and make sure you have the right application identifier, the right profile and the right certificate. Don't use the Automatic Profile Selector.
Hope one of those steps helps!
I was getting the same error when I tried to submit a version update from the Organizer. What solved my issue was using the Application Loader found in the directory /Developer/Applications/Utilities. You'll need to compress your .app file and send the corresponding .zip file. I used this for my initial submission as well, I just thought I'd try the new way. What a pain! Go with Application Loader.
Best solution:
Revoke Distribution Certificate
Create new AppStore provisioning profile
This solved my problem. Spent 4hrs+ :( :)
I just had this problem. I resolved it, after hair-pulling, by going back into Keychain Access one more time and discovering the "Show Expired Certificates" menu item. When I did that, one more expired cert of the kind I had (so far, unsuccessfully) replaced showed up! I had deleted a couple of expired certs already, but this menu item caused another to show up, and after deleting it, my upload worked. I was previously aware that expired certs can get in the way of valid ones, and I STILL wasted a lot of time. Hopefully, this helps some people.
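Several posts above trace signing failures to an expired certificate still present in a keychain: the expired WWDR certificate in the System keychain, and the leftover certificate revealed by "Show Expired Certificates". As an added example, not code from any of the posts, the shell function below reads PEM certificates on stdin and reports the ones that have expired or will expire within a chosen window; the function names, the sample subject and the use of openssl are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the posts above). Reads concatenated PEM certificates
# on stdin and prints one line for each certificate that has expired or will
# expire within WINDOW seconds. WINDOW=0 reports only already-expired ones.
# On macOS the input can come from a keychain, for example:
#   security find-certificate -a -p /Library/Keychains/System.keychain \
#     | list_expiring_certs 0
list_expiring_certs() {
  lec_window=${1:-0}
  lec_tmp=$(mktemp) || return 1
  lec_in_cert=0
  while IFS= read -r lec_line; do
    if [ "$lec_line" = "-----BEGIN CERTIFICATE-----" ]; then
      lec_in_cert=1
      : > "$lec_tmp"
    fi
    if [ "$lec_in_cert" -eq 1 ]; then
      printf '%s\n' "$lec_line" >> "$lec_tmp"
    fi
    [ "$lec_line" = "-----END CERTIFICATE-----" ] || continue
    lec_in_cert=0
    # Skip blocks openssl cannot parse rather than reporting them as expired.
    openssl x509 -in "$lec_tmp" -noout >/dev/null 2>&1 || continue
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$lec_tmp" -noout -checkend "$lec_window" >/dev/null 2>&1; then
      printf 'EXPIRING %s | %s\n' \
        "$(openssl x509 -in "$lec_tmp" -noout -subject)" \
        "$(openssl x509 -in "$lec_tmp" -noout -enddate)"
    fi
  done
  rm -f "$lec_tmp"
}

# Constructed sample input: a throwaway self-signed certificate, valid one day.
make_sample_cert() {
  msc_key=$(mktemp) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Sample CA" -keyout "$msc_key" 2>/dev/null
  msc_rc=$?
  rm -f "$msc_key"
  return "$msc_rc"
}

# Demo: the one-day sample certificate is flagged with a two-day window.
make_sample_cert | list_expiring_certs 172800
```

A window such as 2592000 (30 days) gives warning before a certificate lapses, instead of after uploads start failing.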