Assigning a private key to a developer certificate

Hi,

I’ve yet another issue with certificates. I discovered it last week when I could no longer sign iOS apps and I assume it was because I moved to Mac OS 15 (my experience being that all these certificates and profiles must be re-dealt with each time an OS change is performed, and that’s always a nightmare).

I’ve since deleted all certificates from all keychains, re-downloaded them from my developer’s account and double-clicked them to re-import them in the keychain. Then I went to XCode to download manual profiles and manage certificates (since I’m lost with these certificates confusions anyway, I try all the usual options…). XCode tells me many certificates have a missing private key.

I also checked in Apple Profile Triage, which only lists 4 certificates and a single item in the bottom list. Application identifiers and devices are empty. That’s weird (I have filled my Apple Store API in preferences).
App Wrapper shows 18 warnings and won’t let me sign my desktop apps (no certificate seems valid). It also mentions missing private keys, but there doesn’t seem to be further help there either.

I know that a private key must be linked with a certificate, but I don’t know how I can create a new private key and associate it with the existing certificates.

What a mess… Advice would be really welcome.

Have you looked at this page of @Sam_Rowlands :

https://ohanaware.com/blog/202129/How-to-purge-and-re-install-code-signing-identities.html

I appeared to have certs with missing private keys, but perhaps the trick is to install the certs with Xcode (instead of Keychain). Perhaps what then happens is that by doing so, you are asking Xcode to generate a private key for each certificate that it installs. Otherwise I could not understand where the suddenly-existing private key came from.

Yes, I followed that page when removing all certificates from the keychains. However, these steps are outdated and the reinstall section is too different (I don’t have “create” or “reset” buttons (and have never seen them in XCode)).

So I tried your suggestion (removed all certificates from keychains and went to XCode; I clicked on “Download manual profiles” then “Manage certificates…”). XCode now shows the status of all the certificates as “Not in keychain” (obviously). XCode doesn’t seem to install the certificates automatically. I also tried drag&drop of the certificate files to XCode’s icon, but that is for viewing them. Am I missing something?

Thank you.

Best is to revoke your certs and create new ones. This also resets the amount of certs you may create.

Note: sometimes you need to wait an hour or so before you can create new certs.

If you do that, you will also need to regenerate and redownload all of your profiles because the certs are embedded in them.

That’s true but Xcode does that for you with one click.

Are you saying that there is a way of revoking “Developer ID Application” and “Developer ID Installer” certificates? Nothing I do seems to allow me to do that. Even contacting Apple fails to allow it to happen.

Of course that is possible. Always was.

Thanks for your answer.
Is it really designed that way, where one has to revoke all certificates and start from scratch each time the OS/XCode is updated? Ironically, I don’t find it most useful…

But there’s no better way, is there?
Thanks.

Only revoke the certs you have trouble with.

Of some use would be a simple explanation of how a private key relates to a public one, how one generates a private key, and how that is then added to a certificate in such a way that the certificate then “works”, whatever that may mean.

Further - if I create a certificate which has a public key, and then download it, what is to prevent someone copying it off my machine (by whatever means), putting it on their own machine, and adding their own private key to it? Voila! They become me.

You’ve got that backwards. The secret part is the private key. The public part is the part you can give away to anyone. They are a matched pair.

When you sign a piece of code, your system uses the private key to do that. The public key is embedded in your provisioning profiles so that the device (and Apple) can verify that the software came from you. That’s why certificates are in your keychain, to help prevent someone else from accessing them.

And yes, if someone stole both parts of a certificate, they could impersonate you.

If they are a matched pair, and if it’s there when I sign stuff, when did I generate it? I don’t recall doing that. And if it is there, why do certs end up on my machine without a private key? Whose job is it to add the private key to the cert? Why doesn’t keychain do that?

There are many undocumented reasons people lose their private key; the most common one I come across is when they migrate to a newer major release of the macOS.

If you get the certs from the web, you submit a CSR (IIRC) to Apple which I assume contains data used to generate a private key. I guess Xcode automagically handles this for you.

When you request a new cert, the private key is added when installed. Xcode does this.

You can easily make backups of private keys. But in my experience it is better to revoke and create new certs.

Sorry, is that in response to me (Are you saying that there is a way of revoking “Developer ID Application” and “Developer ID Installer” certificates?) because if so I can’t find any way of doing this. Nothing in the website account, nothing in Xcode and nothing in Keychain, other than deleting certificates, which just breaks the other two parts.

If you are saying yes, it is possible please say how. I would love to reset everything and start again.

I just started the process of adding certificate generation to APT and based on how the API works, I suspect the CSR creation generates the private key, the CSR is transmitted to Apple and then the registered public key is returned. The advantage being that Apple doesn’t need to ever hold your private key.

If anyone wants to try that out, it’s available in the latest 3.5 beta.
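The two explanations above (the private/public key pair that signing relies on, and the CSR flow in which the private key is generated locally and only the certificate comes back from Apple) can be walked through with OpenSSL in a few commands. The script below is an added example and is not code from this thread, from Xcode or from APT; it uses a self-signed certificate as a stand-in for the one Apple would issue, and the file names and subject fields are made up. Its last function is the check that Keychain and Xcode effectively perform when they report “missing private key”: the certificate only carries the public key, so a private key file either produces the same public-key fingerprint as the certificate or it is not the matching key.

```shell
#!/bin/sh
# Added example (not from the forum thread). Shows how a private key, a CSR
# and the issued certificate relate, and how to test whether a certificate
# still has its matching private key. File names, the subject and the
# self-signed issuer are assumptions standing in for the key Xcode keeps in
# the keychain and the certificate Apple returns for a CSR.

# SHA-256 fingerprint of the public key implied by a private key file.
pubkey_fingerprint_of_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key embedded in a certificate.
pubkey_fingerprint_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key carried in a CSR.
pubkey_fingerprint_of_csr() {
    openssl req -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when KEY is the private half of CERT's public key, 1 otherwise.
# This is the pairing a keychain needs before a certificate is a usable identity.
key_matches_cert() {
    key="$1"; cert="$2"
    kf=$(pubkey_fingerprint_of_key "$key")
    cf=$(pubkey_fingerprint_of_cert "$cert")
    [ -n "$kf" ] && [ "$kf" = "$cf" ]
}

# Builds a complete identity in DIR: private key -> CSR -> certificate.
# The private key never leaves DIR; only the CSR (public key + subject) would
# be sent to the issuer. The certificate is self-signed here; Apple signs it
# in the real flow.
make_identity() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" \
        -subj "/CN=Example Developer/O=Example Org" \
        -out "$dir/csr.pem" 2>/dev/null
    openssl x509 -req -in "$dir/csr.pem" -signkey "$dir/key.pem" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
}

# Stand-alone demonstration: the freshly made identity matches its certificate;
# a second, unrelated key (the certificate survived a migration, the key did
# not) does not, which is the "missing private key" situation.
demo() {
    d=$(mktemp -d)
    make_identity "$d"
    echo "CSR  pubkey: $(pubkey_fingerprint_of_csr "$d/csr.pem")"
    echo "Cert pubkey: $(pubkey_fingerprint_of_cert "$d/cert.pem")"
    echo "Key  pubkey: $(pubkey_fingerprint_of_key "$d/key.pem")"
    if key_matches_cert "$d/key.pem" "$d/cert.pem"; then
        echo "key.pem matches cert.pem: usable signing identity"
    fi
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.pem" 2>/dev/null
    if ! key_matches_cert "$d/other.pem" "$d/cert.pem"; then
        echo "other.pem does not match cert.pem: certificate has a missing private key"
    fi
    rm -rf "$d"
}
demo
```

On a Mac the same pairing is what `security find-identity -v -p codesigning` reports: it lists only certificates whose private key is present in a keychain, which is why a certificate re-imported from the developer site alone (public key only) never shows up there until the original private key is restored or the certificate is re-issued from a new CSR.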