I have a self-signed certificate at the endpoint of my API. I'm trying to test some things using the simulator but am getting "untrusted server certificate".
I have tried to use Safari on the simulator to download the .crt file, but that doesn't seem to work.
Where does iPhone Simulator get its keychain from? How can I add a trusted certificate so my application will work?
I got it to work by creating a CA and then adding a CA certificate using the iPhone provisioning tool. Then I was able to have a certificate signed by that CA certificate on the API server and the NSConnection just worked. I was not able to get it to work using a self-signed certificate for some reason. I need to re-attempt this using the provisioning software.
My real question is how do I get this to work on the simulator? I would think that the simulator uses the keychain of the actual computer.
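The setup described above, a private CA whose certificate is installed on the simulator and a server certificate signed by that CA, can be produced with openssl as follows. This is an added example, not the asker's own commands; the subject names, host name, file names and 30-day lifetime are assumptions.

```shell
#!/bin/sh
# Added example: build a development root CA and a server (leaf) certificate.
# Everything named here (subjects, host, file names) is constructed.

make_dev_ca_and_leaf() (
    dir="$1"
    host="$2"
    umask 077                      # private keys readable by the owner only
    mkdir -p "$dir" || exit 1

    # Root CA profile: CA:TRUE marks the certificate as a certificate authority.
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Dev Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

    # Leaf profile: not a CA, server authentication only, host name in the
    # subjectAltName (Apple platforms match the host against the SAN).
    cat > "$dir/leaf.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

    # 1. Self-signed root CA certificate and key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        2>/dev/null || exit 1
    # 2. Key and signing request for the API server.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/leaf.cnf" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        2>/dev/null || exit 1
    # 3. The CA signs the request, applying the leaf extensions.
    openssl x509 -req -sha256 -days 30 -in "$dir/leaf.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/leaf.cnf" -extensions v3_leaf -out "$dir/leaf.pem" \
        2>/dev/null || exit 1
)

# True when the leaf certificate in directory $1 verifies against its CA.
leaf_chains_to_ca() {
    openssl verify -CAfile "$1/ca.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# True when the certificate file $1 carries the CA:TRUE basic constraint.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# Usage: sh make-dev-ca.sh make <output-dir> <host-name>
if [ "${1:-}" = "make" ]; then
    make_dev_ca_and_leaf "${2:-./dev-ca}" "${3:-api.example.test}" || exit 1
    leaf_chains_to_ca "${2:-./dev-ca}" && echo "leaf verifies against CA"
fi
```

Install ca.pem (not leaf.pem) on the simulator; leaf.pem and leaf.key go on the API server, and ca.key stays off both.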
Simply drag & drop your .cer Files into your running Simulator window. You'll see Safari flashing and then the import dialog for your Certificate (or Certificate Authority)...
Working for iOS 7 Simulator (and I think it did work for iOS 6 too).
For those who find that the dragging and dropping of the certificate on the Simulator isn't working, there was a recent change that adds an extra step.
The Simulator must be explicitly told to trust the root CA. Do this by going to:
iOS Settings > General > About > Certificate Trust Settings > "Enable Full Trust for Root Certificate" for your particular certificate
See the full answer here:
I had this same issue for months and today I FINALLY solved it with:
ADVTrustStore
You are going to want to use a project called ADVTrustStore from github. It does some fancy magic but it will correctly install certificates into your root trust-store on the simulator.
Steps to install a custom cert
# Clone the repo
git clone https://github.com/ADVTOOLS/ADVTrustStore.git
# Enter the repo directory
cd ADVTrustStore/
# Copy your .crt file
cp somewhere/something.crt my.crt
# Convert to a .pem file
openssl x509 -in my.crt -out my.pem -outform PEM
# Install the pem in the simulators
./iosCertTrustManager.py -a my.pem
Using this process I was able to get GoogleStreetView images to render correctly while behind a corporate firewall using SSL resigning with self-signed certificates
Background
I was using CharlesProxy and I noticed it was correctly installing certificates into the Simulator but they did not show up in the Settings - Profiles section. Then after some searching I discovered this tool. There are probably a few other tools out there but in my case the drag-and-drop never worked correctly for all cases. Safari would be fine but not my applications.
For anyone using OS X Catalina, please check this: https://forums.developer.apple.com/thread/124056.
Catalina is currently blocking access to the Desktop, Documents and Downloads folders.
I moved the certificate files to the Shared folder and dragged and dropped the files to the simulator from there.
Take a look at the shell script Charles uses to install their self signed cert into the simulator's keychain. http://www.charlesproxy.com/documentation/faqs/ssl-connections-from-within-iphone-applications/
See also:
iPhone TrustStore CA certificates
http://redgreenrefactor.eu/blog/testing-https-on-iphone-simulator/
It looks like installing your own certificate in the simulator may require installing it on a device via Safari and then copying the resulting row from the device's TrustStore.sqlite3 into the simulator's.
Drag and drop used to work but it didn't work on Xcode 12 for me. What worked for me was opening the Safari browser on the Simulator and then typing the file URL for the .crt certificate file.
Ex.
file:///Users/[folder_path]/[certificate.crt]
After that you have to go to Simulator Settings and install the certificate by navigating into the General > Profiles section.
For iOS 14, after the dragging, you need to go to:
General -> Profile -> select your profile -> install
and then:
General -> About -> Certificate Trust Settings -> "Enable Full Trust for Root Certificate" for your particular certificate
see also https://developer.apple.com/library/archive/qa/qa1948/_index.html
Using iPhone Backup Extractor, I copied my iPhone's TrustStore.sqlite3 into ~/Library/Application Support/iPhone Simulator/6.0/Library/Keychains, overwriting the existing file. I tried to only insert a single row with the following sqlite, but I couldn't get it working.
sqlite3 ~/backup/iOS\ Files/TrustStore.sqlite3
sqlite3>.mode insert
sqlite3>.output working.sql
sqlite3>select * from tsettings;
sqlite3>.quit
Now, working.sql has the entire contents of the tsettings table (in my case, 1 row).
sqlite3 ~/Library/Application\ Support/iPhone\ Simulator/6.0/Library/Keychains/TrustStore.sqlite3
sqlite3>INSERT INTO tsettings VALUES(X'...
sqlite3>.quit
Again, the above sqlite commands didn't work for me, but might be a good starting point for someone else. Copying the entire TrustStore.sqlite3 from the backup into the simulator worked just fine.
Take a look at the iostrust Ruby gem: http://github.com/yageek/iostrust
When I started I couldn't get "Enable Full Trust for Root Certificate" to show up. I was using the certs I generated for nginx with openssl.
What worked was exporting the development cert from Keychain Access and downloading that with Safari in the simulator. Then the "Enable Full Trust for Root Certificate" showed up and I was able to get my application working.
Also, like people above have said dragging and dropping the cert on to the simulator doesn't work anymore. You can download the cert with Safari.
Related
I am trying to add new provisioning profile to my Xcode, to test an app on the device. Here are the steps I followed:
Deleted all certificates and provisioning profiles
Create/Add IOS Dev Certificate
Add My IOS Device Online
Create IOS Provisioning Profile
Add IOS Provisioning Profile
Clean App
Build Then Run App
Set Codesigning and Provisioning Profile In Build Settings
Lots of Googling > to no success
Here is the error I get:
CSSM_SignData returned: 800108E6
/Users/alexpelletier/Library/Developer/Xcode/DerivedData/MyExpense-efnqzvoqwngzcmazaotyalepiice/Build/Products/Debug-iphoneos/MyExpense.app: errSecInternalComponent
Command /usr/bin/codesign failed with exit code 1
Open Keychain Access, then in the File menu select Lock All Keychains.
Then go back to Xcode and clean and rebuild. It will prompt you for your password again to unlock the keychain.
After this, assuming you have no other compile issues, it will succeed!
This occurs when the login keychain is locked. To unlock the login keychain, run:
security unlock-keychain login.keychain
If your keychain is password-protected, specify the password using the -p option:
security unlock-keychain -p PASSWORD login.keychain
If you're using a continuous integration system, you'll likely want to inject the password via an environment variable/token, which most CI systems offer in their settings.
The error code in question is described in Apple's docs as an internal error, so it's entirely possible this occurs in other cases too.
It seems like a bug in the code signing mechanism, restarting your mac should solve the problem
Had the same issue on High Sierra/Xcode 9.4.1, all attempts to sign ended in errSecInternalComponent
Go to Keychain Access
Go to the login keychain
Select the category "My Certificates"
Find the certificate you're signing with and expand it to see the key.
Double click the key
Go to the "Access control" tab.
Update key access control to "Allow all applications to access this item"
Alternatively:
run codesign command on mac terminal and "Always allow" /usr/bin/codesign access to key
If trying to sign from ssh/CI you also need to run
security unlock-keychain login.keychain
before trying to sign app bundle
I have met the same problem. I restarted my macOS, and it works.
In China, we have a saying between developers:
Little problems, just restart. Big problems, should reinstall.
Sometimes, the above saying will greatly help you!
In case it helps someone else, I encountered an errSecInternalComponent error with codesign because I was running it over an ssh session to my macOS machine. Running the same command from a terminal window on the macOS machine itself worked.
Presumably this is because codesign needs access to the private key from the login keychain.
Running security unlock-keychain login.keychain (as explained by cbracken's answer) from the same session also should work.
As pointed out by @Equilibrium in one of the comments, if you are in a command-line environment like Jenkins (my case), you might need to pass the password to the security-unlock command mentioned in the solutions.
So instead of using,
security unlock-keychain login.keychain
use:
security unlock-keychain -p <login-keychain-password> <path-to-login-keychain>
where path-to-login-keychain can be $HOME/Library/Keychains/login.keychain (my case) or simply login.keychain
For anyone that encountered this issue from Jenkins and ssh:
High possibility that you have not granted access to the private key in keychain. I tried but not sure why all of these are not working:
security import .p12 file with -A or -T /usr/bin/codesign
security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k #{password} #{keychainPath}
change all provisioning profile to [UUID].mobileprovision and copy them to '~/Library/MobileDevice/Provisioning\ Profiles' on jenkins server
clean derived data and reboot jenkins server
make sure default keychain is login keychain and unlocked it.
finally resolved by:
1. ssh [user]@[jenkinsServerIP] -L 5900:localhost:5900, log into jenkins server
2. open 'vnc://localhost'
this will launch a remote screen, if your jenkins server allow this...
then open keychain.app to grant access of /usr/bin/codesign to the private key
good luck
Nothing from the above solutions worked for me.
The following solution worked for me...
First Open Keychain Access
Then Select Login And click Certificates
Double click Apple Worldwide Developer Relations Certificate Authority
Open trust section, and set to "Use System Defaults" from "Always Trust"
Clean the build folder and run
I ran security unlock-keychain login.keychain and my login password didn't work. So I rebooted, and then just ran Xcode again and it worked. Running the command works as well. Strange issue.
If trying to sign from ssh run command:
security unlock-keychain login.keychain
before trying to sign app bundle
or from UI
Update key access control to "Allow all applications to access this item"
Thx to @Equilibrium and @Jon McClung
I had the same issue. Found out the problem is with code signing the app.
Opened the developer account and accepted the updated agreement and it worked.
Right clicking on the private key associated with the codesigning cert in the keychain, and then clicking on 'allow all applications' instead of relying on a prompt fixed it for me, since the build was happening via ssh.
I had to:
1) delete the certificate associated to the project
2) Back to the Xcode and revoke the app certificate
3) The Xcode require a new certificate
4) Lock all KeyChain
5) Clean the project
6) Rebuild
That's it. Hope it helps to anyone.
If you get errSecInternalComponent after
Warning: unable to build chain to self-signed root for signer …
, you might have the wrong Apple World Wide Developer Relations root certificate in your keychain. In this case, make sure that you import the WWDR certificate with which your developer certificate was signed. I imported the WWDR certificate expiring in 2023 and two hours later finally realized that it didn't work because my developer certificate had been signed with the WWDR certificate expiring in 2030 (AppleWWDRCAG3.cer). Download page: https://www.apple.com/certificateauthority/
Posting a work-around that we finally had to resort to, in case someone else is running out of things to try...
After installing a new Apple Distribution certificate in our "login" keychain, our Jenkins job suddenly started to fail signing iOS apps with the same errSecInternalComponent error:
Command /usr/bin/codesign failed with exit code 1
Our build pipeline calls security unlock-keychain, and we have no problems with our Enterprise Distribution cert (which was coincidentally updated and installed in the same Keychain just a few weeks prior), where the unlocking works as expected.
After trying all the usual things mentioned in this thread and elsewhere, we ended up running codesign manually as the Jenkins user in a new Terminal window, taking the exact same command as found in the Jenkins log: /usr/bin/codesign --force --sign...
This prompted entering the password to unlock the Keychain, which we did, and then selected "Always Allow".
After that Jenkins manages to sign (as expected).
This is obviously a bit of a work-around since we might have to do this again when the cert has expired, and it's really strange that unlocking works for Enterprise certs, but not the cert used for distributing through App Store... They literally share the same pipeline.
Just try it once using mac terminal but not from ssh session
security unlock-keychain login.keychain
And choose always allow in the prompted dialog.
And then you could xcodebuild in the remote session.
The above methods are useless to me.
I resolved it by:
Open keychain access.
Click Login Menu.
Remove all personal certificates.
Clean the project.
Rebuild.
That's it. Hope it helps to anyone.
In my case, this solved.
xcode -> preferences -> accounts -> select the account -> manage certificate -> (+) in bottom left -> Apple development
Ref: https://stackoverflow.com/a/62646138/234110
In my case BUCK was trying to sign the IPA for development, but there were not any development certificates installed. Changing the build config to release (this is what I needed - to build for iTunes) fixed it for me.
Just wanted to call out what I did in case someone faces a similar issue. In my case my Apple dev and distribution certificates, keys and provisioning profiles were up to date. My iOS code build was working in user mode without any issue; however, it does not work due to a code sign issue when the code build runs with root privileges, i.e. % sudo or invoking Xcode using sudo through the command line.
So, I copied the corresponding working certificates and keys from the login to the system location in the keychain tool. Then it started working without any code sign issue.
Similarly, we can export the required certificates, keys for build from the working machine and import those into non working machine's keychain tool may solve the issue.
For me, I was able to sign files when using the Mac directly or via VNC, but not via ssh. I figured it must be something to do with access to the certificate within the keychain. I was already doing a security unlock-keychain [keychain name] but this didn't appear good enough.
What finally fixed it for me was (within a direct/VNC connection, not ssh):
Make sure the keychain in which your certificate resides is locked. Close Keychain Access.
Open Terminal
Do not run security unlock-keychain [keychain name].
Run a signing process using codesign tool. You will be challenged for a password to the keychain.
Enter the password and click "Always allow"
From now on I was able to use codesign via ssh, so long as I included security unlock-keychain [keychain name] before the command.
If you have a code signing certificate with the same name in the keychain, make sure you remove it. I had one which XCode reported as "Missing private key". I had to remove it via Keychain Access before the correct certificate was used by codesign.
I already made iPhone application thanks to all certificates and so on.
Now, I'm installing a second Mac to develop applications (the same applications) so:
I generated a Certificate Signing Request (with keychain)
I didn't upload it but I downloaded the Distribution Certificate (that I generated before with the old computer), and install it (in keychain again)
I Downloaded the Distribution Provisioning profile
The last File , I installed it and in Organizer, the status of the file is "Valid Signing identity not found".
How can I fix that problem ?
This is common operations but I always have trouble with all those certificates :-)
Thanks
Export your existing certificate from your old machine to your new one. This will make you skip all other stuff to do and it's easy as 1,2,3.
I'm having some trouble getting my app installed on my iPhone just after I built my code in Xcode. When the build has finished I get this error: "CSSMERR_TP_NOT_TRUSTED Command /usr/bin/codesign failed with exit code 1". My certs are ok, as I just re-downloaded them from Apple's site because I'm working on a different Mac.
I've tried a lot of solutions I found on Google: changed from "always accept" to "system default" on the cert trust section, re-downloaded the certs, created a new project and started all over again, but nothing seems to work.
However, I'm able to create an IPA file and install it on my iphone using iTunes, is this ok?? Also the certs were correctly installed on the iphone as on the organizer and the phone recognizes them.
I really appreciate any help! :)
In addition to the provisioning profile, you also need to download and install your developer certificate and the Apple WWDR intermediate certificate from the Provisioning Portal. Follow the instructions in the 'Certificates' section of the provisioning portal. You need to download your developer and intermediate certificates and drag them into the Keychain application.
I am attempting to deploy my first development iPhone app, and am running into some problems. I have successfully gone through the online Provisioning Assistant, but now I am stuck. No matter what I do, I always get the following error.
/usr/bin/codesign failed with exit code 1
Anyone have any ideas why this is happening?
Update:
The Technical Note in my original answer is now deprecated. Apple posted a collection of code signing problems (and some solutions) in a new document: Technical Note TN2407 Code Signing Troubleshooting Index
Check the CODE_SIGN_IDENTITY property in your build settings. Is your provisioning profile selected there?
You also need to enter a valid bundle identifier in your app's .plist.
The identifier has to match the one you provided when generating the profile.
Apple has a technote about that here.
I just came across this error, and here's what I found out in case this helps anyone: I discovered that you can right click the error message in Xcode and choose expand to get more details, including a description of the problem.
In my case, I had two copies of my developer certificate with the same name in different keychain files, and Xcode couldn't figure out which one to use.
It might be strange answer for codesign issue in Xcode 9.0. I was receiving this error too and did not know what to be done, because everything was correct.
I went to the keychain, I had the login option "unlocked". I locked it and compiled my build again. Xcode itself asked me to open access keychain. I gave access and it worked.
Steps were:
Go to keychain
Lock it
Archive the code, build the project again
I had the exact same error, and tried everything under the sun, including what was elsewhere on this page, with no success. What the problem was for me was that in Keychain Access, the actual Apple WWDR certificate was marked as "Always Trust". It needed to be "System Defaults". That goes for your Development and Distribution certificates, too. If any of them are incorrectly set to "Always Trust", that can apparently cause this problem.
So, in Keychain Access, click on the Apple Worldwide Developer Relations Certificate Authority certificate, select Get Info. Then, expand the Trust settings, and for the combo box for "When using this certificate:", choose "System Defaults".
Others have commented that you may have to do this in System and login keychains for these errors.
There could be a lot of reasons when you get this kind of error:
Check whether you have selected a provisioning profile which includes the valid Code Signing Identity and a valid Bundle Identifier in Settings. (Go to Build Settings->Signing->Provisioning Profile).
Open Keychain Access and click on the lock icon at top left, so it will lock the login keychain, and then click again to unlock.
Go to File->Project Settings->Derived Data and delete your project build folder. After that clean and build your app.
I had the same problem with the distribution build. It just happened all of a sudden. In fact I did not have this problem a few days ago and I had my Ad-Hoc version compile right. This issue came up because my certificate just expired today. So I went to create a new provisional following Apple's guidance: (http://developer.apple.com/ios/manage/distribution/index.action).
After spending hours on the net and making sure I had not fallen for what could go wrong, here is what saved me, as suggested by Tobias and Dan Ray:
"...discovered that you can right click the error message in Xcode to view details".
"...the issue was an expired certificate on my System keychain. Keychain Access doesn't, by default, show expired certs".
The detailed information told me about ambiguous matching two certificates. One of them happened to be an expired certificate in the System key chain. So I deleted the expired one then it worked! I also had a concern about what to enter in the "common name" when create the distribution certificate using the keychain utility: my name or my company name. In my case, I entered my name. I am guessing it is the same as the title that addressed by the developer's auto responder email.
Great help. Thanks.
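Several answers in this thread trace the failure to two signing identities with the same name, or to an expired certificate that Keychain Access does not show by default. The following added example (not from any of the answers) reads the output of `security find-identity -p codesigning` and reports both conditions; the sample output embedded in it is constructed, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag ambiguous and invalid code signing identities.
# Input is the text printed by `security find-identity -p codesigning`
# (run without -v so that expired entries are listed too).

# Constructed sample output: one name appears twice, one entry is expired.
sample_find_identity_output() {
    cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 1111111111111111111111111111111111111111 "iPhone Developer: Jane Doe (AAAAAAAAAA)"
  2) 2222222222222222222222222222222222222222 "iPhone Developer: Jane Doe (AAAAAAAAAA)" (CSSMERR_TP_CERT_EXPIRED)
  3) 3333333333333333333333333333333333333333 "iPhone Distribution: Example Co (BBBBBBBBBB)"
     3 identities found

  Valid identities only
  1) 1111111111111111111111111111111111111111 "iPhone Developer: Jane Doe (AAAAAAAAAA)"
  2) 3333333333333333333333333333333333333333 "iPhone Distribution: Example Co (BBBBBBBBBB)"
     2 valid identities found
EOF
}

# Reads find-identity output on stdin. Prints one tab-separated line per
# finding and returns 1 if there was any finding, 0 otherwise:
#   INVALID    <name>  <sha1>  <status>   entry carries a CSSMERR_* status
#   AMBIGUOUS  <name>  <count>            same name on more than one entry
audit_signing_identities() {
    awk '
        # The second section repeats the valid entries; stop counting there.
        /Valid identities only/ { in_valid = 1 }

        !in_valid && match($0, /"[^"]*"/) {
            name = substr($0, RSTART + 1, RLENGTH - 2)
            hash = $2
            seen[name]++
            if (match($0, /\(CSSMERR_[A-Z_]+\)[ \t]*$/)) {
                status = substr($0, RSTART + 1)
                sub(/\)[ \t]*$/, "", status)
                printf "INVALID\t%s\t%s\t%s\n", name, hash, status
                found = 1
            }
        }

        END {
            for (name in seen)
                if (seen[name] > 1) {
                    printf "AMBIGUOUS\t%s\t%d\n", name, seen[name]
                    found = 1
                }
            exit (found ? 1 : 0)
        }
    '
}

# On a Mac, audit the real keychains with: sh audit-identities.sh --live
if [ "${1:-}" = "--live" ]; then
    security find-identity -p codesigning | audit_signing_identities
fi
```

An AMBIGUOUS line means codesign cannot choose an identity by name; signing with the SHA-1 shown for the intended entry, or deleting the stale one, removes the ambiguity.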
If the error immediately preceding the codesign error says something like 'resource fork, Finder information, or similar detritus not allowed'
Then navigate to the .app file in Terminal and type:
xattr -cr <path_to_app_bundle>
ref: https://developer.apple.com/library/content/qa/qa1940/_index.html
What worked for me was adding --deep to Other Code Signing Flags in Build Settings.
More information here: Codesign of Dropbox API fails in Xcode 4.6.3: "code object is not signed at all"
Unfortunate that this ambiguous error condition has 400 different solutions, but I digress.
I had the same problem. In the end it turned out that my private key did not allow codesign to access it. One can see this in the info dialog in keychain application.
I have to agree with Tobias. The error is too generic. When the same thing happened to me I dug into the error message and realized I'd screwed up something in the build properties, but not the code signing. So yeah, I'd dig in to the details.
In my case error was due to the fact that I had two keys on the keychain with the same name. I deleted the old one and that solved the issue.
Going to the detail message show the real problem to me.
after hours of googling and trying out different things, this is what fixed it for me:
Make sure there are no certificates in the System > Certificates tab on Keychain Access. Remove all duplicate certificates from there.
Install the WWDR intermediate certificate under certificates from the provisioning portal, in addition to the developers certificates and make sure you see it in the Login > Certificates tab on Keychain Access.
hope this helps some of you!
Same issue with ambiguous (matches "iPhone Developer: [me] " and /// tweetdeck's library privatedata file. Fixed it by moving file to the trash and re-logging into Tweetdeck, setting up passwords again. What a pain.
I had the same problem but also listed in the error log was this: CSSMERR_TP_CERT_NOT_VALID_YET
Looking at the certificate in KeyChain showed a similar message. The problem was due to my Mac's system clock being set incorrectly. As soon as I set the correct region/time, the certificate was marked as valid and I could build and run my app on the iPhone
I was also getting this error ("/usr/bin/codesign failed with exit code 1"), and when I looked in Keychain Access my developer certificates were marked as "This certificate was signed by an unknown authority". I had recently upgraded to Mac OS 10.8 and have had a couple of other XCode (4.5.2) issues since then. It turns out I did not have the WWDR intermediate certificate installed. I downloaded that from the iOS Provisioning Portal, installed that in Keychain Access, and my project builds again!
When I got this error I wasn't even trying to sign the app. I was writing a test app and didn't care about signing.
In order to get rid of this message I had to select "Don't Code Sign" from Build Settings under Code Signing.
Sometimes your build folder simply needs cleaning - it certainly worked for me. Thanks to loafer-project for the solution.
One possible cause is that you don't have permission to write to the build directory.
Solution: Delete all build directory on your project folder and rebuild your application.
I just came across this error and it was because I was trying to write the build file to a network drive that was not working. Tried again from my desktop and it worked just fine. (You may have to "Clean" the build after you move it. Just choose "Clean all Targets" from the "Build" drop-down menu).
Tobias is correct though, dig into the details on the code by right-clicking it to see what your specific problem is.
One thing that you'll want to watch out for (it's a stupid mistake on my part, but it happens), is that the email address attached to the CSR needs to be the same as the email connected to your Apple Dev account. Once I used a new CSR and rebuilt all the certs and provisioning profiles, all was well in applesville.
Another reason,
Check your Developer account is connected with Xcode
Kinda old question, but still happens it seems. Another solution:
Occurred for me after reverting a branch in git.
Tried cleaning, cleaning builds, deleting derived and restarting Xcode, but no luck.
Try rebooting the comp.
I had the same unknown error from codesigning that you mentioned. Similar to the answer provided (but a little different), I just locked my keychain access and unlocked it, and I was able to build and run to my device again. If anyone has the same issue, perhaps try that first before going through the trouble of modifying the keychain password.
Throwing my comments into the ring, I just came across this after attempting to refresh my development environment after clicking DENY accidentally on one of the application requests, after searching around I found a number of things that didn't seem to work. This is the full order in which I've attempted the fixes and whether there was a success:
1) Attempted to clear the DerivedFiles and restart XCode - no dice
2) Attempted to Log and Unlock the Keychain, then restart XCode - no dice
3) Attempted to refresh my developer account within XCode - no dice
4) Bit the bullet and just reset my entire keychain, after doing so my developer account was signed out (signed back in), then restarted XCode - no dice
5) Found an article on here that said that we needed to set the [login|local|System]/certificate/Apple Worldwide Developer Relations Certificate Authority to "System default". But in my case it was already set to system default - no dice
6) Then I looked at my actual developer certificate login/my certificates/Mac Developer: and when I looked in there it was correctly set to Confirm before allowing access BUT there was no entries in the lower section. There should be [Xcode, codesign, productbuild]. I deleted the certificate entry and restarted XCode - bingo
The certificate was added and I was then prompted. So what did I do, I pressed "always allow" and then just boned myself.
I had to go back and delete the certificate again, then go through about 20 allow dialogs during a clean build. Once completed, I was able to build completely.
In my case, after a few days of research,
all I did to resolve it is listed below:
Delete all the certificates on your keychain.
Go to your Apple account. a) Download the specific certificate you want to install on your keychain. b) (Optional) Also create and download the required profile.
in Xcode, clean your project. This may take some time.
Build your project.
This should work for similar codesign issues.
Note, during this process the OS would ask for your credential validation.
I use Xamarin and for me this is what worked after trying everything else.
In Visual Studio for Mac I've opened a .xib file so it opens the project in Xcode.
Went to the project settings > Signing and Capabilities, selected the team and then fixed the Signing Certificate.
I think the issue is with the Keychain Access and certificate trust.
Try adding the following certificate Apple Worldwide Developer Relations Certification Authority from https://www.apple.com/certificateauthority/ (Expiry validity 2030)
The trust warning indicated in certificate will be fixed and then try building the iOS application again
Open the project path in terminal and enter the below commands in terminal
1) find . -print0 | xargs -0 xattr -c
2) xattr -rc .
This works for me.
I have created a new iPhone application. I have two Mac machines. I have created the certificate for running the application on the iPhone on one Mac. Can I use the other Mac for running the application on the iPhone? But when I try to do so I get an error "Codesign error:Code signing is required for product type "Application" in SDK Device iPhone OS 3.1.2". Please someone help me.
Regards,
krishnan.
Have you transferred your credentials to the second Mac? They are stored in your keychain.
You may need to read up on how Code-signing works: http://en.wikipedia.org/wiki/Code_signing
Here's an overview:
Developer creates a Certificate via a Certificate Authority (CA)
This certificate is used to 'sign' the binary, providing 'proof' of who created it
Developer then uses the Certificate to sign the binary (this is the step you're missing on the second MAC)
This is handled via xcode, assuming you've followed the detailed steps on http://developer.apple.com/iphone
Clients using the binary can now verify the Certificate against a known CA to ensure the integrity of the build.
Also check that you are code signing on the target as well when you do the Archive build
Spent hours to figure this out. Actually you need to click on Project --> Build Settings --> click target --> code sign..
THIS IS not apparent