It’s that time again

Apple gorram certificates and such.

I can build, sign and notarise for web.
All my app store and iOS stuff expired in Feb.
I have requested new certificates, profiles etc, and I have a full set.
Every one of them says it is missing a private key and I have no idea how to get one.

Any ideas?
Building for iOS says I have no provisioning profile for the app I was shipping 2 months ago, despite me getting a shiny new one.

Restart your Mac completely after changing keys.

Sadly, Nope.

Created, downloaded, installed…

You might need to download a new private key from Apple dev. I have never done this, as they have always been created by someone else’s account, but this is from Apple.

Revoke, edit, and download keys - Manage keys - Account - Help - Apple Developer.

Looks like you can download your private key once. Maybe renewing it created a new private key.

Well, I managed to create a p8 file and downloaded it.
What to do with it is a mystery.
It won’t open with KeyChain, (and it only seems to allow services like Mapkit and a few other things I will never use.)

(It talks about being able to revoke an existing key, but there is no ‘revoke’ button on the screen it mentions).

Jobs died, and all his foundations proved to be false, or people at Apple destroyed his foundations.

“I love it when you can bring really great design and simple capability to something that doesn’t cost much. It was the original vision for Apple."

“It takes a lot of hard work to make something simple, to truly understand the underlying challenges and come up with elegant solutions.” As the headline of Apple’s first marketing brochure proclaimed in 1977, “Simplicity is the ultimate sophistication.”

– Steve Jobs.


Open it in a text editor and see what’s inside; it is just a text wrapper, apparently.

“To answer the question though, the .p8 key is simply a string of text identifying your private key. What you can do is open this with any raw text editor and then create a new password in your system keychain, name it something unique, then store the text as the password. This is really your only option for putting this into the system keychain, but depending on the environment where this exists, you might want to use a custom keychain and then reference that keychain specifically when working with the API or environment in which you are building to interact with the App Store Connect API”

Seems a bit odd

Seems a bit odd
Incomprehensible is a more accurate word, sadly

How do you manage your certificate requests, via Apple’s websites? This often results in missing private keys.
Using Xcode’s Preferences is a better way to request new certificates…


Did you set up a new provisioning profile or update the old one with the new certificate?

Yes, I got the certs from Apple’s website.

Did you set up a new provisioning profile or update the old one with the new certificate?

The old one ‘vanished’ but may be on an older laptop.
I made a new one
How does one update one with a new certificate? There’s no mention of that on the Apple site.
Several options now say I have requested all that I am allowed to have.

At least, I get your pain. Whenever it’s time to renew my certificates, I know there will be weird errors, trials, and a graveyard of expired and incompatible certificates and a ton of various kinds of them (among possible valid ones, but who knows?). Just a mess (because Apple won’t care to document things for outside of Xcode).
Each year, my keychain is filling with various certificates…

I went back and forth for months with the Apple Developers on this. I have dutifully backed up my certificates and moved to a new Mac, but it would not allow my certificates to be imported. I asked for them to clear my existing certificates, but they refused.

I asked what they would do if someone’s Mac was stolen or destroyed, but the lack of answer sounded like crickets.

My experience too.
Over the years I have swung back and forth between
‘Maybe if I set up a new developer account…?’
‘EFF it. iOS development in Xojo is a waste of time and a lot of money’

At this moment, using Sam’s App Wrapper Codesign checker, I can say that certificates obtained using Xcode’s manual download routine, show the inclusion of a private key in the certificate.
So anyone else reading this, DON’T do the keychain request / Apple site / download route!

But incredibly, the things you can download inside Xcode are fewer than the types you can download from the Apple Dev site, and they have different names too.

In System, none of these have a private key (note the lack of > at the sides…)

In login:

The ones with > came from Xcode, have private keys, and App Wrapper likes those.

No sign anywhere on my machine of the provisioning profile for my app, and no download option for the same, inside Xcode.

Xcode can build happily using the manually created and downloaded profile I made, which now has a private key.

So the most infuriating aspect is this one:

because it suggests to me very clearly that Xcode could do its ‘internal magic’ if only Xojo passed this parameter to xcodebuild.
Am I naive? Why isn’t that the default if it would make things ‘just work’?
The profile exists.

Here in the profiles folder are two autogenerated ones by Xcode, and the manual one I put there with fingers crossed.

Have you tried the latest beta of my profile triage tool?

That’ll give you a good overview of what state your certs and profiles are in. Hovering over the profiles will tell you what’s wrong with them.

The Cleanup command is currently broken, but Download is working just fine. If you do that and then select, right-click and remove the ones that only exist on your computer, it may fix the issues you are having.

Edit > Profiles > Download

I’ll be back at my desk later this afternoon if you still need more help clearing this up.

Not 100% sure of what it is telling me. 🙂
The one I am interested in appears OK:

There are a number of red ones… I’ll delete them and see what happens.

That’s kind. I’m on UK time, so I may be zzzzz by then. I’ll report back after testing.
3 red lines will not delete.

I may now have made progress with Greg’s app (thanks Greg), and will be testing more later.

My takeaways are this:
For use in Xojo, don’t rely on certificates and profiles generated on the Apple site.
They don’t get installed properly after you download them.

Do create certificates and profiles there, and make sure they include as many certificates as you are offered.
Create both Development and Distribution profiles for your app, because even if you have done with developing, it doesn’t seem to allow you to build for App Store (Distribution) unless you also have a Development cert.

To get these to work / installed properly, you need to use Xcode rather than ‘double click a downloaded file’

  • Create a project with the same URL as your Xojo app (eg com.yourbusiness.yourapp)
  • Set automatic signing to false
  • Then download profiles for both debug and release

That puts certificates into the keychain, and profiles into the hidden folders that Apple uses.

Greg’s app identifies certs and profiles which have an issue, showing them in red.
By right clicking, you can remove the bad ones from keychain and Apple site, and/or from disc.
Stripping out the red ones helps avoid any possibility of confusion.

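The check this thread keeps circling, as an added example that is not from any poster or from the tools mentioned: a provisioning profile can only sign if one of its embedded certificates also appears in the keychain with its private key. The sketch takes the text printed by `security find-identity -v -p codesigning` and the plist printed by `security cms -D -i <profile>`; the certificate bytes, names and team ID below are constructed placeholders.

```python
import hashlib
import plistlib
import re

# `security find-identity -v -p codesigning` prints one line per certificate
# that has its private key in the keychain:  1) <SHA-1> "Common Name"
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.*)"', re.M)

def keychain_identities(find_identity_output):
    """Return {SHA-1: name} for certificates paired with a private key."""
    return {h.upper(): n for h, n in IDENTITY_RE.findall(find_identity_output)}

def profile_report(profile_plist, identities):
    """Check every certificate embedded in a decoded provisioning profile.

    profile_plist is the plist printed by `security cms -D -i <profile>`.
    Returns (profile name, [(SHA-1, identity name or None), ...]).
    """
    profile = plistlib.loads(profile_plist)
    rows = []
    for der in profile.get("DeveloperCertificates", []):
        sha1 = hashlib.sha1(der).hexdigest().upper()
        rows.append((sha1, identities.get(sha1)))  # None: no private key here
    return profile.get("Name"), rows

def can_sign(rows):
    """A profile is usable only if at least one of its certs has a key."""
    return any(name is not None for _, name in rows)

# --- Constructed sample data (placeholder bytes, not real certificates) ---
CERT_WITH_KEY = b"constructed DER bytes: cert with private key"
CERT_WITHOUT_KEY = b"constructed DER bytes: cert without private key"
SAMPLE_FIND_IDENTITY = (
    '  1) %s "Apple Distribution: Example Ltd (TEAMID0000)"\n'
    "     1 valid identities found\n"
) % hashlib.sha1(CERT_WITH_KEY).hexdigest().upper()
GOOD_PROFILE = plistlib.dumps(
    {"Name": "Example Distribution", "DeveloperCertificates": [CERT_WITH_KEY]})
ORPHAN_PROFILE = plistlib.dumps(
    {"Name": "Example Orphaned", "DeveloperCertificates": [CERT_WITHOUT_KEY]})

if __name__ == "__main__":
    ids = keychain_identities(SAMPLE_FIND_IDENTITY)
    for blob in (GOOD_PROFILE, ORPHAN_PROFILE):
        name, rows = profile_report(blob, ids)
        print(name, "OK" if can_sign(rows) else "no matching private key")
```

A profile reported as having no matching private key is the situation described above: the certificate is installed, but the key generated with its signing request is not on this Mac.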