12

I recently did some work for another company, building an iPhone app for them. As I split development time between their offices, using their computers, and my office, I generated a key and had it signed as part of their iPhone Dev Center "team."

I already had an existing Dev Center account and my own developer certificate. After importing the certificate for the client project, signing that application gives me a warning from codesign that it finds multiple certificates matching "iPhone Developer: Steve Madsen", but it chooses the correct one and signs the binary.

I am now going back to one of my older projects, using my own developer certificate. Codesign is telling me it can't resolve the ambiguity between my certificate and the one used for my client:

iPhone Developer: Steve Madsen: ambiguous (matches "iPhone Developer: Steve Madsen (9E69FVL37K)" and "iPhone Developer: Steve Madsen" in /Volumes/Users/steve/Library/Keychains/login.keychain)

The client certificate is the one with (9E69FVL37K), which I presume is how codesign is able to figure things out in my client's project.

How can I configure the Xcode project to use the correct identity? Picking a specific one (not the automatic profile selector) under the target build settings does not help.

Better yet, while Apple anticipated that a developer could be a member of multiple teams, I have found no documentation on how a developer such as myself should set up my environment. Generating a second key/certificate seemed the only way to make this work, as provisioning profiles must be associated with certificates under one team's Program Portal. Does anyone have good advice on how to make this process work smoothly?

Steve Madsen
  • 13,465
  • 4
  • 49
  • 67
  • 1
    Picking a specific identity instead of the automatic selection should work - it does for me. – Till Nov 12 '09 at 20:44
  • Ow, make sure it the identity properly selected in both; the Project Properties as well as in the Target Properties! – Till Nov 12 '09 at 20:45
  • That doesn't make a difference. The problem is that both keys have the same prefix, and the key I want to use is, in its entirety, a prefix of the second (client work) key. Codesign doesn't have a mode to say "the identity is exactly this, don't try to be clever about it." – Steve Madsen Nov 12 '09 at 22:23
  • funny thing is now I do have the very same problem - will try to revoke everything and see what happens. – Till Jun 03 '10 at 15:07

3 Answers3

5

I took the plunge this evening and decided to revoke my old certificate and generate a new one. My guess was correct: Apple is now issuing all certificates with a (hex-string) suffix.

Xcode is smart enough to do the right thing. I select "iPhone Developer" (automatic selection) in the target settings. It determines which of my keys should be used to sign the binary based on the provisioning profile, then tells codesign to use exactly that identity by including the (hex-string) suffix.

My bet is that newer iPhone developers won't ever see this problem, because they generated their first certificate after Apple started adding the suffix.

A reminder to anyone else that has to do this: you need to fix all your existing provisioning profiles, too, and reinstall those.

Steve Madsen
  • 13,465
  • 4
  • 49
  • 67
0

I have been working on 3 teams so far and have been using 3 separate iTunes accounts, one for each (so 3 separate email addresses). I know this doesn't sound like the optimal situation, especially if you are working on more teams than that.

However, I am wondering if there can be another way. Because if you can associate your iTunes account (iPhone dev centre user) with more than one teams, then what happens when you sign in to the Dev Centre? You get multiple options to enter the multiple "iPhone Developer Progrma Portals"?

Dimitris
  • 13,480
  • 17
  • 74
  • 94
  • 1
    that is exactly what is happening - you are asked which team you want to work on when logging in. – Till Nov 12 '09 at 20:42
  • Guys, these aren't answers to my question. Comments belong up above. – Steve Madsen Nov 12 '09 at 22:09
  • Steve, this was my answer, my way of doing it for a year now without a problem. "Till" thank you for letting me know that there is another way! – Dimitris Nov 12 '09 at 23:52
  • I appreciate that, Dimitris, but I'm not talking about iTunes Connect accounts, I'm talking about code signing certificates. iTunes Connect account names, email addresses, team names, etc. don't comes into the picture for certificate selection. Are all of your certs in the same keychain? Are you doing anything special to pick one versus another in your projects? – Steve Madsen Nov 13 '09 at 01:27
  • I have 3 accounts and several certificates for each of them. All in the same keychain (also on multiple computers). And I just select the right certificate for the build configuration i need "CompanyA dev", "CompanyB distribution" etc. And it works without a problem. The only thing I need to take care of is maintaining only the certificates I need on my Xcode Organizer so that I don't get duplicates when I modify certificates. – Dimitris Nov 13 '09 at 10:33
  • It sounds like you're not following Apple's recommendation to use your name for the developer certificates. Is that correct? If so, that's why you're not having any problems with ambiguity. – Steve Madsen Nov 13 '09 at 16:34
0

Thanks to Steve Madsen for pointing it out.. Apple now issues all certificates with a (HEXSTRING) suffix. This means if you have a certificate for RUPERTO DE GUZMAN before, you will need to REVOKE this from PROGRAM PORTAL -> CERTIFICATES. Then create a NEW certificate. Your new certificate will now be RUPERTO DE GUZMAN (EZxxxxxxxx).

Now, codesign would not be confused with the prefixes anymore because we have:

BEFORE:

RUPERTO DE GUZMAN

RUPERTO DE GUZMAN (89xxxxxxx)

AFTER:

RUPERTO DE GUZMAN (EZxxxxxxx)

RUPERTO DE GUZMAN (89xxxxxxx)

iwasrobbed
  • 46,496
  • 21
  • 150
  • 195
rup3rt
  • 373
  • 2
  • 4
  • 13