Last week we were doing some updates for a customer on a C++Builder Android and iOS app. The Mac that we were using to do the code signing for iOS hadn’t been used for this before, so we needed to set up the Certificates and Provisioning Profiles for the customer’s account.
I always dread this part, as I’ve found it always takes longer and is more complicated than you expect. I’ve done it enough times now, though, that I thought I’d struck all the issues; however, this time I found a new one that I thought I should document for anyone else (or my future self) who strikes it.
If you’re not sure what I’m talking about, this is a requirement by Apple that any code that is to be deployed to the App Store needs to be code signed on a Mac, using certificates generated by Apple. RAD Studio does all the compilation on Windows, but needs to play by the rules and push the binary out to a Mac somewhere on the network to be signed. David did a video on setting this up a while ago.
The Intermediate Certificates that Apple uses to sign your Developer and Deployment certificates expired earlier this year. That’s not the problem; they’ve had new Intermediate Certificates available for download for a while now.
You’ll know you have this issue if you look at one of your Dev or Deploy certificates in Keychain Access and see a message in red saying “This certificate has an invalid issuer”.
Here’s the culprit:
If you can’t see the expired Apple Intermediate Certificate in Keychain Access, select View | Show Invalid Certificates.
I’ve been through this before on other machines and thought I had it down pat. Delete the expired Intermediate Certificate, download and import the new one and you’re away.
This time, it didn’t work. So, thinking I’d mucked it up, I did the delete, download, import routine again. Nope, still not working.
After a reasonable amount of swearing failed to fix the problem, I dug deeper. The new certificate was not expired, so I assumed it was still finding the old one somewhere. Eventually I realised that Keychain Access actually has two copies of it: one in the login keychain and another in the System Roots keychain. I was only deleting the one in the login keychain. If I’d used the Search box in Keychain Access, and searched on “Apple World”, it actually would have shown me both, but I didn’t do that, did I?
So, I deleted BOTH the expired ones, imported the new one and finally Apple deigned to let me continue.
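
The same check can be done from Terminal. The script below is an added example, not part of the original post: it assumes macOS with the stock `security` and `openssl` tools, and the function names are made up for illustration. It lists every copy of a matching certificate in each keychain and marks the expired ones, so a stale duplicate like the one described above is visible at a glance.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes macOS, where the
# `security` and `openssl` command-line tools are available.
NL='
'

# Keychains to search: the user's search list, plus the System Roots store,
# which is not on that list (path is the standard macOS location).
keychains() {
  security list-keychains | sed -e 's/^[[:space:]]*"//' -e 's/"[[:space:]]*$//'
  echo "/System/Library/Keychains/SystemRootCertificates.keychain"
}

# Read a PEM bundle on stdin and print one line per certificate:
# "EXPIRED" or "valid", followed by its notAfter date and subject.
classify_pem() {
  pem=""
  while IFS= read -r line; do
    pem="${pem}${line}${NL}"
    if [ "$line" = "-----END CERTIFICATE-----" ]; then
      state=valid
      # -checkend 0 exits non-zero when the certificate has already expired.
      printf '%s' "$pem" | openssl x509 -noout -checkend 0 >/dev/null || state=EXPIRED
      info=$(printf '%s' "$pem" | openssl x509 -noout -enddate -subject | tr '\n' ' ')
      printf '%s %s\n' "$state" "$info"
      pem=""
    fi
  done
}

# scan_keychains NAME: report every certificate matching NAME, one keychain
# at a time, so duplicate copies show up side by side.
scan_keychains() {
  keychains | while IFS= read -r kc; do
    security find-certificate -a -c "$1" -p "$kc" </dev/null 2>/dev/null |
      classify_pem |
      while IFS= read -r row; do printf '%s: %s\n' "$kc" "$row"; done
  done
}

# Run only where the macOS tool exists; "Apple World" is the search term from the post.
if command -v security >/dev/null 2>&1; then
  scan_keychains "${1:-Apple World}"
fi
```

Any line marked `EXPIRED` names the keychain that still holds an old copy; a different search term can be passed as the first argument.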