NOTE: You might want to check out my guide to fix code signing problems.
I am getting tons of reports of developers who had to renew their expired certificates and who now find their new profiles unusable. Also affected a developers who had to add new devices to their ad-hoc profile.
Even though everything is done by the book, they are get a “A signing identity matching this profile could not be found in your keychain”.
I experienced certificate expiration first hand, but that was some time before WWDC and so I had no problem creating new certificates and provisioning profiles. But last week, right after WWDC, Apple amended the online process to accommodate new provisioning profiles for push-enabled apps. You have to create a new app id and thus provisioning profile for each and every push-enabled app you want to distribute.
It currently seems as if this change to the process causes non-push-enabled profiles to be faulty in a way that even though the poor developers do everything right they still wind up with the above error message and no way to fix it. Not even my handy guide on how to fix code signing errors helps. I know because I went through it together with several affected developers.
So far we were unable to find a method to make XCode recognize the valid signing identity being present in the login keychain.
Regarding this error Apple has updated Technical Note QA1618 on May 29th. Of the mentioned 4 possible causes only the last one was new to me.
- Your Keychain is missing the private key associated with your iPhone Developer or iPhone Distribution certificate.
- Your Keychain is missing the Apple Worldwide Developer Relations Intermediate Certificate.
- Your certificate was revoked or has expired.
- Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) are turned on in Keychain Access preferences.
If you are one of the unlucky ones who are affected, please let me know if a solution presents itself. I guess all you can do is call Apple and demand that they fix it. Otherwise this is a major failure on their part.
UPDATE: GGG reported that Apple has acknowledged the problem as being on their side:
This is a follow up to Bug ID# 6975707. After further investigation it has been determined that this is a known issue, which is currently being investigated by engineering. This issue has been filed in our bug database under the original Bug ID# 6975258. The original bug number being used to track this duplicate issue can be found in the State column, in this format: Duplicate/OrigBug#.
Thank you for submitting this bug report. We truly appreciate your assistance in helping us discover and isolate bugs.
UPDATE: If you open such a non-working provisioning profile with any text editor you might find when comparing it to a working on that the <key>DeveloperCertificates</key> is missing. This usually contains references to developer certificates. This has been acknowledged by an Apple employee on the official forum:
Yes. This is a known bug that was reported last night (rdar://6975258/)
We non-Apple folk cannot open those bugs with the rdar URL. But the “Yes” tells the whole story.
UPDATE: A workaround has manifested for people with expired certificates. Last time my certificates expired I was able to continue to use them for a while by setting back the system clock by a day. Loungefan tested it using the magic of his timemachine and reports success:
You are a genius! I also love my time machine. I had been messing up with both my key chain as well as my provisioning profiles in XCode. I restored a bunch of files from the following locations using time machine’s copy of yesterday morning (which is before I started changing things):
~/Library/MobileDevice/Provisioning Profiles/<everything in here>
~/Library/Keychains/login.keychain
After restoring the above items using time machine, I dated back my computer to before the expiration (Jan 16, 2009). Now I can build and deploy into my device again. I don’t have a 3.0 device yet but at least things have started working again. I am using XCode with the latest GM SDK seed. So the problem is not XCode.
Thanks…
UPDATE (the next morning): Developers are reporting that after a downtime the creation of provisioning profiles started functioning again. Apple has silently repaired it without further ado. There was no official announcement but only developers telling other developers the good news via their social media of choice.
Categories: Apple
This problem bit my team last night; 2 people wasted about 3 hours going through all the steps multiple times, from scratch, making sure they were doing everything right. How did Apple possibly push this live with it *leaving out developer certificate references* from the profiles? That seems like maybe an important, integral part of the profiles?
Well Jordan, so far your team is leading the pack in being the first ones to have wasted time on this. and 2 guys times 3 hours is around $600 lost in my book. So you are also the first to admit having lost money over this.
I absolutely agree with you. I thought that’s why you should do regression testing on new releases, so that you don’t f*cking break thousands of peoples’ processes.
Thanks for the information about this issue and the updates.
So, it looks like developers are dead in the water until they fix the provisioning profile generation process. I completed testing of my app and I was planning to build and and submit my app to iTunes today. Guess I’ll find something else to do for the day(s) until this is resolved.
Has anyone found a way around this?
Last time I had the problem of an expired certificate I was able to set the system clock back a day and then my certificate worked again. That might be a useful workaround until the proplem gets fixed.
I’ve wasted about $300 on this so far. I’m relatively new to iPhone/cocoa development so I always assume “it’s my fault”. It’s nice to know that this time it isn’t 🙂
I just went through the entire process of requesting/installing certificates and updating/downloading/installing provisioning profiles 3 times, double- and triple-checked all keys, read all the help and info on the program portal, searched on the internet etc. with no luck.
They better fix this fast or I won’t be the only one who’s a bit pissed… 😐
Well, I spend 3 hours on this so far, looking for the problem finding the reason and now one hour telling people that they can stop searching because it’s Apple’s fault. 🙂
There is a workaround available for people with expired certificates. I updated the blog post with it.
unfortunately I need to add new devices to a provisioning profile. nothing I can do, it seems… At least now I know that it’s not my fault… I would have gone on forever… 😉
Looks like we’re back in business. I was just able to create a new provisioning profile for both development and distribution builds.
same here. all my profiles had been set to invalid this moring, I renewed – downloaded – installed – and it works again! yay!
still a bit angry at Apple though… They show too much of their _let’s pretend it never happened_ attitude these days…
Im still stuck on this problem , same message on the Organizer > Provisioning Profiles .
The problem started today , after upgraded the SDK to the 3.0
I made all the way back as you done , new CSR , aproved new certificate downloaded it , new provisioning profile, cleaned the iphone dev profile … (Empty caches, clean all on build)
No way , always the same message in the Provisioning Profiles.
Is there anyone with a helpfull ideia of want am I missing here?
Thanks, Diogo Serra
Im writting this as a reply , because I resolved my problem. I readed again the Message on the Organizer > Provisioning Profiles and it was saying :
– “A VALID signing identity matching this profile could not be found in your keychain ”
which is DIFFERENT from yours:
– “A signing identity matching this profile could not be found in your keychain”
So i went again to keychain to check my certificate i discovered that if i double click on the certificate to add it to keychain it goes to Microsoft_Entity_Certificates (and no my Kechain Default is LOGIN).
So i just grabbed the certificate and dropped it on the Login (is i tried Import items > and choose login but no luck too ) and my problem is SOLVED. Next time i went to Organize everything was ok no message and i coulg Build and GO to my iphone…
Sorry if the explanation of the solution is a bet summarized. If you can’t solve your problem please leave a message here with your question and i will be notified by email so i can try to be more accurate to answer you
Hi Digas,
I get the message “a VALID signing identity matching this profile could not be found in your keychain”.
When I doubleclick the .cer file (which I downloaded with the “invalid” provisiong profile) the certificate is being added to login/certificates, but I see nothing happening at login/keys (I recall there was a developers public & private key pair prior to 3.0).
Any ideas with that maybe? :/
Sounds like your keys are incorrect. you need to make sure you get the proper private/public key pairs first before everything else.
Oh sorry, I figured it out myself. I didnt have the private key in certificates. I remade all the certs and now this part is working. I just dont have a clue where I can find MY “yourcompany” string. I dont know what I used when I set up my account. 🙁
Sorry to bother again. I really cant find the “yourcompany” string for the Identifier. I have been looking around my developers account and tried Google, but had no success. So building is failing telling me “a valid provisioning file matching the applications Identifier ‘com.blabla.appname’ could not be found’ where blabla is the part I cant figure out through my dev account. Do you probably have any hints for that? 🙂
The bundle identifier in the info.plist needs to match the part after the alphanumeric key you set as app id. I usually use only * as App ID on the website and my bundle identifiers look like this: com.drobnik.geocorder
Thanks for the hint, trying that with a new appid and provisioning profile then. But what puzzles me is that I see the Provisioning Profile in Organizer at the device, but in Library/MobileDevice/Provisioning Profiles I don’t see a file at all.
Never mind, I had to manually copy the .mobileprovision file into ~/Library/MobildeDevice/Provisioning Profiles and now it works even if I leave the Identifier unchanged. Thanks a ton for the help!
I also experienced this problem, however my solution was very simple. All my keys and certs are on the login keychain. However, I started to setup file vault, but decided not to. This created a new “DEFAULT” keychain for file vault. However since I did not encrypt my home folder, no keychain was created. I just had to set my default keychain back to login and everything works as before.
2 bugs as I see it. File vault should not change the default keychain until complete and XCode should allow you to look at other keychains other than default.
Hope this helps!
I will be posting more at my blog:
http://ricks-rantings.blogspot.com/
Tìoraidh!
Well, I just upgraded to 3.0, and I’m broken. I’ve tried everything but I just get this error over and over… New profile, same error…
Checked all the settings in keychain etc…
Cannot test my app on hardware now… I had an expired certificate, and went and got a new one… yes it has public and private keys…
Is there anything else that can be done?
John,
you might have to redo the link between certificate and provisioning profile. All I know is in this article. I can only offer that we recheck the whole procedure togehter via Skype screen sharing. On skype I’m TheDrops.
I’m not as much an expert as John, but also , as i had the same problem i can help you too with Skype rechecking all the process again.
In case you need mail me to diogo.serra AT gmail.com
My thanks to you both… I will ping you later personally…
BTW – specifically how does one “re-do the link” between certificate and provisioning profile? That’s worth a try before anything else I’d guess…
When you Open Xcode > Organizer , did you already imported the Profile to you iphone ?
If yes do you get any Yellow Warning on the Orgnaizer ?
Diogo Serra
Oh Yes – yellow warning triangle in the organizer for my profile. That’s what first gave me to know something was wrong…
I forgot to check “notify me of followup comments via e-mail” so I’m doing that with this post…
Should be noted I have the VALID problem mentioned by digas, but I looked at his solution and my certificate was already in login…
After trying everything I was still getting the “A VALID signing identity matching this profile could not be found in your keychain” error. Then (out of desperation) I deleted the provision file in Library/MobileDevice/Provisioning Profiles and replaced it manually with the one that I downloaded. This produced a much more descriptive error about the AppID which I was able to resolve. Then everything worked.
Also: For Ad Hoc deployments, it seems that you need to create an Entitlements.plist file and and uncheck the “get-task-allow” property.
It’s probably only me, but I encountered this same problem when I copied my project from iMac to Macbook Pro. I found out I didn’t have my private key installed on the Macbook. So I exported my private key, copied and installed it to the Macbook, and voila it works!
I’ve documented the information here: http://www.creatistblog.com/2009/09/iphone-developer-provisioning.html
I was having the same problems, I tried moving my cert from “System” to “login” in KeyChain Access and it is working now. (Recently upgraded my OS to Snow Leopard, my ipod touch to 3.0 and my cert is about to expire.)
After going over the replies again, I realized I missed one that says the same thing, please ignore my reply above. thanks.
Thank digas!
It works for me >:D<