Expiration perspiration

All hell broke loose for me in the Program Portal and Xcode today: welcome to 2009 and the expiration of development certificates over the holiday break. It’s far from obvious what is causing these problems, hence this quick essay to help others avoid them now and in the future. I’m sure that I’ll refer back to this essay on January 13th, 2010 when my latest certificates expire.

The problems began when I noticed that new devices couldn’t be added to an existing Ad Hoc provisioning profile. I assumed that meant something had changed in the Program Portal, so I wrote up a Radar ID# 6489692.

I then began looking for a workaround to the problem. When I tried to create a new distribution profile (using Program Portal > Provisioning > Distribution > Add Profile) I saw “Create a distribution certificate” instead of our company name. That led me to the root of the problem: our distribution and development certificates had expired.

A quick way to identify this problem is to open Keychain Access and do a search for “iPhone”. If you see a red X after “iPhone Distribution” or “iPhone Developer”, you have a lot of work to do.

Luckily, I had a copy of the original Certificate Signing Requests (CSRs) so recreating the certificates was straightforward. Words to the wise: keep a copy of your CSRs along with your private developer key. If you’re not backing this stuff up in a safe place, you’re going to have some serious headaches in the future.

If you don’t have the original CSRs, you’ll need to follow the steps on the portal. Good luck.

Once I had approved the requests and the new certificate was issued, my Ad Hoc profile magically started working again on the Program Portal. Unfortunately, the magic didn’t extend to the development profiles. My developer certificate (“iPhone Developer: Craig Hockenberry”) had expired, but a reference to the previous one was still in the profile. To work around this problem, I clicked on Edit > Modify on the Program Portal > Provisioning > Development page. On that page I added a checkbox to the second instance of my name (representing the developer certificate). Once that was done, I generated new provisioning profiles.

As we all know, that’s only the beginning. To make Xcode happy, I removed the expired certificates from Keychain Access and downloaded new copies from the portal. Make sure to clear the search field; if you don’t, you’ll get confused because the search doesn’t refresh after the new certificate is loaded.

I then downloaded the new provisioning profiles and moved them into Home > Library > MobileDevice > Provisioning Profiles. After doing this, you need to quit and restart Xcode. Open your project file, select Project > Edit Project Settings from the menu bar and update the Code Signing Identity settings for each build configuration. Then say a little prayer and do a build. If there is a God, you’ll have a new signed binary.

To those Apple employees that are reading this, here’s a suggestion: send an email to a developer whose certificates are about to expire. The current system requires the developer to dig around a complex system to figure out what is broken. Since this system is designed to break over time (through expiration) please let us know it’s about to happen. It will make things easier for everyone involved.
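Until such a notice exists, the same expiry dates that Keychain Access flags with a red X can be checked ahead of time from a script. The following is an added example, not part of the original post: it assumes macOS's `security` tool and `openssl` are available, and the 30-day warning window, the function names and the sample certificate subjects are constructed for illustration.

```python
import re
import subprocess
import sys
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed sample of `openssl x509 -noout -subject -enddate` output (not real certs).
SAMPLE = [
    "subject=CN = iPhone Developer: Example Dev\nnotAfter=Jan 13 21:04:11 2010 GMT\n",
    "subject=CN = iPhone Distribution: Example Co\nnotAfter=Dec 28 09:30:00 2008 GMT\n",
    "subject=CN = iPhone Developer: Other Dev\nnotAfter=Jan  9 00:00:00 2009 GMT\n",
]

def parse_enddate(text):
    """Return (subject, notAfter as aware UTC datetime) from openssl's output."""
    subject = re.search(r"^subject=\s*(.*)$", text, re.M).group(1).strip()
    raw = re.search(r"^notAfter=(.*)$", text, re.M).group(1)
    # openssl space-pads single-digit days ("Jan  9"), so collapse whitespace first.
    when = datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z")
    return subject, when.replace(tzinfo=timezone.utc)

def classify(not_after, now, warn_days=30):
    """Return (status, whole days remaining); days is negative once expired."""
    days = (not_after - now).days
    if not_after <= now:
        return "expired", days
    return ("expiring" if days < warn_days else "ok"), days

def report(openssl_outputs, now, warn_days=30):
    """Rows of (status, days, subject), most urgent first."""
    rows = []
    for text in openssl_outputs:
        subject, not_after = parse_enddate(text)
        rows.append(classify(not_after, now, warn_days) + (subject,))
    return sorted(rows, key=lambda row: row[1])

def keychain_outputs(name="iPhone"):
    """macOS only: describe every keychain certificate whose name matches."""
    pem = subprocess.run(["security", "find-certificate", "-a", "-c", name, "-p"],
                         capture_output=True, text=True, check=True).stdout
    return [subprocess.run(["openssl", "x509", "-noout", "-subject", "-enddate"],
                           input=block, capture_output=True, text=True,
                           check=True).stdout for block in PEM_RE.findall(pem)]

if __name__ == "__main__":
    outputs = keychain_outputs() if sys.platform == "darwin" else SAMPLE
    for status, days, subject in report(outputs, datetime.now(timezone.utc)):
        print(f"{status:9} {days:5d}d  {subject}")
```

Run on a schedule, any row marked `expiring` is the cue to renew the certificate and regenerate the provisioning profiles tied to it before builds start failing.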

Updated January 13th, 2009: You will also need to recreate the App Store provisioning profile for “iPhone Distribution”. Since it’s tied to the same distribution certificate that your Ad Hoc profile is, you’ll see “<matching certificate identity with private key not found in login keychain>” displayed when you try to select the Code Signing Identity in your Project Settings. Again, the portal is very awkward here: I needed to do the Edit > Modify > Submit with no changes to force the creation of a new .mobileprovision file. Once downloaded and installed in Library > MobileDevice > Provisioning Profiles, Xcode populated the signing identity list correctly.