8

I started getting a codesign error after a certificate expired. I have an updated certificate and the expired one has been deleted. But somehow, Xcode sets EXPANDED_CODE_SIGN_IDENTITY with the SHA-1 of the expired certificate. Where does it get this value? I assume it must be cached somewhere because there is no certificate in the keychain with the SHA-1 it is trying to use for code signing. I searched the pbxproj file and did not find it, nor did a recursive grep starting from the project root yield any results.

Here are some details about my configuration:

  • There is no account set up in Xcode
  • Instead of a developer account, I am using the exported certificate from the Team Agent
  • Xcode version is 6.1.1
  • OSX version is 10.10.2

The project identity is set up in Xcode like this (screenshot not preserved).

When I check the keychain, it finds the correct identity:

    $ security find-identity -p codesigning
    Policy: Code Signing
      Matching identities
      1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"

In the build output I see the environment variable set incorrectly:

    export EXPANDED_CODE_SIGN_IDENTITY=9F5616A53464FC5C003847ED620357A7BC72ABB1

I have tried to fix it with the following:

  • Delete the certificate from Keychain Access and re-add it
  • Set the Access Control of the private key to allow all apps
  • Delete all provisioning profiles and re-add the one I am using
  • Delete everything under ~/Library/Developer/Xcode/DerivedData
  • Delete everything under ~/Library/Caches/com.apple.dt.Xcode
  • Restart Xcode
  • Reboot the Mac

I have now run out of ideas for things to try. There are two other developers I work with, and both of them experienced the same problem initially. However, they are working again after doing some of the same steps that I have tried. We are all using the same certificate, the same provisioning file, and the same project settings. It must be a setting or lingering cache that is on my system, but I have not been able to find it.

If I could find out where Xcode sets this environment variable, I can clean it up and everything should be fine again.

Mattie
Todd J.

2 Answers

3

I was having the same issue and for me the answer was fairly simple: I was trying to use a provisioning profile that was tied to the old certificate (my guess is that EXPANDED_CODE_SIGN_IDENTITY is pulled from the profile you are trying to use).

Anyway, after creating a new profile on the dev center tied to the new certificate, this stopped happening.

Spacey Andy
  • In the absence of anything documented that I can find, I believe you are correct. I opened the provisioning profile in a text editor and found two references to developer certificates. I copied the text for each, base 64 decoded them and then sent them as input to openssl. One had the same SHA-1 as the "bad" certificate, and the other matched the "good" cert. I'm not sure why Xcode is selecting the bad one, but the original question has been answered. – Todd J. Mar 12 '15 at 23:56
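
The check described in the comment above, as an added example that is not part of the original posts: it pulls the `DeveloperCertificates` entries out of a provisioning profile, computes each certificate's SHA-1, and reports which ones are not among the identities in the keychain. It assumes the profile's plist sits in clear text inside the CMS wrapper; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import plistlib


def profile_cert_fingerprints(profile_bytes):
    """Return upper-case SHA-1 fingerprints of every DeveloperCertificates entry."""
    # Assumption: the .mobileprovision is a CMS-signed blob whose XML plist
    # payload is stored in the clear, so it can be sliced out for inspection.
    # The CMS signature is NOT verified here; this is a diagnostic, not a trust check.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    # plistlib has already base64-decoded each <data> entry to DER bytes.
    # SHA-1 over the DER encoding is the hash `security find-identity` prints.
    return [hashlib.sha1(der).hexdigest().upper()
            for der in plist.get("DeveloperCertificates", [])]


def check_profile(profile_bytes, keychain_sha1s):
    """Split the profile's certificates into those present in or absent from the keychain."""
    known = {h.upper() for h in keychain_sha1s}
    fps = profile_cert_fingerprints(profile_bytes)
    return {"usable": [f for f in fps if f in known],
            "stale": [f for f in fps if f not in known]}


def constructed_profile(ders):
    # Constructed sample: placeholder bytes stand in for real DER certificates
    # and for the CMS header and signature around the plist.
    body = plistlib.dumps({"Name": "Sample", "DeveloperCertificates": ders})
    return b"\x30\x82CMS-HEADER" + body + b"CMS-SIGNATURE"


if __name__ == "__main__":
    good, expired = b"constructed-good-cert", b"constructed-expired-cert"
    sample = constructed_profile([expired, good])
    keychain = [hashlib.sha1(good).hexdigest()]  # hashes as listed by find-identity
    print(check_profile(sample, keychain))
```

Any fingerprint reported under `stale` belongs to a certificate the profile still references but the keychain no longer holds, which is the situation described in this answer.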
1

If it helps, I'm using Jenkins to build the app, so all commands run from the console. So I've turned off CODE_SIGNING_ALLOWED and "overridden" EXPANDED_CODE_SIGN_IDENTITY_NAME and EXPANDED_CODE_SIGN_IDENTITY. For some reason, it helped me build the app with the proper identities.

    xcodebuild -project my.xcodeproj/ -sdk iphoneos \
      CODE_SIGNING_REQUIRED=YES \
      CODE_SIGNING_ALLOWED=NO \
      CODE_SIGN_IDENTITY="My Identity" \
      EXPANDED_CODE_SIGN_IDENTITY_NAME="My Identity" \
      EXPANDED_CODE_SIGN_IDENTITY=<CODE_SIGN_IDENTITY>

The last one can be obtained with:

    security find-certificate -a -c "My Identity" -Z | grep ^SHA-1 | cut -d " " -f3 | uniq