codesign gives always no identity found error via terminal

J Bourne picture J Bourne · Apr 16, 2013 · Viewed 57.1k times · Source

I've looked through already existing questions, but none has solved my problems (like recreating certificates). I've built an app where inside the app I have few executables and folders and frameworks. Whenever I try to do codesign -s "our identity" my.app always gives no identity found. Can someone give a step by step process of this.

codesign -s "Developer ID Application: Sai***** (123123123J)" out/Release/Sai.app

Error

Developer ID Application: Sai****** (123123123J): no identity found,

I tried removing "Developer ID Application" and the serial number, but everything gives the same error

Looking for help in these lines

Thank You

Answer

gaige picture gaige · Apr 16, 2013

I had some trouble with this as well. Double-check that your code-signing identity is in your keychain, and you might consider using the SHA-1 fingerprint instead of the name after the -s.

You can find the SHA-1 fingerprint by opening up Keychain Access and selecting your Developer ID Application: FOO certificate, and then choosing Get Info. From here, scroll to the bottom of the information until you reach Fingerprints. The SHA-1 fingerprint here can be copied and you will have to remove all of the spaces, but after that you will have a 40-character identifier which will be appropriate for placing after the -s in your codesign statement.

If you are still having problems locating the key, try the following from Terminal:

certtool y | grep Developer\ ID

and look for anything with Developer ID Application in the Common Name to verify that the certificate is actually in a keychain that is accessible from Terminal. If you don't see anything in response, that would indicate that the keychain containing your credentials is unavailable to your Terminal session. Reasons for this would include things like the keychain being locked, the shell running as another user, executing the command with different permissions (such as sudo).

After executing the command above, you should have at a minimum the following:

Developer ID Application: <your company name>
Developer ID Installer: <your company name>
Developer ID Certification Authority

If you don't have all three, you should go and download the missing elements. Although you may not currently need to build an Installer, there's no harm in having it around. The Application and Installer elements can be downloaded from the Mac Certificates section of the Certificates, Identifiers, & Profiles tab on Apple's Developer site. You should have listings there that are not expired. You may have listings there as well that have expired. To install the certificates in your keychain:

  1. Access the Apple Developer Site
  2. Access the Mac Dev Center
  3. Access Certificates, Identifiers, & Profiles link
  4. Download the Certificates from the portal
  5. Double-click on the Certificates and Keychain Access should open
  6. Allow Keychain Access to add the Certificates to your Keychain

The Developer ID Certification Authority should have been installed by Xcode, but if it wasn't, you can install it yourself. You will need to download that separately from Developer ID Authority or by clicking on the + link in Certificates tab and use the link at the bottom to download the Certificate.

This would also be a good time to make sure that you have the Apple Worldwide Developer Relations Certification Authority, which is the basis for some of the signing tools. It should be installed in your System keychain, by the Xcode installer and can be downloaded directly from the + link in the Certificates tab above or from Apple WWDR CA.

According to Apple's App Distribution Guide, there are specific keychains that are appropriate for each of the Certificates and keys:

  • Your private Keys and your signing certificates (Developer ID Installer,Developer ID Application, and the App Store Certificates) should be in your login keychain
  • The Apple Worldwide Developer Relations Certification Authority and Developer ID Certification Authority belong in the System keychain
  • Your developer certificates also belong in your login keychain

Keychain Maintenance

Because Xcode automatically manipulates the keychains, and because some certificates are re-issued regularly when profiles change (although not for Developer ID, since it has multi-year certificates and doesn't require profiles), you can end up with a propagation of unnecessary and potentially confusing certificates in your keychain. It is a good idea to clean these out when they have expired, as they can create some confusion for Xcode.

WARNINGS

  • Before performing any maintenance on your Keychains, make sure you have a backup of your keychains
  • This process is intended for removing unnecessary Certificates relating to development, If the certificates don't start with Mac Developer, 3rd Party Mac Developer, iPhone Developer or Developer ID, do not mess with them at this time. If you accidentally delete the Certificate you received with an email (for example), even if it has expired, you may not be able to read the email that you received.

Things to do:

  1. Quit Xcode
  2. Run Keychain First Aid (from Keychain Access) and verify that your keychains are OK
  3. Click on the Certificates Category on the left sidebar
  4. Locate any expired developer certificates of the kinds mentioned above. They will show up with a small X in the lower right corner.
  5. Select the Certificates you will be removing and back them up by using File > Export Items...
  6. Put this file in a safe place and give it a good password
  7. Delete the Certificates which you have backed up
  8. Look through your remaining certificates and verify that you have the certificates mentioned in the preceding section. If you don't, you'll need to download, and possibly renew them.
  9. Verify that the certificates are in the keychains that are indicated above (all your signing certs should be in your login keychain, for example)