Posted   by 

No Signing Certificate Mac App Distribution Found

NOTE This guide is superseded by the documentation here…

This guide will help you to set up automated deployment of your app, using CircleCI.

Signing

Before beginning, you should set up your app on CircleCI, and ensure that you have a green build with all tests passing.

  1. Upload your .P12 file in Project Settings > iOS Code Signing.
  2. Add your provisioning profile (.mobileprovision) file to your repo.
  3. Set GYM_CODE_SIGNING_IDENTITY to match your code-signing identity, ie 'iPhone Distribution: Acme Inc.'.
  4. Build with gym and deploy with ipa.

Background - Code Signing Process

The MD5, SHA-1 and SHA-256 fingerprints of the upload and app signing certificates can be found on the app signing page of the Play Console. Other fingerprints can also be computed by downloading the original certificate (.der) from the same page. The following are the different types of keys and keystores you should understand. You can open Keychain.app on the Mac and look for the signing certificate you expect to work. It should have a Public and Private key. Try manually selecting what you expect to work via the Properties iOS Bundle Signing menu of the iOS project. First, select the certificate you expect to work. You create a provisioning profile for an app and associate a distribution certificate to it. Only certificates assigned to the profile can be used to sign the app. Therefore, you need to create a new provisioning profile in case you add or change a distribution certificate. Go to Certificates, IDs & Profiles. The reason you're seeing that 'no found' error is due to the short life of the profile used with the app on your device.

The code-signing process for iOS apps can seem difficult at first, but once familiar with the concepts the process is less daunting.

There are 2 necessary items for signing an app:

  1. A provisioning profile (.mobileprovision)
  2. A corresponding developer private-key (.p12).

With these 2 files, and an XCode project the goal is to produce 2 files:

  1. A signed application (.ipa)
  2. A debug symbols archive (.app.dSYM.zip).

The .ipa file is the application file that can be distributed to your testers using a service such as Crashlytics Beta or Hockey App. The debug symbols file will be used by your distribution service of choice to produce call-stacks helping you to debug any crashes in your app that testers encounter.

OSX circle Keychain

When signing an app, Xcode will look in any keychains on the machine to find the necessary credentials.

When you build on CircleCI, a new keychain named circle.keychain is created. The password for this keychain is circle. This keychain is unlocked for the duration of the build, and it is added to the default search path, so any credentials stored in this keychain are available to Xcode.

Any P12 certificates that you upload to CircleCI in Project Settings will be added to circle.keychain before your build begins. Any Provisioning Profiles files that are found in your repository will also be added to circle.keychain.

1. Install Fastlane tools locally

This guide assumes that you are developing on a Mac running OSX. The first step is to install the Fastlane tools. If you are using the system Ruby, you can install using

Or if you are using a Ruby installed using Homebrew you can install as the current user:

The tools take a few minutes to install, so a little patience is required. For more information check out the Fastlane installation guide.

2. Create and Upload a Code Signing Certificate

To create a code signing certificate and keys we will use the cert Fastlane tool. Open a terminal in the root of the repository and run the following commands:

This will create 3 files in the certificates directly, all named after the certificate. In my case the certificate is named NK5Z971JCM but this will be different for each project.

The .certSigningRequest and .cer files are not needed to sign your app using CircleCI. You can delete these files if you have no need for them. The .p12 file is the private ket for your code-signing identity.

You can now upload the .p12 file to your project on CircleCI in Project Settings > iOS Code Signing. When your build runs this p12 file will be added to the circle keychain automatically.

3. Create A Provisioning Profile

Use the sigh tool to create a new provisioning profile.

This will create a provisioning profile (a file with the .mobileprovision extension) in the root of your repository. You can move this file to any folder that you like, and then add the file to your repository.

During the build on CircleCI the provisioning profile will be found and installed for use by Xcode.

4. Find Your Code Signing Identity name

No Signing Certificate Mac App Distribution Foundation

One your local machine run the following command to list the current code-signing identities installed on your machine.

You should see output like the following:

The string with the form 'iPhone Distribution: Acme Inc. (GL31ZZ3256)' is your code-signing identity. You might have more than one identity on your local machine, so choose the correct one for your app. You should add this to your circle.yml file as follows, so that it’s available during the build:

4. Sign Your App on CircleCI

We recommend using Fastlane Gym to build a signed app. gym is pre-installed on our containers, so it’s easy to set up. The first step is to add a new deployment command in your circle.yml file.

You should take a few minutes to read the documentation on deployments using CircleCI. The deployment stanza above instructs CircleCI to run the gym command on each successful build of the master branch. The beta_distribution is just a name for the deployment. You can use any name here.

You might need to pass additional parameters to gym to specify exactly which configuration to build, but in most cases these are not necessary. You should run gym locally specifying GYM_CODE_SIGNING_IDENTITY or --codesigning_identity until you get a signed app.

Deployment

Once you have a signed app you are on the homeward stretch. Distributing the app is easy. At CircleCI, we recommend using shenzhen to distribute your app. Shenzhen supports many distribution services such as iTunes Connect, HockeyApp, Beta by Crashlytics and TestFairy.

Hockey App

Log in to Hockey app and create a new API token at https://rink.hockeyapp.net/manage/auth_tokens Your token will need at least upload permission to upload new builds to Hockey App. Give your new API token a name specific to CircleCI such as 'CircleCI Distribution'. Copy the token, and log into CircleCI and visit the Project Settings for your app. Create a new Environment Variable with the name HOCKEY_APP_TOKEN and paste the token as the value. You can now access this token during the build.

Modify the deployment section of your circle.yml as follows:

Beta By Crashlytics

First, we need to get some credentials. Log in to Fabric.io and visit your organization’s settings page.

Click on your organisation (CircleCI in the image above), and click on the API key and Build Secret links to reveal the items.

In CircleCI, navigate to your App’s Project Settings page, and under Environment Variables add 2 new items named CRASHLYTICS_API_KEY and CRASHLYTICS_SECRET, with the values you find on Crashlytics website.

You can then modify the deployment section of your circle.yml as follows:

TestFairy

To set up your app on TestFairy first visit the preferences page in the TestFairy dashboard and navigate to the API Key section. Copy your API key and go to your App’s Project settings on CircleCI. Add a new Environment Variable named TESTFAIRY_API_KEY and paste in the API key from the TestFairy dashboard.

Next, you need to edit your circle.yml as follows:

Help – It Didn’t Work!

Exportarchive no signing certificate mac app distribution found

No valid signing identities

If you get an error like

or

Then xcode was not able to find the correct keychain to use. The first step to take is to example the output of the “Install Code Signing Credentials” step of the build on CircleCI. This is listed under “machine”. Expand the output and you should see output like the following:

In this example there is one valid code-signing identity, 'iPhone Distribution: UTAH STREET LABS INC (GL92ZZ6423)'. The goal is to pass this literal string to xcode. If you are building with Fastlane and gym, then you should ensure that you have your code-signing identity string in your circle.yml like this:

Exportarchive No Signing Certificate Mac App Distribution Found

Or that you pass this string to gym with the --codesigning_identity flag.

If you are calling xcodebuild directly you should pass your code-signing identity as the CODE_SIGN_IDENTITY= parameter, for example CODE_SIGN_IDENTITY='iPhone Distribution: Acme Inc. (GL31ZZ3256)'.

No provisioning profiles matching an applicable signing identity were found

If you get an error message that says:

This means that you have a valid P12 file, but there was no matching provisioning profile found. The first thing to check is that you have a valid provisioning profile file (.mobileprovision) checked in to your repository. Then take a look at the output from the “Install Code Signing Credentials” step of the build. It should no longer be saying 'No provisioning profiles found in repository.' The output shout give a list of the provisioning profiles that were found as follows:

My build fails with a timeout during code-signing

If your build fails with a timeout during the code-signing process, the issue is usually that the correct keychains are not unlocked, or the keychains are not added to the system search path. The first thing to check is the output of security list-keychains. You should add a step to your build to run security list-keychains immediately before the command that times out.

You should see the following:

You need to ensure that login.keychain and circle.keychain are in this list. If you are adding a custom keychain using your own commands, make sure that you are unlocking the keychain too. Make sure you are doing something like the following:

What Does “Install Code Signing Credentials” Do?

The “Install Code Signing Credentials” step of OSX builds is where we prepare the container for code-signing before your builds runs.

  1. We create a new keychain called circle.keychain with password circle. We unlock this keychain and add it to the system search path so xcode can access it.
  2. We install any P12 certificates that you have uploaded in project settings to circle.keychain
  3. We look through your repo and find any provisioning profiles you have. We copy any profiles to ~/Library/MobileDevice/Provisioning Profiles, and we add any certificates in the provisioning profiles to circle.keychain (the public key in the provisioning profile should match the private key in the P12 file).
  4. We call security find-identity -p codesigning to list the keychains in the build output.