xamarin-macios
xamarin-macios copied to clipboard
xamarin
[xcode11-support] No support for Apple Distribution/Development certificates - "Apple Development"
From Xcode's release notes (beta 3):
Xcode 11 supports the new Apple Development and Apple Distribution certificate types. These certificates support building, running, and distributing apps on any Apple platform. Preexisting iOS and macOS development and distribution certificates continue to work, however, new certificates you create in Xcode 11 use the new types. Previous versions of Xcode don’t support these certificates.
New certificates have Apple Development not 'iPhone Developer', 'iOS Development': https://github.com/xamarin/xamarin-macios/issues/7171
One note here. I just ran into a problem with VSMac (version 8.2.2) wherein it cannot find the Apple Development certs, because the project properties UI does not acknowledge them. I had to manually edit the project file and insert the exact name of the certificate before it would sign properly. (Once done, however, it does sign properly.) For this issue to be properly resolved, we would need to update the VSMac project designer to properly handle these certificates as well.
We got it working by editing the .csproj file and manually specifying the name of the certificate as seen in the KeyChain
<CodesignKey>Apple Distribution: Company Pty Ltd (5W******)</CodesignKey>
Visual Studio Mac 2019 (latest) still didn't recognise it, but it built in release mode.
also noticed the issue on our mac build server running msbuild.
we use fastlane match to prep the certs, and started noticing issues only for newly minted xcode 11 certs. older xcode 10 certs still build, but this is a growing concern as certs are expiring, and some have already...
i noticed in https://developer.apple.com the new xcode 11 certs would say "Distribution" vs "iOS Distribution" as they did before, I also noticed the "Apple Development" and "Apple Distribution" names on the xcode 11 certs (i believe):
# ran with msbuild /verbosity:detailed to get this extra info
# this is the start of our troubles
Using "DetectSigningIdentity" task from assembly "/Library/Frameworks/Mono.framework/External/xbuild/Xamarin/iOS/Xamarin.iOS.Tasks.dll".
Task "DetectSigningIdentity"
...
# when it looping through the certs, i believe "Apple Distribution" and "Apple Development" are new xcode 11 ones ...
The certificate 'Apple Development: <developer> (<random>)' does not match any of the prefixes 'iPhone Developer', 'iOS Development'.
The certificate 'iPhone Distribution: <app_owner> (<random>)' does not match any of the prefixes 'iPhone Developer', 'iOS Development'.
The certificate 'Apple Distribution: <app_owner> (<random>)' does not match any of the prefixes 'iPhone Developer', 'iOS Development'.
...
# when looping through provisioning profiles, i see thumbprint issues...
The profile 'match AppStore <name1>' is not applicable because its id (bundle_id_1) does not match the bundle identifer <bundle_id_we_are_building>.
The profile 'match AppStore <name2>' is not applicable because its id (bundle_id_2) does not match the bundle identifer <bundle_id_we_are_building>.
The profile 'match Development <bundle_id_we_are_building>' might not be applicable because its developer certificate (of 1 certificates) Apple Development: <developer> (<random>)'s thumbprint (<developer_thumbprint>) is not in the list of accepted thumbprints (<thumbprint_1>,<thumbprint_2> ... )
# this repeats for 'match AppStore <bundle_id_we_are_building>' and any other profiles matching <bundle_id_we_are_building>
...
# the final error is this, what we'd see on verbosity:quiet as well
/Library/Frameworks/Mono.framework/External/xbuild/Xamarin/iOS/Xamarin.iOS.Common.targets(693,3): error : Could not find any available provisioning profiles for <assembly_name> on <project_name>. [/path/to/project/<project_name>.csproj]
I just ran into this same issue today as our certificates are about to expire. Any word on when this will be resolved?
Any updates on this? We have also run into this issue, and editing anything manually isnt a solution, since we build white labelled apps (each with different signing identity) with Jenkins (using Visual Studio for mac)...
When I select the 'new' distribution cert manually in the 'Signing Identity', I can leave the 'Provisioning Profile' option on 'automatic' and it works. But if I put 'Signing Identity' to 'Distribution: Automatic' it cant sign the app.
This is clearly a bug, but is it really just xamarin? Or Visual Studio for mac in general?
I have my build tools in ruby and use fastlane match to manage certs.
this is a workaround to drop the certs into the csproj before you build.
require 'nokogiri' # xml library
# use fastlane match to get cert ids for development any/or appstore
dev_cert = nil
appstore_cert = nil
matches = `bundle' exec fastlane match`.match(/Common\sName\s+\|\s+([^ ].*[^ ])\s+\|\n/)
if matches
if matches[1] =~ /(Development|Developer)/
dev_cert = matches[1]
elsif matches[1] =~ /Distribution/
appstore_cert = matches[1]
end
# backup csproj
csproj = "your_project.csproj"
csproj_bak = "#{csproj}.bak"
csproj_doc = Nokogiri::XML(File.read(csproj))
File.rename(csproj, csproj_bak) unless File.exists?(csproj_bak)
# replace certs where available
# TODO: verify these are the "Condition" used by your development / appstore builds
csproj_doc.at_css('PropertyGroup[Condition*="\'Debug\|iPhone\'"] > CodesignKey').content = dev_cert if dev_cert
csproj_doc.at_css('PropertyGroup[Condition*="\'AppStore\|iPhone\'"] > CodesignKey').content = appstore_cert if appstore_cert
# write this out and run your build
File.write(csproj, csproj_doc.to_xml)
I noticed someone did a PR to fix this. Did that actually fix the issue? Any updates on when this might be released? Just had to redo all my certs and now all my devops builds are failing.
Can someone pass an example of how it should be in the csproj? If would do it manually as a workaround? Mine original one is like below. What should I change? Or where do I get the reference of CodeSignKey and Provision?
<PropertyGroup Condition=" '$(Configuration)|$(Platform)' == 'Release|iPhone' ">
<DebugType>none</DebugType>
<Optimize>true</Optimize>
<OutputPath>bin\iPhone\Release</OutputPath>
<ErrorReport>prompt</ErrorReport>
<WarningLevel>4</WarningLevel>
<MtouchArch>ARM64</MtouchArch>
<CodesignKey>iPhone Distribution: Company Name (##########)</CodesignKey>
<CodesignEntitlements>Entitlements.plist</CodesignEntitlements>
<CodesignProvision>AppDev-DistProvisioninfProfile</CodesignProvision>
</PropertyGroup>
@alwydl try changing CodesignKey from iPhone Distribution: ... to Apple Distribution: ...
Thanks for the tip @rolfbjarne . What fixed here for me was to update VS Win to latest. Now it has a Automatic Certification tool that enable you to create a new certificate direct on it. Go to Apple Developer page and generate new Distribution profiles.
Hope it helps anyone, because nowhere on documentation I'd find out about this change.
@acastr7 this one? https://github.com/xamarin/xamarin-macios/pull/6797
just wondering if someone can confirm
When Apple finally decides to deprecate the old profiles, Xamarin will have a huge problem in their hands.
Using a Apple Development: ... certificate should work just fine now (at the very least at build time; I'm not entirely sure whether you can select it in the IDE for Xamarin.Mac projects, but manually editing in the csproj should work just fine).
In any case this is fixed for .NET projects (all platforms).
You cannot select it in the IDE (visual studio). You can manually edit the csproj. Set the CodeSigningKey and the CodeSignProvision. But you cannot then use the workflow -> archive for publishing -> sign and distribute. But you can grab the package from the build folder instead. This is workable but not user friendly and very confusing for users needing to update apps with the 'new' type of cert.
This should clearly be fixed. iOS projects do not have this issue. Why can visual studio not support Mac signing at the same level. They are the same cerficates?
