Certificates Magically Re-appearing in your keychain? Try this

by: dermdaly

App development companies. Tapadoo logo

We’ve had this ongoing issue on our Continuous Integration server which had us scratching our heads. It went like this:

  1. We create a certificate for our CI “Developer”
  2. We add him to the provisioning certificate
  3. The build is fine
  4. Some time later, we update the provisioning profile, and install this – We remove the old certificate from the key chain
  5. Each subsequent build, the old certificate magically re-appears in the key chain, and the code-signing fails as there are multiple matched certificates in the keychain

If you’ve seen this; here’s what I think is happening, and here’s how you work around it.

The certificate is embedded in the provisioning certificate. During the code signing process, a check is made to see if this is in the keychain; if it isn’t, the code signing process adds it to the keychain. Because the keychain has a matching private key, the certificate is now valid again, but cannot be used, as you now have 2 keys with the same identity in the keychain.

We tried deleting the older certificate time and time again, but the build process always brought it back. So frustrating. Also; there’s radars about this (example, and there’s questions on StackOverflow about it.

But here’s a little tip that helps; Note the certificate is put back into the keychain, but codesign will only work with a certificate where the private key is also in the keychain. The problem arises when the re-inserted certificate has its private key in the keychain.

So, next time this happens

  1. Locate the older, duplicate certificate
  2. Expand it
  3. Delete it’s private key

Now, even if you remove the certificate also, and even if your build re-instates the certificate, the private key will not be in the keychain, and so this older, duplicate certificate will not be used to sign your binary.

Yay. Go us.

Back to Blog

You May Also Like

We built a product in a lockdown

At the start of the lockdown, around March last year, I have to admit a case of the jitters. I was prospecting on five different projects. Some with existing clients, some with new clients. Our order book was good - but we always have to have an eye on up coming...

read more
The Rise of the Super App

The Rise of the Super App

Imagine being able to chat with your friend through instant messaging, then book dinner, a movie or a gig and pay for everything all from one single app. That’s the power of a super app.  Mobile users worldwide have dedicated apps for specific tasks. This is not...

read more

15 Comments

  1. Clemens
    Clemens on July 29, 2012 at 3:49 pm

    thanks, your comment really helped

    Reply
  2. Benjamin
    Benjamin on August 4, 2012 at 4:39 pm

    This makes so much sense and solved my problem, you saved me a day of googling and fixing!

    Reply
  3. david
    david on August 10, 2012 at 10:15 pm

    It works!! thanks a lot!

    Reply
  4. Sean
    Sean on August 23, 2012 at 7:30 pm

    Thanks a million – I hate these bloody time wasting xcode bugs!

    Reply
  5. Noam
    Noam on September 2, 2012 at 12:05 pm

    Learn something new every day… Thanks man!

    Reply
  6. Gus
    Gus on September 2, 2012 at 2:07 pm

    Awesome! I had been struggling for HOURS with this. great find!

    Reply
  7. Rob Gorman
    Rob Gorman on September 6, 2012 at 4:53 am

    Awesome. Your writeup is exactly what I was seeing. Your solution perfect. Only problem is that it took me an hour before I found your solution. Thanks

    Reply
  8. Marcin
    Marcin on October 4, 2012 at 11:02 pm

    This still didn’t fix it for me :-/ As long as there was at least one provisioning profile using the expired certificate XCode managed to bring it back to the keychain. What did it for me eventually was to remove every single provisioning profile using the expired certificate or editing and re-submitting them without any changes so that they were using the re-generated certificate. At this point the portal stopped referring to the expired/revoked certificate. On top of that I removed all the provisioning profiles as well from the organizer and hit “refresh” to sync again with the portal and voila: the old certificate was finally gone for good. Phew…

    Reply
  9. DKLA
    DKLA on October 12, 2012 at 6:07 pm

    That did the trick… thanks!! 🙂

    Reply
  10. Rafael
    Rafael on October 23, 2012 at 7:06 pm

    It does the trick.
    Thanks for the tip.

    Reply
  11. Nigel Street
    Nigel Street on November 1, 2012 at 11:00 am

    Worked for me, thanks for sharing. Go you, indeed.

    Reply
  12. Thomas
    Thomas on December 23, 2012 at 12:07 pm

    Thanks!!!!!!!

    Reply
  13. €
    on March 22, 2013 at 3:40 am

    OMG. it totally worked. Thank you so much. I was trying to avoid having to redo the provisioning stuff to bypass this.

    But it totally worked. YEAY

    Reply
  14. Priyanka
    Priyanka on March 27, 2013 at 8:50 am

    Thanks, it worked for me….

    Reply
  15. Sonny
    Sonny on May 8, 2013 at 5:55 am

    YAY! Worked Perfectly!

    Reply

Submit a Comment

Your email address will not be published. Required fields are marked *