Certificates Magically Re-appearing in your keychain? Try this

by: dermdaly

We’ve had this ongoing issue on our Continuous Integration server which had us scratching our heads. It went like this:

  1. We create a certificate for our CI “Developer”
  2. We add him to the provisioning profile
  3. The build is fine
  4. Some time later, we update the provisioning profile and install it. We remove the old certificate from the keychain
  5. On each subsequent build, the old certificate magically re-appears in the keychain, and the code signing fails because there are multiple matching certificates in the keychain

If you’ve seen this, here’s what I think is happening, and here’s how you work around it.

The certificate is embedded in the provisioning profile. During the code signing process, a check is made to see if this certificate is in the keychain; if it isn’t, the code signing process adds it to the keychain. Because the keychain has a matching private key, the certificate is now valid again, but cannot be used, as you now have 2 keys with the same identity in the keychain.

We tried deleting the older certificate time and time again, but the build process always brought it back. So frustrating. Also, there are radars about this (example), and there are questions on StackOverflow about it.

But here’s a little tip that helps. Note that the certificate is put back into the keychain, but codesign will only work with a certificate whose private key is also in the keychain. The problem arises when the re-inserted certificate has its private key in the keychain.

So, next time this happens:

  1. Locate the older, duplicate certificate
  2. Expand it
  3. Delete its private key

Now, even if you remove the certificate also, and even if your build re-instates the certificate, the private key will not be in the keychain, and so this older, duplicate certificate will not be used to sign your binary.
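A check a CI job can run before the build to catch this condition, as an added example that is not part of the original post: it parses the output of `security find-identity -v -p codesigning`, which lists only certificates whose private key is in the keychain, and reports any identity name backed by more than one certificate. The function names, the sample listing and its names and hashes are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag signing identities that codesign would find ambiguous.

# Constructed sample of `security find-identity -v -p codesigning` output.
# Names and SHA-1 hashes are made up; entries 1 and 2 share one name.
sample_find_identity_output() {
    cat <<'EOF'
  1) 1111111111111111111111111111111111111111 "iPhone Developer: CI Builder (EXAMPLE123)"
  2) 2222222222222222222222222222222222222222 "iPhone Developer: CI Builder (EXAMPLE123)"
  3) 3333333333333333333333333333333333333333 "iPhone Distribution: Example Co (EXAMPLE456)"
     3 valid identities found
EOF
}

# Reads find-identity output on stdin. Prints "<name>: <hash> <hash> ..."
# for every identity name backed by more than one certificate hash.
duplicate_identities() {
    awk '
        # Identity lines look like:  N) <40 hex digits> "<name>"
        $1 ~ /^[0-9]+\)$/ && length($2) == 40 && $2 ~ /^[0-9A-Fa-f]+$/ {
            start = index($0, "\"")
            if (start == 0) next
            name = substr($0, start + 1)
            sub(/"[^"]*$/, "", name)   # drop closing quote and trailing text
            if (!seen[name SUBSEP $2]++) {
                count[name]++
                hashes[name] = hashes[name] " " $2
            }
        }
        END {
            for (n in count)
                if (count[n] > 1) printf "%s:%s\n", n, hashes[n]
        }
    '
}

# On a macOS build agent, feed it the real listing instead of the sample:
#   security find-identity -v -p codesigning | duplicate_identities
# Once the old private key is deleted, the old certificate is no longer an
# identity, so the name stops being reported even if the certificate returns.
sample_find_identity_output | duplicate_identities
```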

Yay. Go us.



  1. thanks, your comment really helped

  2. This makes so much sense and solved my problem, you saved me a day of googling and fixing!

  3. It works!! thanks a lot!

  4. Thanks a million – I hate these bloody time wasting xcode bugs!

  5. Learn something new every day… Thanks man!

  6. Awesome! I had been struggling for HOURS with this. great find!

  7. Awesome. Your writeup is exactly what I was seeing. Your solution perfect. Only problem is that it took me an hour before I found your solution. Thanks

  8. This still didn’t fix it for me :-/ As long as there was at least one provisioning profile using the expired certificate XCode managed to bring it back to the keychain. What did it for me eventually was to remove every single provisioning profile using the expired certificate or editing and re-submitting them without any changes so that they were using the re-generated certificate. At this point the portal stopped referring to the expired/revoked certificate. On top of that I removed all the provisioning profiles as well from the organizer and hit “refresh” to sync again with the portal and voila: the old certificate was finally gone for good. Phew…

  9. That did the trick… thanks!! 🙂

  10. It does the trick.
      Thanks for the tip.

  11. Worked for me, thanks for sharing. Go you, indeed.

  12. OMG. it totally worked. Thank you so much. I was trying to avoid having to redo the provisioning stuff to bypass this.

      But it totally worked. YEAY

  13. Thanks, it worked for me….

  14. YAY! Worked Perfectly!


