No Signing Certificate Mac App Distribution Found

Apple Developer Program membership is required to request, download, and use signing certificates issued by Apple. If you are part of a team enrolled as an organization, you must also be the account holder or an admin to request distribution certificates used for submitting apps to the App Store.

Using Certificates

In most cases, Xcode is the preferred method to request and install digital certificates for iOS and macOS. However, to request certificates for services such as Apple Pay, the Apple Push Notification service, Apple Wallet, and Mobile Device Management (MDM), you will need to request and download them from Certificates, Identifiers & Profiles in your account on the developer website.

For more information on how to use signing certificates, review the Xcode Help Guide.

Protecting Your Account and Certificates

Your Apple ID, authentication credentials, and related account information and materials (such as Apple Certificates used for distribution or submission to the App Store) are sensitive assets that confirm your identity.

  • Keep your Apple ID and authentication credentials secure and do not share them with anyone. To learn more, see Security and your Apple ID.
  • Do not share Apple Certificates outside of your organization. To learn how to securely share them with trusted team members within your organization, see Maintaining Signing Assets in Xcode Help.

Expired or Revoked Certificates

Check dependencies 20:28:53: Code Signing Error: No signing certificate 'Mac Development' found: No 'Mac Development' signing certificate matching team ID 'XXXXXXX' with a private key was found.

Can you tell me why it is trying to find 'Mac Development' while building an iOS app?

To be able to let PressMatrix sign your Apple iOS App for your organization's App Store Account, the already created iOS Distribution Certificate or iOS Push Certificate including the Private Key needs to be provided to PressMatrix. For that you must use a P12 certificate file. You generate this file using your Mac.

  • Apple Push Notification Service Certificate
    You can no longer send push notifications to your app.
  • Apple Pay Payment Processing Certificate
    Apple Pay transactions in your apps and websites will fail.
  • Apple Pay Merchant Identity Certificate
    Apple Pay transactions on your websites will fail.
  • Pass Type ID Certificate (Wallet)
    If your certificate expires, passes that are already installed on users’ devices will continue to function normally. However, you will no longer be able to sign new passes or send updates to existing passes. If your certificate is revoked, your passes will no longer function properly.
  • iOS Distribution Certificate (App Store)
    If your Apple Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to upload new apps or updates signed with the expired or revoked certificate to the App Store.
  • iOS Distribution Certificate (in-house, internal use apps)
    Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
  • Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)
    If your Apple Developer Program membership is valid, your existing apps on the Mac App Store will not be affected. However, you will no longer be able to upload new apps or updates signed with the expired or revoked certificate to the Mac App Store.
  • Developer ID Application Certificate (Mac applications)
    If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you will need a new certificate to sign updates and new applications. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. If your Mac application utilizes a Developer ID provisioning profile to take advantage of advanced capabilities such as CloudKit and push notifications, you must ensure your Developer ID provisioning profile is valid in order for installed versions of your application to run.
  • Developer ID Installer Certificate (Mac applications)
    If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run; however, new installations will not be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
  • Apple Worldwide Developer Relations Certification Intermediate Certificate
    The Apple Worldwide Developer Relations Certificate Authority issues certificates used by developers for signing third party apps and Safari Extensions, and for using Apple Wallet and Apple Push Notification services. We’ve issued a renewed certificate that must be included when signing all new Apple Wallet Passes, Apple Push Notifications, Safari Extensions, and apps for the App Store, starting February 14, 2016.

Note: Apple can revoke digital certificates at any time at its sole discretion. For more information, read the Apple Developer Program license agreements in your account on the developer website.

Compromised Certificates

If you suspect that your Pass Type ID certificate or Developer ID certificate and private key have been compromised, and would like to request revocation of the certificate, send an email to product-security@apple.com. You can continue to develop and distribute passes by requesting an additional certificate from your account on the developer website.

FAQs

I received an error message saying, 'Xcode could not find a valid private-key/certificate pair for this profile in your keychain.'

This error message indicates that your system’s Keychain is missing either the public or private key for the certificate you are using to sign your application.

This often happens when you are trying to sign and build your application from a different system than the one you originally used to request your code signing certificate. It can also happen if your certificate has expired or has been revoked. Ensure that your app’s provisioning profile contains a valid code signing certificate, and that your system’s Keychain contains that certificate, the private key originally used to generate that certificate, and the WWDR Intermediate Certificate.

For instructions on how to resolve this error, review the Code Signing support page.

What happens to my applications signed with Developer ID if my Apple Developer Program membership expires?

If your membership expires, users can still download, install, and run your applications that are signed with Developer ID. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.

This article explains how to create and export a certificate for app package signing using PowerShell tools. It's recommended that you use Visual Studio for packaging UWP apps and packaging desktop apps, but you can still package an app manually if you did not use Visual Studio to develop your app.

Prerequisites

  • A packaged or unpackaged app
    An app containing an AppxManifest.xml file. You will need to reference the manifest file while creating the certificate that will be used to sign the final app package. For details on how to manually package an app, see Create an app package with the MakeAppx.exe tool.

  • Public Key Infrastructure (PKI) Cmdlets
    You need PKI cmdlets to create and export your signing certificate. For more information, see Public Key Infrastructure Cmdlets.

Create a self-signed certificate

A self-signed certificate is useful for testing your app before you're ready to publish it to the Store. Follow the steps outlined in this section to create a self-signed certificate.

Note

When you create and use a self-signed certificate, only users who install and trust your certificate can run your application. This is easy to implement for testing, but it may prevent additional users from installing your application. When you are ready to publish your application, we recommend that you use a certificate issued by a trusted source. This system of centralized trust helps to ensure that the application ecosystem has levels of verification to protect users from malicious actors.

Determine the subject of your packaged app

To use a certificate to sign your app package, the 'Subject' in the certificate must match the 'Publisher' section in your app's manifest.

For example, the 'Identity' section in your app's AppxManifest.xml file should look something like this:

The 'Publisher', in this case, is 'CN=Contoso Software, O=Contoso Corporation, C=US' which needs to be used for creating your certificate.

Use New-SelfSignedCertificate to create a certificate

Use the New-SelfSignedCertificate PowerShell cmdlet to create a self-signed certificate. New-SelfSignedCertificate has several parameters for customization, but for the purpose of this article, we'll focus on creating a simple certificate that will work with SignTool. For more examples and uses of this cmdlet, see New-SelfSignedCertificate.

Based on the AppxManifest.xml file from the previous example, you should use the following syntax to create a certificate. In an elevated PowerShell prompt:

Note the following details about some of the parameters:

  • KeyUsage: This parameter defines what the certificate may be used for. For a self-signing certificate, this parameter should be set to DigitalSignature.

  • TextExtension: This parameter includes settings for the following extensions:

    • Extended Key Usage (EKU): This extension indicates additional purposes for which the certified public key may be used. For a self-signing certificate, this parameter should include the extension string '2.5.29.37={text}1.3.6.1.5.5.7.3.3', which indicates that the certificate is to be used for code signing.

    • Basic Constraints: This extension indicates whether or not the certificate is a Certificate Authority (CA). For a self-signing certificate, this parameter should include the extension string '2.5.29.19={text}', which indicates that the certificate is an end entity (not a CA).

After running this command, the certificate will be added to the local certificate store, as specified in the '-CertStoreLocation' parameter. The command's output also includes the certificate's thumbprint.

You can view your certificate in a PowerShell window by using the following commands:

This will display all of the certificates in your local store.

Export a certificate

To export the certificate in the local store to a Personal Information Exchange (PFX) file, use the Export-PfxCertificate cmdlet.

When using Export-PfxCertificate, you must either create and use a password or use the '-ProtectTo' parameter to specify which users or groups can access the file without a password. Note that an error will be displayed if you don't use either the '-Password' or '-ProtectTo' parameter.

Password usage

ProtectTo usage

After you create and export your certificate, you're ready to sign your app package with SignTool. For the next step in the manual packaging process, see Sign an app package using SignTool.
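The steps above (read the Publisher, create the certificate, check it, export it), put together as an added example that is not code from the original article. The default file paths, the friendly name and the `Cert:\CurrentUser\My` store location are assumptions; the extension strings are the ones quoted in the parameter notes.

```powershell
param(
    [string]$ManifestPath = '.\AppxManifest.xml',   # assumed manifest location
    [string]$PfxPath      = '.\TestSigning.pfx'     # assumed output file
)
$ErrorActionPreference = 'Stop'
$codeSigningOid = '1.3.6.1.5.5.7.3.3'

# 1. The certificate Subject must match the Publisher in the manifest's Identity element.
[xml]$manifest = Get-Content -LiteralPath $ManifestPath -Raw
$publisher = $manifest.Package.Identity.Publisher
if ([string]::IsNullOrWhiteSpace($publisher)) {
    throw "No Identity Publisher attribute found in $ManifestPath"
}

# 2. Create the certificate: signature-only key usage, code-signing EKU,
#    and basic constraints marking it as an end entity (not a CA).
$cert = New-SelfSignedCertificate -Type Custom -Subject $publisher `
    -KeyUsage DigitalSignature `
    -FriendlyName 'Package signing test certificate' `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -TextExtension @("2.5.29.37={text}$codeSigningOid", '2.5.29.19={text}')

# 3. Check what was actually issued before relying on it.
$ekuType = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
$ekuOids = $cert.Extensions | Where-Object { $_ -is $ekuType } |
    ForEach-Object { $_.EnhancedKeyUsages } | ForEach-Object { $_.Value }
if ($ekuOids -notcontains $codeSigningOid) { throw 'Code-signing EKU is missing.' }
if (-not $cert.HasPrivateKey) { throw 'No private key: the PFX could not be used to sign.' }
if ($cert.Subject -ne $publisher) {
    Write-Warning "Subject '$($cert.Subject)' is not textually identical to Publisher '$publisher'."
}

# 4. Export with a password typed at the prompt, so it never appears in the
#    script or in command history. (-ProtectTo is the alternative to -Password.)
$password = Read-Host -AsSecureString -Prompt 'Password for the PFX file'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $password | Out-Null

[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    NotAfter   = $cert.NotAfter
    PfxPath    = $PfxPath
}

# 5. When testing is finished, remove the certificate from the store:
# Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($cert.Thumbprint)"
```

The exported PFX contains the private key, so store it and its password with the same care as any other signing credential.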

Security considerations

By adding a certificate to local machine certificate stores, you affect the certificate trust of all users on the computer. It is recommended that you remove those certificates when they are no longer necessary to prevent them from being used to compromise system trust.