Does renewing a provisioning profile affect keychain access when I submit an app update to the AppStore? - iphone

I have an iPhone app that uses the keychain for authentication-related storage.
I also had an expiring Provisioning Profile.
In the documentation for keychain access it states:
On iPhone, Keychain rights depend on the provisioning profile used to
sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
Because my Provisioning Profile was expiring, I renewed it (in the provisioning portal), downloaded it, and double-clicked it, which "installed" it into Xcode's organizer.
After submitting an update to the app to the App Store, I'm basically seeing an empty keychain (users are being asked to log in again).
My question is: does renewing the provisioning profile used to sign an app affect keychain access when the renewed profile is used to submit an update to the app? The docs just say to use "the same provisioning profile", but are unclear about whether a renewed profile counts as a different profile (as my experience described above suggests).
What gives?
Update
Solved with help from tc's answer. Looking at the embedded.mobileprovision file in each of the .ipas submitted to Apple revealed that an expiring certificate and provisioning profile were used to sign version x of the app, and a different certificate and provisioning profile were used to sign version x+1 of the app (culprit: "Automatic Profile Selector" feature of Xcode for the Code Signing Identity).
The 1st certificate and profile were left over from when a developer used a different iOS Developer Program account to develop an unrelated app (on the same machine, with the same OS X user). Provisioning profiles across multiple iOS Developer Program accounts are apparently all stored together in ~/Library/MobileDevice/Provisioning Profiles, so they are all candidates for Xcode's automatic profile selection feature.
I changed the code signing identity by selecting a totally different distribution profile that I mistook for a renewed/valid version of the expiring distribution profile, and submitted an update. Same app, different cert, different provisioning profile == empty keychain. D'OH.

The keychains you're allowed to use are determined by keychain-access-groups in the entitlements, which is limited to a subset of the keychain-access-groups in the provisioning profile, which is determined by the "bundle seed"/"prefix" (ApplicationIdentifierPrefix in the provisioning profile), set in the "App ID".
Assuming you've kept the old submitted app (or have the .ipa from iTunes, which is just a zip), look at embedded.mobileprovision in both the old and new apps (less Foo.app/embedded.mobileprovision in a terminal should do the trick, or you can open it in a text editor although sometimes they'll pick the wrong line endings). You're looking for something like this (you may see extra keys for push/iCloud):
    <key>Entitlements</key>
    <dict>
        <key>application-identifier</key>
        <string>A1B2C3D4E5.com.example.MyApp</string>
        <key>get-task-allow</key>
        <false/>
        <key>keychain-access-groups</key>
        <array>
            <string>A1B2C3D4E5.*</string>
        </array>
    </dict>
You can also view the actual entitlements your app was signed with:
codesign -d --entitlements - Foo.app/Foo | vis
IIRC the keychain access groups default to e.g. A1B2C3D4E5.com.example.MyApp, but you can set this to anything you want provided it matches A1B2C3D4E5.* (Xcode 4 even has a nice GUI entitlements editor). If the bundle prefix is different, that'll cause the problem you're seeing. I think you can change it back provided you haven't enabled push/Game Center/etc.
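
The comparison described in this answer, as an added example that is not part of the original answer: it pulls the plist out of each build's embedded.mobileprovision and reports differences in the application-identifier prefix and keychain-access-groups. The function names, the second prefix Z9Y8X7W6V5 and the sample profile bytes are constructed for illustration.

```python
import plistlib

def profile_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a CMS-wrapped embedded.mobileprovision."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def keychain_scope(profile: dict) -> dict:
    """Return the profile values that decide which keychain items are reachable."""
    ent = profile.get("Entitlements", {})
    prefix, _, bundle_id = ent.get("application-identifier", "").partition(".")
    return {"prefix": prefix, "bundle_id": bundle_id,
            "groups": sorted(ent.get("keychain-access-groups", []))}

def compare_profiles(old_blob: bytes, new_blob: bytes) -> list:
    """List differences between two builds' profiles that affect keychain access."""
    old = keychain_scope(profile_plist(old_blob))
    new = keychain_scope(profile_plist(new_blob))
    findings = []
    if old["prefix"] != new["prefix"]:
        findings.append(f"prefix changed: {old['prefix']} -> {new['prefix']}")
    if old["bundle_id"] != new["bundle_id"]:
        findings.append(f"bundle id changed: {old['bundle_id']} -> {new['bundle_id']}")
    lost = [g for g in old["groups"] if g not in new["groups"]]
    if lost:
        findings.append(f"keychain groups no longer granted: {', '.join(lost)}")
    return findings

def sample_profile(prefix: str) -> bytes:
    """Constructed stand-in for a real profile: placeholder bytes around a plist."""
    xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>ApplicationIdentifierPrefix</key><array><string>{prefix}</string></array>
<key>Entitlements</key><dict>
<key>application-identifier</key><string>{prefix}.com.example.MyApp</string>
<key>get-task-allow</key><false/>
<key>keychain-access-groups</key><array><string>{prefix}.*</string></array>
</dict></dict></plist>"""
    return b"0\x82\x0f\x00" + xml.encode() + b"\x00\x01constructed-signature"

if __name__ == "__main__":
    # With real builds: open("Foo.app/embedded.mobileprovision", "rb").read()
    old, new = sample_profile("A1B2C3D4E5"), sample_profile("Z9Y8X7W6V5")
    for finding in compare_profiles(old, new):
        print(finding)
```

An empty result means the two profiles grant the same prefix, bundle id and keychain groups; run it on the previous release and the release candidate before submitting.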

As long as your app's bundle id doesn't change there won't be any issue with the keychain.
Considering that we all have to renew our certificates and distribution profiles every year, it would be chaos if doing so broke the keychain access for our apps.
I have one app that's been in the App Store for over 4 years. It uses the keychain. It has been updated several times over the years, many times with an updated provisioning profile. There have been no keychain issues.

For anyone else searching, I had a different issue. The manual steps I followed to resign the ipa resulted in it having no entitlements, which means no keychain access. So I created a script to resign the ipa but keeping the entitlements from the original. I posted it at http://baltaks.com/2013/08/resigning-enterprise-ios-apps and will keep that updated if required.

Related

How to later remove HealthKit from provisioning profile

I have a Watch-App and by creating a Distribution provisioning profile a few weeks ago, there was an option to enable HealthKit.
Now it turns out that I do not need HealthKit in the Watch App.
(and therefore did not activate it inside WatchKit Extension's - Target's - Capabilities as the following picture shows):
So far so good.
But now Xcode keeps giving me these 2 Warning messages (obviously since the original provisioning profile includes HealthKit but the settings in Xcode don't)...
Code Signing Warning: Provisioning profile "iOS Team Provisioning Profile:
bundleID.watchkit.extension" for "MyApp WatchKit Extension" contains
entitlements that aren't in the entitlements file:
com.apple.developer.healthkit.access. To use these entitlements, add them to
your entitlements file. Otherwise, remove unused entitlements from your
provisioning profile.
I tried to follow the Apple manual and there it says that under the developer portal (Certificates) one should be able to change the options a provisioning profile consists of.
So I did go there and pressed "Edit" on my provisioning profile of choice:
But here the bad surprise:
Unlike the explanation in the manual - THERE ARE NO LONGER ANY SETTINGS-SWITCHES THERE ANYMORE WHERE TO CHANGE THE HealthKit ENABLE/DISABLE STATE !!
What is there to do in order to disable HealthKit?
Also: Removing the old provisioning profile and trying to create a new one does not work - SINCE THIS PROVISIONING PROFILE CREATION MASK DOES NOT SHOW ANY ENABLE/DISABLE SWITCHES ANYMORE (NOT LIKE A COUPLE OF WEEKS AGO....!!!)
Delete the provisioning profile in the Apple Developer Portal then create a new one
On Apple Developer Account > Identifiers section, select your app bundle ID, then here you can untick HealthKit-related capabilities. Once this is done, you can regenerate the matching Provisioning Profile, and it should no longer have HealthKit.

Will I lose my Keychain with a new certificate?

I have an application already in the store that uses Keychain to store passwords.
I want to publish an update of the application, the problem is that I don't have the original certificate anymore (it was expired and I created another).
Reading Apple's documentation it says:
Note: On iPhone, Keychain rights depend on the provisioning profile
used to sign your application. Be sure to consistently use the same
provisioning profile across different versions of your application.
If I edit my provisioning profile with a different certificate, will my users lose their passwords when I will upgrade the application?
Thanks
If you can upload the app into the store (so update the old one), the users will not recognize anything of this ;)
What's saved in their keychain will be bound to the Bundle and stays at least until the application is deleted.
You can revoke and re-create your cert, and assign it to your provisioning profile without any further consequences.

Validating my app I'm receiving the message "No identities are available for signing"

I archived my app and then put it through validation. A window came up titled "Choose an application record and an Identity to sign with" and then a yellow triangle and the message "No identities are available for signing" was displayed, with options for Downloading Identities and Import Developer Profile.
I chose Download Identities and, after it logged into my iOS Dev Center account, received the message "An administrator must request identities before they can be Downloaded".
Code signing error warning http://imageshack.us/a/img824/4080/validate2.gif
I then chose the "Import Developer Profile" and it was also unsuccessful.
I checked the code signing and noticed the error warning that no profiles currently match and that the application identifier com.jarrahbridges...... profile doesn't match application identifier com.jarrahBridges........
In Organizer my provisioning profiles state they are Valid Profiles, and all my certificates in my keychain (numbering 6) are valid.
Any direction on this would be most appreciated
I was having the same problem and the problem was my Distribution Certificate was created on another Mac. Here are more details:
http://spacetech.dk/ios-development-error-no-identities-are-available-for-signing.html
Create an App Store provisioning profile at the Developer Portal, then update Xcode profiles (Xcode -> Preferences... -> Accounts).
Create an archive and press "Validate".
You are now able to validate the archive against your Distribution Certificate and App Store provisioning profile.
Don't know if it is a bug or a feature, though.
Try following these instructions. Basically there are multiple places where you have to tell Xcode what your bundle identifier is and what the provisioning profile is. I can't believe this stuff is totally overlooked in the iOS Developer Distribution Guide by Apple.
http://anthonytietjen.blogspot.com/2012/08/overcoming-trouble-validating-your.html
Also, go into Build Settings for your project and go to Code Signing. Make sure the Code Signing Identities are all set to the iDevice Distribution App ID you created in iTunes Connect as well as the Provisioning Profile set to the Provisioning Profile you painstakingly created in the iOS Development Center as well (that Ad Hoc provisioning profile file you created and downloaded into Xcode.)
Apple was great at walking you through creating the Distribution Certificate and Ad Hoc Provisioning Profile, but when it comes down to getting things bundled up in Xcode, they left a lot out.
https://developer.apple.com/library/IOs/documentation/IDEs/Conceptual/AppDistributionGuide/Introduction/Introduction.html#//apple_ref/doc/uid/TP40012582-CH1-SW1
I would say that if you still can't get it working with an Ad Hoc provisioning profile, try generating an App Store Distribution Provisioning Profile within the "Certificates, Identifiers, and Profiles" portion of the Development center, import it into Xcode (by refreshing the provisioning profile list under Xcode->preferences->accounts->details->refresh button) and go through the validation process of your archive again. I'm not sure if it's because Xcode can't validate an Archive with an Ad Hoc profile or what, but it seems to pick up the Distribution Provisioning Profile just fine and allows you to validate. Don't worry, even if you don't validate the archive with the Ad Hoc provisioning profile, you can still create the .ipa for your archive by hitting the Distribute button in Organizer->Archives and choosing the Ad Hoc profile so that you can beta test it.

iOS XCode & Code Signing

I am currently about to start work on an iOS app for somebody, but they have their own Apple Developer account which they would like to use. How do I go about setting my Mac up so that I can use their account to build, develop and test their app on my devices?
I am assuming that I will need to create a separate user account on my Mac. I have done this, but when I try to install the certificates that they have created I get errors such as "Valid signing identity not found".
Why could Apple not make this process simple, I am always having to refer back to the documentation and still get confused just to start creating a new app!
You do not have to create a new user account on your Mac for this, but I know some developers prefer to have separate accounts when they are working with more than one developer account, for ease of development & distribution provisioning profiles.
If your client adds you (by Apple ID --> email address) as a team member to their account (assuming their account belongs to a company and not an individual) then you can start the development process by requesting and later receiving a signed development certificate. You'll then also need the required provisioning profile(s) to develop/distribute builds of the app.
No, you won't need to create a separate account. Xcode provides the facility to use several provisioning profiles and certificates at the same time.
For more information check this thread - Multiple Certificates/Provisioning Profiles in one Xcode organizer?
First of all, you don't need to create a new account on your Mac to develop an iOS application. In Xcode 4 it became very easy to start developing and signing applications. All you need to do is go to Organizer (the rightmost button on the Xcode toolbar). In the Provisioning Profiles section you can see a Refresh button at the bottom of the screen. When you click it, it asks you for your developer account information such as account name and password. Then it tries to install all profiles and certificates to your Mac automatically. Then you can select your profile and sign your app. If the automatic install fails, check yourself that you have downloaded all you need for this.
Create keys on your mac and submit to Apple.
Download your certificate and WWDR certificate. Two!!!!
Add your device to the devices section and create Development certificate (Distribution as well ). Download it manually or via refresh in Xcode Organizer.
Hope it helps. Sergey!
Once you have your Apple Developer Account Credentials, You can follow gist I have created:
Apple's Code Signing Process

How can I update my App in the App Store if the Distribution Provisioning Profile expired?

I want to update an existing App in the App Store, but the profile I used expired (I'm not sure, if it has something to do with the corresponding certificate which also expired..). Since Apple tells me in the How-Tos:
Use the same Distribution Provisioning
Profile to build each new version of
your application
I don't know, what to do. Can anyone help?
The important part is keep the same bundle id.
If your provisioning profile has expired or you have to generate another certificate, it doesn't matter.
Get a new version of your provisioning profile, build your app and it should be fine.
If the profile is expired, simply renew it or generate a new one. I did it yesterday, my dist profile was expired and I simply deleted it and generated a new one.
Once a new certificate is generated, download it, delete the old one from your keychain and add the new one.
After that, try to build your app. (Sometimes restarting Xcode is required)
Every profile and every certificate will expire. As long as the developer account is still the same, simply creating a new distribution cert should do the trick.
You need to keep exactly two things the same: the enrolled iOS Developer account you use, and the Target Identifier Property in Xcode (becomes the Bundle Identifier in the app). Do that, and the result will be an update to the same app in the App store.
Everything else you can renew, recreate in the portal, install on a new Mac, etc., including App IDs (wildcard or not) created in the portal, Developer or Distribution certificates, and provisioning profiles in the portal, installed in Xcode or on the iDevice. You can also change the Bundle display name (under the icon), the Product name, the Target name in Xcode, and maybe even the name of the app as it appears in the App Store (if it's not misleadingly different).
Renew your certificate and provisioning profile at the iOS Developer Portal.