Andreas asks:
With Device | Debug and Code Sign “iPhone Developer” I have no problems getting my app onto the device, but with all other configurations I get this strange error message in XCode Organizer.
That’s a weird error that most of us have encountered one time or the other. Here are my hints how to get it fixed.
Step 1 – Check your Certificates
Make sure that the Login keychain is set to be default. There are applications like supposedly Adobe AIR that change it literally over night. Then you get a message “A valid signing identity matching this profile could not be found in your keychain” in Organizer. Go into keychain access, right-click on the Login keychain and save as default. The message in Organizer should disappear right away.
If you select the Login keychain and “My Certificates” below you want to see your “iPhone Developer” and “iPhone Distribution” certificate with private key attached and valid. The root certificate for these “Apple Worldwide Developer Relations Certification Authority” you want to be present in the system keychain.
Check if XCode is allowed access to the private keys dangling below your certificates. Right-Click on the private key, Get Info. I have it on “Confirm before allowing access” and the following applications are set to always being allowed: codesign, Certificate Assistant (2), Mail, iChat and racoon. I never had to change anything there but it cannot hurt to check.
In Technical Note QA1618 Apple also states that Online Certificate Status Protocol (OCSP) or Certificate Revocation Liste (CRL) might cause problems and recommends leaving them in the default OFF position. Keychain Access – Preferences – Certificates. Again, I never had to change anything there.
Step 2 – Check your Profile
This error means that for some reason the iPhone mobile installer cannot verify the signature of the app. So, first make sure that you actually have a suitable ad-hoc profile loaded onto the device. You can either look in organizer …
Or check on your iPhone itself under General – Profiles:
Several times it happened to me that I was totally sure that I had the correct profile only to find after intensive search that I had not added the device to the ad-hoc profile. I had added my iPhone, but I forgot about my iPod Touch.
If you are uncertain, it does not hurt to quickly check on the dev program portal if your profile includes:
- your device amongst all the others you might have added
- an asterisk or the appropriate bundle identifier prefix
- the correct certificate
Step 3 – Check Your Build Settings
Now that you are sure all is correct with the provisioning profile you need to check if you are using the correct Code Signing Identity. Be sure to check both the project root build settings as well as the settings specific to your target. They might be different!
In the latest version of XCode I found this useful automatic setting. If you choose “iPhone Distribution” it will automatically match your ad-hoc profile. This might also work on earlier versions of XCode but if you want to make absolutely certain that a specific certificate is used then select it there.
Step 4 – The Secret Ingredient!
If you read the documentation on the program portal you know about this step, but Andreas did not. For some esoteric reason for ad-hoc distributions you are required to create an entitlements file in your project and add “Entitlements.plist” in the build settings under “Code Signing Entitlements”.
Add – New File – Code Signing – Entitlements. Make sure the file looks liks this:
In the above build settings you did not see it, I have only added it in the build settings of my target. Right-Click on your target, Get Info.
For Debug and App Store Distribution builds this file and setting are ignored. I have several apps in the store which still have the Entitlements.plist file present, so you don’t need to worry about it. Only for ad-hoc it is mandatory.
Step 5 – Check Your Build
Now you also want to make sure that both the correct certificate is used and the embedded. I routinely Build – Clean All Targets when I am ready to do the finaly build for a release. If you don’t the embedded.mobileprovision file might not get packaged in and without it the app might get rejected right away by the submission process.
Start the Build and switch to the Build Results screen. Switch to text mode by clicking on the small button in the lower left hand corner with the lines.
Check for:
- your ad-hoc mobile provisioning profile turns into the embedded.mobileprovision
- the Entitlements.plist gets packaged in
- your correct certificate is used for signing
Step 6 – Did You Reboot Your Computer?
If you still get the error you can try out the option to “Empty Caches” under the XCode menu item and build again. I’ve seen that fix the problem a couple of times before.
If all of the above fails you might tap into ancient IT wisdom and do what fixes more than half of IT problems: reboot your iPhone. Don’t laugh, I have seen this fix this error on numerous occasions.
In the end the iPhone is just another computer, sometimes processes might get stuck in a weird state, especially if you do advanced stuff like debugging over USB. A quick reboot and all is well.
NB Entitlements.plist if only required for Ad Hoc provisioning and not for App Store Distribution. However the rest of the steps can be used if you have the same issue when building for a distribution build.
Thanks for the note, I added it in the text.
This code signing is a madness, it really is… This morning I had the problem you gave a solution for in Step 1: the Login keychain stopped being default in my system, no idea why… I was lucky to find your blog, it saved me a few frustrating hours…
Thanks!
Glad to be of service!
Allow me to direct your attention the following methods how you can return the favor:
– notice the advertisings on this blog
– get the fastest mobile report downloader: MyAppSales
– get AntiCrack, taking the pain out of copy protection
– donate any small dollar amount to PayPal oliver@drobnik.com
– or use my tipjoy Tip Jar
Or:
– request a public report downloading API from API via my petition
– spread the word about parts of my output which you found useful
Hello,
I am stuck with the code signing problem, since I download SDK 3.1.3. I cannot push my application to the iphone. In the Organizer, I still have the message: “A valid signing identity matching this profile could not be found in your keychain” and I cannot find, as you suggestion “Set as default” in the Keychain Access. The only choice I found is “New/Add/Delete/Lock Keychain” or “Change Settings or Password. I am also generated a new certificate, but still same result. Could you help me?
Hi,
which of the keychains is typed in bold? You can right-click on a keychain and make it default it is not so already. If you need more help then we need to to a desktop sharing conference where I walk you through all the checks I can think of.
Hi,
“login” Keychain is in bold. I guess it’s already the default one. But I still get the error “A valid signing identity matching this profile could not be found in your keychain”. Is there another way to get rid of this message?
Unfortunately, I am not allowed to make a desktop sharing conference, as my company works with secure informations.
André
Then this guid is all the information available to help you solve the problem. I suggest you walk through it.
Hi Dr,
I am also having the “A valid signing identity matching this profile could not be found in your keychain” problem. My keychain was already set to default so changing the default keychain to something else and back again has done nothing…
I have previously been working fine but after my last certificates expired – my new ones refuse to work. Have you any other ideas for solving this? Any ideas would be gratefully received! I’ve created and installed so many new certificates in the last couple of days (and matching profiles) I’m going nuts.
Thanks, Craig
Craig,
did you check if the Apple root certificate is still valid? Did you remove and reinstall the appropriate provisioning profiles? Did you select the new provisioning profiles for ALL debug/release/distribution ?
I can only think of looking over your shoulder in screen sharing and we go through all the pieces together. Maybe 4 eyes see more than 2.
regards
Oliver
Thanks for the quick reply. Yes – installed new Apple Worldwide Developers Relations Certificate and re-installed prov profiles..
Can’t actually select the new profiles in the Target settings because of the error. In Organizer I get warning triangles on the Prov Profiles…
Would love to have you check it through with me.. if you’re kind enough to do that and have the time… let me know what to do..
Thanks, C
One more thing to check. Have a look at the access control for your private key. Get Info – Access control. How does this look?
New evidence has appeared that actually you where one of the first to stumble on a new bug on the Apple website! New provisioning profiles are currently missing a vital section. See my new blog post here.
I finally find out the problem. I just renewed my license and everything get solved at its own. That’s strange, because my old license was still valid…
André
I need your help on this… hjsqueiroz at gmail dot com
Thanks,
Hermano
Just to add my fix…
Use right click on a target to edit the provisioning profile used. Targets can be seen on the left of the Project window.
DO NOT USE the menu item Project->Edit Project Settings
Hi,
I am new to this iPhone Development and am part of a small team. Did the right steps (I think) but when I drag-and-drop the provisioning profile and activated the approved certificate I get the dreaded “A valid signing identity matching this profile could not be found in your keychain” banner. Are you able to assist in any way?
JN
Step #1 – How do you add codesign if its’ missing?
Also, I have 5 pairs of public/private keys. How do I know which ones are being used. Should I delete 4 sets?
Step #5 – My build text doesn’t look anything like yours. I don’t have a Provisioning or Codesign paragraph …
Thanks for your help. Great article.
Brooks
#1 you choose a provisioning profile in the build settings for either the whole project or individual targets. You set a different profile for each build type.
you should remove all keys and only have the certificates “iPhone Developer: Your Name” and “iPhone Distribution: Your Name” with private keys attached.
#5 because you have not chosen to sign your app as mentioned in #1.
Thank you very much…. i got crazy after my certificates expired….