Import iOS signing certificate and provisioning profile into the Mac mini host

Learn how to import the signing certificate and mobile provisioning profile files used for signing your iOS app.

Before you start

- Export the appropriate signing certificates (.p12) and provisioning profiles (.mobileprovision) for the UDID of the device, then transfer the exported files into the Mac mini host.
- Download the Apple Worldwide Developer Relations - G3 (AppleWWDRCAG3.cer) file.
- Log into the Mac mini host(s) as the deviceconnect user.

All the sections below need to be performed on the Mac mini host.

Import Apple Worldwide Developer Relations G3 certificate

Skip this step if the Apple Worldwide Developer Relations Certification Authority - G3 certificate is already imported to the System keychain.

1. Open Keychain Access on the Mac mini host.
2. Select the System keychain, then select the Certificates tab.
3. Drag and drop the AppleWWDRCAG3.cer file into the Certificates list of the System keychain.
4. Input the password of the deviceconnect user to continue.
5. Double-check that the Apple Worldwide Developer Relations Certification Authority certificate appears in the list.
6. Double-click the above certificate to view its details.
7. Double-check that under Details, the Organizational Unit is G3. If the value is different, download the correct certificate and import again.

Import developer certificates

You can use either the Keychain Access app or Terminal commands to import the developer certificates.

Keychain Access

1. Open Keychain Access on the Mac mini host.
2. Select the System keychain, then select the Certificates tab.
3. Make sure the Apple Worldwide Developer Relations G3 certificate exists before continuing.
4. Drag and drop the .p12 file(s) into the Certificates list of the System keychain.
   To be able to drag and drop the .p12 file(s) into the Keychain Access app, the file(s) must be password-protected. If the file(s) are not password-protected, use the Terminal command to import them instead.
5. Input the password of the deviceconnect user to continue.
6. Input the password that protects the .p12 file to finish the import.

These steps require accessing the Mac mini host’s screen and cannot be done via SSH.

Terminal

1. Open Terminal on the Mac mini host and enter the following command, replacing <Path to the cert> with the full path to the .p12 certificate files and <Name of the cert> with the filename. The -A option allows any application to access the imported key without a prompt.

    sudo security import <Path to the cert>/<Name of the cert>.p12 -k /Library/Keychains/System.keychain -A

2. Enter the certificate password. If the certificate has no password, leave the field blank and click OK.
3. Repeat the above commands for each .p12 file if there are multiple files.

After importing, open Keychain Access on the Mac mini host (if not already opened). Select the System keychain, then select the Certificates tab. Double-check that:

- The imported certificate(s) appear in the list and there is an associated private key when expanding the certificate. If there is no associated private key, make sure you have imported the .p12 file that was exported from the machine on which you created the certificate signing request.
- The certificate status says "This certificate is valid". If the certificate status says "certificate is not trusted", you have not imported the Apple Worldwide Developer Relations - G3 certificate.

Do not manually trust the signing certificate using the Always Trust option in the certificate details when you see the "certificate is not trusted" message, as this will cause issues later.

If you see a signing certificate that has the status "This certificate is marked as trusted for all users", follow the steps below to undo the manual trust:

1. In Keychain Access, double-click the signing certificate to view its details.
2. In the certificate details, expand the Trust section. All the options under this section should be Always Trust if you manually trusted the certificate.
3. Set the value of When using the certificate to Use System Defaults. Doing so will set the rest of the options to no value specified.
4. Close the certificate details pop-up, then enter the password of the deviceconnect user to save the changes if prompted.
5. If the status of the certificate is now "certificate is not trusted", proceed to import the Apple Worldwide Developer Relations - G3 certificate and the status will change to "This certificate is valid".

Next, set the access control of the associated private key:

1. Expand the signing certificate, then right-click the associated private key and select Get info.
2. Select the Access Control tab, then choose Allow all applications to access this item (skip this step if the option is already selected).
3. Choose Save Changes. Enter the password of the deviceconnect user if prompted.
4. In the next pop-up, input deviceconnect for username and its password, then choose Allow.
5. Close the key information pop-up.

Confirm imported certificates and upload provisioning profiles for deviceConnect

Before importing, if your deployment includes multiple Mac mini hosts, make sure the Mac mini host has deviceConnect installed by opening the Chrome browser, navigating to the address localhost/#/System/IOS, and logging in. Only proceed if you can access the page and log in. Otherwise, move on to the next Mac mini host.

1. Under Available signing certificates, you can see all imported certificates from the above step.
2. Click Choose File under Upload provisioning profile.
3. Select a .mobileprovision file, and click Open to upload it. The uploaded profile should display under Installed provisioning profiles.
4. Restart deviceConnect services to apply the new provisioning profiles.

Resolve common errors with certificates and provisioning profiles in deviceConnect

This section provides possible resolutions to common errors related to certificates and provisioning profiles.

Open the Chrome browser on the Mac mini host, then navigate to the address localhost/#/System/IOS, and log in. This page can also be accessed from the menu by selecting System, then choosing iOS Management.

The iOS Provisioning Status page displays. This page has the following main sections:

- Devices: If you have connected the device and deviceConnect can recognize it, it will display in the list under Devices. For each connected device, check the Provisioning Profile columns first. If you see the green check icon, then there is no issue with the certificate or provisioning profile. If you see the red cross icon instead, then there are one or more issues that need to be addressed. You can select Details to view the issue.
- Installed provisioning profile: All imported provisioning profiles are included here. If there is an error with the provisioning profile, a message starting with Failed: displays.
- Available signing certificates: All imported signing certificates are included here. If there is an error with the certificate, a message starting with Failed: displays.

When there is an issue regarding signing certificates and profiles with at least 1 device, a warning permanently displays on the page until all issues are resolved. To dismiss the warning when all issues are resolved, a service restart is required.

Below are common error messages and how to fix them.

Common errors with signing certificate

Issues with signing certificates are reported under Available signing certificates.

- There are no signing certificates available.
  No signing certificate can be recognized by the system. Ensure you have imported the signing certificate into the correct location.
- Failed: An associated private key has restricted access
  The private key access is limited. Set the Access Control of its associated private key to Allow all applications to access this item, then restart deviceConnect and make sure the error no longer displays.
- Failed: certificate is expired
  If all imported certificates are expired, generate a new certificate then import it. If there is already a working certificate that is not expired, there is no issue to resolve. You can remove the expired certificates.

Common errors with provisioning profiles

Issues with provisioning profiles are reported under Installed provisioning profiles.

- There are no provisioning profiles installed
  Ensure you have imported the provisioning profile into the correct location.
- Failed: profile expired
  If all provisioning profiles are expired, generate or edit a provisioning profile then import it. If there is already a working provisioning profile that is not expired, there is no issue to resolve. You can remove the expired provisioning profiles.
- Failed: No signing certificate available.
  Explanation: The provisioning profile is not associated with any certificate(s) that are recognized by the system. Either there is no signing certificate imported, or the imported signing certificates are not selected when generating the provisioning profile.
  Make sure you have selected the correct signing certificate when generating the provisioning profile and imported the correct certificate. You can always edit and add the certificate.
  To verify that a certificate matches a provisioning profile, select the Plus icon of a provisioning profile to expand it, then compare the Certificate ID information under the provisioning profile with that of the signing certificate. If they are the same, then the certificate matches the provisioning profile. A provisioning profile can match multiple certificates and vice versa.
  On the Apple Developer site, the certificates do not have the certificate ID displayed and may have duplicated names. When in doubt, select all possible signing certificates when generating or editing the provisioning profile.

Common errors with provisioned device UDIDs

The errors regarding provisioned device UDIDs can be viewed by selecting Details of a device under Devices.

- Failed: ProvisionedDevices does not contain device udid
  Explanation: The device’s UDID is not included in any installed provisioning profiles. It is possible that the device is not added to Apple Developer, or the device UDID is not checked when generating or editing the provisioning profile.
  Make sure you have added the device to Apple Developer and selected the device UDID when generating the provisioning profile. You can always edit and add the device UDID.

Import developer certificates and provisioning profiles to deviceShare

Skip this section if you do not use the Kobiton app re-signing service.

If your deployment includes multiple Mac mini hosts, ensure that deviceShare is installed on the current Mac mini host before proceeding. To check if deviceShare is installed on the Mac mini host, navigate to the path /usr/local/kobiton/ and check for the presence of the deviceshare folder. If there is no such folder or the folder is empty, it means deviceShare is not installed. In this case, locate another Mac mini host where deviceShare is installed to continue with this section.

1. Open the Keychain Access app.
2. Select the System keychain, and then Certificates. You will see your Apple Development signing certificates along with all the other certificates.
3. Expand all the Apple Development signing certificates to show their private keys.
4. Shift-click to select all the Apple Development certificates and their private keys, then right-click and select Copy items.
5. Select the deviceshare keychain and then Certificates.
6. Right-click the empty area and choose Paste items. You will be prompted to enter your login keychain password and the password for the deviceshare keychain for each certificate imported.
   Retrieve the deviceshare keychain password from the deviceshare_config.toml file under the location /usr/local/kobiton/deviceshare/. The password is the <secret> value of the line below in the file:

    ios_keychain_paths = [ "/usr/local/kobiton/deviceshare/keychains/deviceshare.keychain@<secret>" ]

   In the example below, the password for the deviceshare keychain is Rand0m429!

    ios_keychain_paths = [ "/usr/local/kobiton/deviceshare/keychains/deviceshare.keychain@Rand0m429!" ]

7. Verify that the certificates and keys are imported successfully into the deviceshare keychain.

Then import the provisioning profiles:

1. Open the deviceshare_config.toml file located under /usr/local/kobiton/deviceshare/.
2. Locate the line starting with ios_provisioning_profile_paths. If the line is the same as below, skip this section as deviceShare is using the same folder as deviceConnect for provisioning profiles:

    ios_provisioning_profile_paths = [ "/usr/local/deviceconnect/ProvisioningProfiles" ]

   If the line is the same as below instead, continue to the next step:

    ios_provisioning_profile_paths = [ "/usr/local/kobiton/deviceshare/provisioning_profiles" ]

3. Move all provisioning profile files into one folder and note down the location.
4. Open Terminal and execute the command below, where /path/to/profiles/ is the location of all the provisioning profile files:

    cp -R /path/to/profiles/*.mobileprovision /usr/local/kobiton/deviceshare/provisioning_profiles

Restart the deviceShare signing service to apply all the configurations above by running this command:

    sudo /bin/launchctl unload -w /Library/LaunchDaemons/com.kobiton.deviceshare.signing.plist && sleep 5 && sudo /bin/launchctl load -w /Library/LaunchDaemons/com.kobiton.deviceshare.signing.plist

Verify that the deviceShare signing service is running normally by executing the command below:

    tail -100 /usr/local/kobiton/deviceshare/deviceshare_signing.log

A successful execution should show output like the following:

    2022-02-24 23:23:20.873521 INFO [deviceshare::logging] initialized log config from /usr/local/kobiton/deviceshare/deviceshare_signing_log_config.yaml
    2022-02-24 23:23:20.873612 INFO [deviceshare::signing::signingserver] attempting to connect to Kobiton signing portal
    2022-02-24 23:23:20.873630 INFO [deviceshare::signing::signingserver] authentication not enabled for Kobiton signing service portal
    2022-02-24 23:23:20.873653 INFO [deviceshare::signing::signingserver] attempting to connect to Kobiton signing service portal at http://10.2.122.251:6000/
    2022-02-24 23:23:20.873729 DEBUG [hyper::client::connect::http] connecting to 10.2.122.251:6000
    2022-02-24 23:23:20.874310 DEBUG [hyper::client::connect::http] connected to 10.2.122.251:6000
    2022-02-24 23:23:20.886689 INFO [deviceshare::signing::signingserver] connected to Kobiton signing portal
    .... truncated ...
    2022-02-24 23:23:20.902941 DEBUG [deviceshare::signing::keychain] signing_certificates_all: elapsed: 0 ms
    2022-02-24 23:23:20.905563 DEBUG [deviceshare::signing::signingserver] monitor_resource_changes: resources have not changed since 2022-02-24 23:23:20.902087
    2022-02-24 23:24:20.927290 DEBUG [deviceshare::signing::signingserver] sending keepalive message
    2022-02-24 23:24:20.943450 DEBUG [deviceshare::signing::signingserver] monitor_resource_changes: polling current
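
A pre-upload check for the three profile-related failures listed under "Resolve common errors" (expired profile, device UDID missing, no matching signing certificate), written as an added Python example that is not Kobiton's code. It reads the standard .mobileprovision keys ExpirationDate, ProvisionedDevices, ProvisionsAllDevices and DeveloperCertificates; the function names and sample values are constructed, and matching certificates by SHA-1 fingerprint is an assumption of this example, not necessarily how deviceConnect derives its Certificate ID.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

def load_profile(raw: bytes) -> dict:
    """Extract the XML plist embedded in a .mobileprovision (CMS-wrapped) file.
    The CMS signature is NOT verified here; this only reads the payload."""
    start, end = raw.find(b"<?xml"), raw.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def check_profile(profile: dict, udid: str, cert_sha1s: set, now=None) -> list:
    """Return the problems found, worded like the messages quoted on this page."""
    # plistlib returns naive datetimes in UTC, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    expires = profile.get("ExpirationDate")
    if expires is None or expires <= now:
        problems.append("profile expired")
    # In-house (enterprise) profiles set ProvisionsAllDevices and list no UDIDs.
    if (not profile.get("ProvisionsAllDevices")
            and udid not in profile.get("ProvisionedDevices", [])):
        problems.append("ProvisionedDevices does not contain device udid")
    embedded = {hashlib.sha1(der).hexdigest().upper()
                for der in profile.get("DeveloperCertificates", [])}
    wanted = {s.replace(" ", "").upper() for s in cert_sha1s}
    if not embedded & wanted:
        problems.append("No signing certificate available")
    return problems

# --- constructed sample: placeholder CMS bytes around a plist built inline ---
FAKE_CERT = b"constructed-not-real-DER"          # stands in for a DER certificate
FAKE_SHA1 = hashlib.sha1(FAKE_CERT).hexdigest()  # fingerprint of the stand-in
SAMPLE = b"\x30\x82\x00\x00" + plistlib.dumps({
    "Name": "Constructed Dev Profile",
    "ExpirationDate": datetime(2030, 1, 1),
    "ProvisionedDevices": ["00008030-CONSTRUCTEDUDID0001"],
    "DeveloperCertificates": [FAKE_CERT],
}) + b"\x00constructed-signature"

if __name__ == "__main__":
    prof = load_profile(SAMPLE)
    for udid in ("00008030-CONSTRUCTEDUDID0001", "00008030-CONSTRUCTEDUDID0002"):
        print(udid, check_profile(prof, udid, {FAKE_SHA1}) or "OK")
```

For a real profile, pass the file's bytes to load_profile and the SHA-1 fingerprints shown in each signing certificate's details in Keychain Access as cert_sha1s.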