How to purge and re-install code signing identities
Sometimes the nuclear option is the best.
Tuesday, July 13, 2021 - Sam Rowlands
This is documented here as we continue to restore our website after site outages
Sometimes identities get messed up, keys go missing and it seems like a clear-out and start again is the best solution.
Commence the purge
This step is very important: if it's not completed correctly, invalid identities or certificates will be left on the machine and may cause the re-installation process to work incorrectly or not at all.
From here you may choose to purge all the code signing identities on the machine, or just the ones that are non-functional. App Wrapper's "Code signing diagnostics" can help identify which identities are non-functional.
- Open the "Keychain Access" application (use the search box in the top right hand corner of your screen to find it).
- In the top left hand column you'll see the "Keychains"; you're going to have to repeat the process for each one of these "Keychains". Start by selecting the top most "Keychain".
- In the bottom left hand column, select "My Certificates". This should list out the code signing certificates and also other certificates for other purposes.
- On the right hand side, if you're dealing with a specific identity, select it, then right click on it and choose "Delete".
- If you're resetting all the Apple code signing identities, you need to select and delete each of the following. If you see multiple copies, remove all of them.
- "3rd Party Mac Developer Application: <yourName/>"
- "3rd Party Mac Developer Installer: <yourName/>"
- "Mac Developer: <yourName/>"
- "Developer ID Application: <yourName/>"
- "Developer ID Installer: <yourName/>"
- "Apple Distribution: <yourName/>"
- "Apple Development: <yourName/>"
- Click on the next "Keychain" in the top left hand list and repeat the process. Do not remove certificates that you don't recognise; doing so may cause other problems. Repeat steps 2 to 6 until you've gone through every "Keychain" in the top left hand list.
You should give it a few seconds after clicking on a new "Keychain", as it can take a couple of seconds for Keychain Access to update its listing.
- Close everything and restart your Mac.
Reinstall the identities
Now that the troublesome identities have been removed (which may be all of them), we need to reinstall the identities. This stage is best done through Apple's Xcode. If you don't have Xcode installed, you can download it from the Apple App Store.
- Open "Xcode" (use the top right hand search box if you need to).
- Go into the "Xcode" preferences, then click on "Accounts".
- You may need to login to "Xcode" with your Apple Developer ID.
- Select your account in the left hand list, then click on "View Details" in the bottom right hand corner of the window.
- In the top part of the sheet window, you'll see a list of the code signing identities that can be installed.
- For each listed item that can be installed right now, you should see either a "Create" or "Reset" button on the right hand side of the top list. "Create" creates the code signing identity on your machine: simply click it and wait for the button to disappear.
- If the button says "Reset", click it. If it changes to read "Create" (give it a few moments), click on "Create" to create the identity. However, if it takes you to the developer section of the Apple website, see the next section.
- Repeat this process until all the buttons are gone, or the only ones left take you to the Apple developers portal.
- Close Xcode.
Reset failed and now what? or Do I feel lucky?
I actually flagged this as a bug with Apple about how sometimes the "Reset" button simply takes you to the Apple developers portal on their site, and just leaves you there, without any clue or indication as to what you're meant to do next.
By now, you've probably seen enough of the above web site, but here's what to do next.
- Click on "Certificates, IDs & Profiles" in the left hand column of the site.
- Change "iOS, tvOS & watchOS" to "OS X" (yeah they still call it OS X too).
- Click once on the Identity name, use the "Type" column to help you figure out which one is which.
- Then click on the "Download" button.
- Open "Keychain Access" and select "Login" in the top left hand corner; this is the Keychain where you want your identities to be installed.
- In your downloads folder, double click on the new file to open it and have it installed onto your computer.
- Are you lucky? If your new shiny identity has a disclosure triangle (which shows that the certificate has been paired with its private key), it's a success.
- Repeat this process with the certs that failed to automatically download.
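Both the "which identities are non-functional" question from the purge section and the "are you lucky?" check above can be answered from the Terminal as well, because `security find-identity -p codesigning` lists every certificate that is paired with a private key and marks the ones macOS refuses to use. The script below is an added example, not part of App Wrapper or of this post; it parses that listing (falling back to a constructed sample, with placeholder hashes and a made-up Team ID, when the `security` tool is not available) to print the broken identities you would delete in Keychain Access and to count the valid ones you should see after reinstalling.

```shell
#!/bin/sh
# Added example (not App Wrapper's code): triage code signing identities
# from the output of `security find-identity -p codesigning`.
# Hashes, names and the Team ID in the sample are constructed placeholders.

# Constructed sample in the format `security find-identity -p codesigning`
# prints: every matching identity first (with a reason in parentheses when
# the OS will not use it), then the valid ones only.
SAMPLE_OUTPUT='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Corp (TEAMID0001)" (CSSMERR_TP_CERT_EXPIRED)
  2) 0000000000000000000000000000000000000002 "Developer ID Installer: Example Corp (TEAMID0001)" (CSSMERR_TP_NOT_TRUSTED)
  3) 0000000000000000000000000000000000000003 "Apple Development: dev@example.com (TEAMID0001)"
     3 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000003 "Apple Development: dev@example.com (TEAMID0001)"
     1 valid identities found'

# Use the live listing on a Mac, otherwise the constructed sample.
identity_listing() {
    if command -v security >/dev/null 2>&1; then
        security find-identity -p codesigning
    else
        printf '%s\n' "$SAMPLE_OUTPUT"
    fi
}

# Print "<hash>\t<name>\t<reason>" for each identity the OS refuses to use.
# Only the "Matching identities" section carries the reason codes.
broken_identities() {
    printf '%s\n' "$1" | awk '
        /Valid identities only/ { exit }
        /^ *[0-9]+\) [0-9A-F]+ ".*" \([A-Z_]+\)$/ {
            hash = $2
            reason = $NF; gsub(/[()]/, "", reason)
            name = $0; sub(/^[^"]*"/, "", name); sub(/".*$/, "", name)
            print hash "\t" name "\t" reason
        }'
}

# Number of identities macOS considers usable (certificate + key + trust).
valid_identity_count() {
    printf '%s\n' "$1" | awk '
        /Valid identities only/ { valid = 1; next }
        valid && /^ *[0-9]+\) / { n++ }
        END { print n + 0 }'
}

# Succeed when a valid identity whose name starts with $2 is present in $1,
# e.g. identity_valid "$LISTING" "Developer ID Application".
identity_valid() {
    printf '%s\n' "$1" | awk -v prefix="$2" '
        /Valid identities only/ { valid = 1; next }
        valid && index($0, "\"" prefix) > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

LISTING=$(identity_listing)
echo "Broken identities (candidates for deletion in Keychain Access):"
broken_identities "$LISTING"
echo "Valid identities: $(valid_identity_count "$LISTING")"
if identity_valid "$LISTING" "Developer ID Application"; then
    echo "Developer ID Application identity is usable."
else
    echo "No usable Developer ID Application identity found."
fi
```

One caveat: a certificate whose private key is missing is not an identity at all, so `find-identity` will not list it in either section. Such orphaned certificates still appear in Keychain Access (without a disclosure triangle) and have to be removed by hand as described in the purge section.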
That failed also, so now what am I meant to do?
At this point, it appears that your private keys are shot: the certificates may still exist, but the private keys they were issued for are no longer on your machine. Below is Apple's take on that.
Optionally, contact Apple at product-security@apple.com if you need to revoke Developer ID certificates. Alternatively, you can continue to develop and distribute apps by creating additional Developer ID certificates, as described in Creating Additional Developer ID Certificates.
Apple's official code signing help document
I created this document based upon what I had to go through the other night when our own code signing identities suddenly stopped working. If nothing here works for you, then maybe read the official help document from Apple.
developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/Troubleshooting/Troubleshooting.html