Work-arounds for two iPhone dev accounts

Ok, maybe everyone else already knows this, but since it boggled Apple dev support (the bug I wrote, 6635822, and the duplicate someone else opened, 6229180, both seem to still be open) I thought I’d write about the work-around I figured out today.

First, the problems:

There are two related problems, with two related work-arounds.

Both problems arise when you have two iPhone developer accounts and the names on the keys for the certificates are the same (likely, since you are required to use a person’s name and your real name when signing up with Apple, AND your name on the certificate request has to be the same as what you signed up with).

Problem 1: Xcode Organizer will tell you that the provisioning profiles for one of the accounts are invalid (this has to do with the order of creation of the keys in the Keychain Access utility, I forget now if it’s the last created or the first created that works). It shows a big yellow banner saying “A valid signing identity matching this profile could not be found in your keychain.”

Problem 2: Xcode codesign for the default project configuration fails with an error like:

    iPhone Developer: Your Name: ambiguous (matches "iPhone Developer: Your Name" in /Users/dad/Library/Keychains/iphonedev.keychain and "iPhone Developer: Your Name" in /Users/dad/Library/Keychains/login.keychain)

or something even less helpful if you don’t have them in separate keychains (which is a hint towards part of the solution :)).

Second, solutions (well, work-arounds maybe):

Solution to Problem 1:

Put one of the sets of keys & certificates into a separate keychain using Keychain Access (I’ve already done that in the illustration of problem 2 above, “iphonedev” is the name of that keychain). Then using the contextual menu on that keychain choose the “Make keychain ‘iphonedev’ the Default”. The name of it becomes bold in Keychain Access. The provisioning profiles that need those signatures & certificates now will show up as good in Xcode organizer.

Solution to Problem 2:

Same first step as above, put one set of keys & certificates into a separate keychain. Then open the project which should be signed with those credentials and set the “Other Code Signing Flags” to be

    --keychain iphonedev.keychain

(or whatever you called your secondary keychain).

To use your other keychain credentials, just put the keychain they are in as the argument to --keychain. So in my case, my second set is in my “login” keychain, so I use “--keychain login.keychain” (note that the quotes are not needed in the Xcode panel, that’s just for the blog. Probably you’d need to quote keychain names with spaces in them, but I didn’t make any like that so I’m not 100% sure on that).

That makes it all work here. Hopefully this might help someone else out there in iphone developer land.

Update: See the first comment below, it contains the further learning that James and I figured out after way too much time today.
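
A way to check for the name collision behind both problems before a build fails, as an added example that is not part of the original post: it parses the output of `security find-identity -v -p codesigning` for each keychain and reports identity names carried by more than one certificate. The sample outputs and their hashes are constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: report signing-identity names that map to more than one
# certificate. On a Mac, feed parse_identities from
#   security find-identity -v -p codesigning <keychain>
# The two outputs below are constructed samples; the hashes are placeholders.
LOGIN_OUT='  1) 1111111111111111111111111111111111111111 "iPhone Developer: Your Name"
  2) 2222222222222222222222222222222222222222 "iPhone Distribution: Company A"
     2 valid identities found'
IPHONEDEV_OUT='  1) 3333333333333333333333333333333333333333 "iPhone Developer: Your Name"
     1 valid identities found'

# parse_identities KEYCHAIN (hypothetical helper): convert find-identity
# output on stdin to "name<TAB>keychain<TAB>sha1", skipping the summary line.
parse_identities() {
    awk -v kc="$1" '
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name)    # drop everything through the opening quote
            sub(/"[^"]*$/, "", name)    # drop the closing quote and any trailer
            printf "%s\t%s\t%s\n", name, kc, $2
        }'
}

# ambiguous_names (hypothetical helper): names carried by two or more distinct
# certificates, with the keychain each one was found in. Those keychain names
# are the candidates for the --keychain value in "Other Code Signing Flags".
ambiguous_names() {
    awk -F'\t' '
        !seen[$3]++ { count[$1]++; where[$1] = where[$1] " " $2 }
        END { for (n in count) if (count[n] > 1) printf "%s:%s\n", n, where[n] }
    ' | sort
}

scan_sample() {
    {
        printf '%s\n' "$LOGIN_OUT"     | parse_identities login.keychain
        printf '%s\n' "$IPHONEDEV_OUT" | parse_identities iphonedev.keychain
    } | ambiguous_names
}

scan_sample
```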

11 Responses to “Work-arounds for two iPhone dev accounts”

  1. Dad Says:

    Working with James Berry on this today when the above wouldn’t work for him we finally arrived at the following:

    In the login keychain (set as default):

    – developer key pair for each company
    – The iPhone Developer: certificate matching one of those.

    In a keychain named for each company, saved in ~/Library/Keychains:

    – the developer key pair for that company
    – The iPhone Developer: certificate matching that key pair.

    In the “Other Code Signing Flags” in each project:

    	--keychain NameOfCompanyKeychain.keychain
    

    Each developer on a project for a given company, then, needs to have an identically named keychain for the company, to match the --keychain spec in the project file.

    So basically, we put enough information in the (default) login keychain to get through the dependency checking stage of the build (all the developer keys and at least one developer cert), and we use the --keychain option to the codesign tool to disambiguate between the certificates in the multiple open keychains.

    Other notes:

    – To install a particular provisioning profile into Xcode, you may need to temporarily set the default keychain to the particular “company” keychain matching the profile.

    – (untested) It may also help to create a single provisioning profile that matches * (with no company prefix), so that you have a profile that will match any of the companies, even though this provisioning profile is never actually used.

    Thanks James for clarifying some details I hadn’t worked out completely.

  2. Dad Says:

    Related: If you have trouble importing .p12 or .pem files into a keychain using the Keychain Access application (I got errors), then you can use the ‘security’ command line tool thus:

      security import priv_key.p12 -k ~/Library/Keychains/login.keychain
      security import pub_key.pem -k ~/Library/Keychains/login.keychain
    

    or whatever keychain you want to use in place of “login.keychain” in the command above. Thanks to Dave K. for the tip.

    I have this problem and my bug report with apple got marked as a duplicate so someone else must have also. But another friend of mine does not have this issue.

  3. dad Says:

    Just one more tip: To do Ad-Hoc or AppStore builds you need to have the parallel stuff for distribution in the same places. So in the NameOfCompany keychain you need the public and private key for the company (this was created when you made the distribution certificate signing request to send to the iPhone dev portal), and then the iPhone Distribution: CompanyName certificate that is generated.

    Obviously you’ll need the --keychain param in the distribution build configuration like you did in the debug one to get debugging on the device working.

    • nantas Says:

      Hi, I’m trying to set up my second distribution certification and provision on the same Mac. So both provisions share the same name “iPhone Distribution: MyName”, and when I add the --keychain param in “other code signing flags”, I always get the following error when building the project:

      iPhone Distribution: MyName : no identity found
      Command /usr/bin/codesign failed with exit code 1

      Also regarding the number after agent name, I think it’s only for iPhone Developer certification, the distribution certification still look all the same.

      Could you please give me more instructions? I’m really stuck here..

      Thanks a lot!

      • Dad Says:

        Hmm. Not really enough information to know exactly what’s going on for you. Did you unlock the keychain passed to the --keychain param? I’m wondering if the “no identity found” is suggesting that the private key associated with the distribution certificate isn’t in the same keychain.

  4. Sean Carmody Says:

    Thanks all. I just encountered this and although I’ve lost several hours, your recommendations have solved it for me. I really appreciate it.

    If it helps anyone, I had problem 2 above, and solution 2 solved it.
    – I created a second keychain, ‘NewCompany’, exclusively for the second company
    – Dragged my profiles for that company into that new keychain
    – Right-clicked on the new keychain name and chose “Make Keychain ‘NewCompany’ Default”.
    – Back in XCode, “Other Code Signing Flags” has a new entry: “--keychain NewCompany.keychain”

    After that I was able to Build to device. Obviously, I am now tied to switching keychains when working on apps.

    Recommendation 1: I left the company I do most work for in the default “login” keychain.
    Recommendation 2: If confused, look in the XCode Organizer to see which profiles are active. You will get an “!” when you are not logged into that keychain.

    • Dad Says:

      I think that you shouldn’t have to switch keychains except when you install a mobile profile onto a phone. That’s the idea anyway 🙂

  5. Dad Says:

    Note that Apple seems to have addressed this in a recent account I set up with/for a client; My certificate now has a number in parens after my name so that they are unique in the keychain. I’ll need to go back and recreate the signatures in one of the other accounts and see if that one gets a number appended to the name as well.

  6. Shiva Says:

    Hi,

    When we uploaded our .app file for the first time to the App Store we used one MacBook. But when we try to update the same app from iTunes using a different Mac, we are not able to succeed. It says “A valid signing identity matching this profile could not be found in your keychain.”

    I understood the problem is “we are not using the mac machine on which we created this distribution provision file using the keychain”.

    But right now we don’t have that mac. What will be the possible solution. Can I create a fresh distribution provision file using same app id in new mac using new keychain certificate?

    Please help…

    Thanks Shiva

    • Dad Says:

      Hi, The computer in question isn’t really important, but the digital signature and certificates on the keychain are which is why Apple tells us to back those up. If you have a backup of those items you can install them into the keychain of any intel based mac and things should ‘just work’.

      If you do not have a backup, or cannot get whoever has that computer to send them to you, it seems you will have to go and regenerate all your certificates/provisioning profiles including your distribution ones. I do not know for sure how this will affect your application submission. Ideally it shouldn’t cause even a bit of problem, in reality? Not sure. Suggest you contact Apple Developer Support for clarification if your app has significant sales and the impact of a problem would be significant.

  7. Anne Says:

    thanks a bunch… the bit about setting the Other Code Signing Flags was the key for me.
