We’ve had this ongoing issue on our Continuous Integration server which had us scratching our heads. It went like this:
- We create a certificate for our CI “Developer”
- We add that certificate to the provisioning profile
- The build is fine
- Some time later, we update the provisioning profile and install it, and we remove the old certificate from the keychain
- On each subsequent build, the old certificate magically reappears in the keychain, and code signing fails because there are multiple matching certificates in the keychain
If you’ve seen this, here’s what I think is happening, and here’s how you work around it.
The certificate is embedded in the provisioning profile. During the code signing process, a check is made to see whether that certificate is in the keychain; if it isn’t, the code signing process adds it to the keychain. Because the keychain still holds a matching private key, the certificate is valid again, but it cannot be used, as you now have two signing identities with the same name in the keychain.
We tried deleting the older certificate time and time again, but the build process always brought it back. So frustrating. Also, there are radars about this (example), and there are questions on StackOverflow about it.
But here’s a little tip that helps. Note that the certificate is put back into the keychain, but codesign will only work with a certificate whose private key is also in the keychain. The problem arises because the re-inserted certificate has its private key in the keychain.
So, next time this happens:
- Locate the older, duplicate certificate
- Expand it
- Delete its private key
Now, even if you also remove the certificate, and even if your build reinstates it, the private key will not be in the keychain, so this older, duplicate certificate will not be used to sign your binary.
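As an added example (not part of the original post), here is a shell pre-build check that spots the failing state described above, two valid code-signing identities with the same name, by parsing the output of `security find-identity -v -p codesigning`; the sample output and its hashes are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: detect duplicate code-signing
# identities before a build. It parses `security find-identity -v -p codesigning`
# output; the sample inputs below are constructed, with placeholder hashes.

# Print each quoted identity name that appears more than once on stdin.
find_duplicate_identities() {
    # Identity lines look like:  1) <40 hex SHA-1> "iPhone Developer: Name (TEAMID)"
    # The trailing "N valid identities found" line does not match and is dropped.
    sed -n 's/^ *[0-9][0-9]*) [0-9A-F]* "\(.*\)"$/\1/p' | sort | uniq -d
}

# Gate for the CI job: fail early with a readable message instead of letting
# codesign fail later on "multiple matched certificates". Returns 1 on duplicates.
check_keychain_identities() {
    dups=$(find_duplicate_identities)
    if [ -n "$dups" ]; then
        printf 'Duplicate code-signing identities in keychain:\n%s\n' "$dups" >&2
        return 1
    fi
    return 0
}

# Constructed sample: the old certificate has been re-added beside the new one,
# so two valid identities carry the same name (exactly the failing state above).
SAMPLE_DUPLICATE='  1) 1111111111111111111111111111111111111111 "iPhone Developer: CI Developer (ABCDE12345)"
  2) 2222222222222222222222222222222222222222 "iPhone Developer: CI Developer (ABCDE12345)"
     2 valid identities found'

# Constructed sample: only the current certificate is present.
SAMPLE_CLEAN='  1) 2222222222222222222222222222222222222222 "iPhone Developer: CI Developer (ABCDE12345)"
     1 valid identities found'

# On the CI machine itself the check would be run as:
#   security find-identity -v -p codesigning | check_keychain_identities
```

Once the duplicate is gone, the build can also be pinned to one specific certificate by passing its SHA-1 hash (the first column in that output) instead of its name to `codesign -s`, which removes the ambiguity even if an old certificate gets re-added.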
Yay. Go us.