codesign gives always no identity found error via terminal

Question

I've looked through already existing questions, but none has solved my problems (like recreating certificates). I've built an app where inside the app I have few executables and folders and frameworks. Whenever I try to do codesign -s "our identity" my.app always gives no identity found. Can someone give a step by step process of this.

codesign -s "Developer ID Application: Sai***** (123123123J)" out/Release/Sai.app

Error

Developer ID Application: Sai****** (123123123J): no identity found,

I tried removing "Developer ID Application" and the serial number, but everything gives the same error

Looking for help in these lines

Thank You

Are you manually codesigning the app? If so, please show the entire `codesign` command line along with any arguments and exact error messages. — gaige, Apr 16 '13 at 12:54

gaige · Answer 1 · 2013-04-20T10:44:12.273

I had some trouble with this as well. Double-check that your code-signing identity is in your keychain, and you might consider using the SHA-1 fingerprint instead of the name after the -s.

You can find the SHA-1 fingerprint by opening up Keychain Access and selecting your Developer ID Application: FOO certificate, and then choosing Get Info. From here, scroll to the bottom of the information until you reach Fingerprints. The SHA-1 fingerprint here can be copied and you will have to remove all of the spaces, but after that you will have a 40-character identifier which will be appropriate for placing after the -s in your codesign statement.

If you are still having problems locating the key, try the following from Terminal:

certtool y | grep Developer\ ID

and look for anything with Developer ID Application in the Common Name to verify that the certificate is actually in a keychain that is accessible from Terminal. If you don't see anything in response, that would indicate that the keychain containing your credentials is unavailable to your Terminal session. Reasons for this would include things like the keychain being locked, the shell running as another user, executing the command with different permissions (such as sudo).

After executing the command above, you should have at a minimum the following:

Developer ID Application: <your company name>
Developer ID Installer: <your company name>
Developer ID Certification Authority

If you don't have all three, you should go and download the missing elements. Although you may not currently need to build an Installer, there's no harm in having it around. The Application and Installer elements can be downloaded from the Mac Certificates section of the Certificates, Identifiers, & Profiles tab on Apple's Developer site. You should have listings there that are not expired. You may have listings there as well that have expired. To install the certificates in your keychain:

Access the Apple Developer Site
Access the Mac Dev Center
Access Certificates, Identifiers, & Profiles link
Download the Certificates from the portal
Double-click on the Certificates and Keychain Access should open
Allow Keychain Access to add the Certificates to your Keychain

The Developer ID Certification Authority should have been installed by Xcode, but if it wasn't, you can install it yourself. You will need to download that separately from Developer ID Authority or by clicking on the + link in Certificates tab and use the link at the bottom to download the Certificate.

This would also be a good time to make sure that you have the Apple Worldwide Developer Relations Certification Authority, which is the basis for some of the signing tools. It should be installed in your System keychain, by the Xcode installer and can be downloaded directly from the + link in the Certificates tab above or from Apple WWDR CA.

According to Apple's App Distribution Guide, there are specific keychains that are appropriate for each of the Certificates and keys:

Your private Keys and your signing certificates (Developer ID Installer,Developer ID Application, and the App Store Certificates) should be in your login keychain
The Apple Worldwide Developer Relations Certification Authority and Developer ID Certification Authority belong in the System keychain
Your developer certificates also belong in your login keychain

Keychain Maintenance

Because Xcode automatically manipulates the keychains, and because some certificates are re-issued regularly when profiles change (although not for Developer ID, since it has multi-year certificates and doesn't require profiles), you can end up with a propagation of unnecessary and potentially confusing certificates in your keychain. It is a good idea to clean these out when they have expired, as they can create some confusion for Xcode.

WARNINGS

Before performing any maintenance on your Keychains, make sure you have a backup of your keychains
This process is intended for removing unnecessary Certificates relating to development, If the certificates don't start with Mac Developer, 3rd Party Mac Developer, iPhone Developer or Developer ID, do not mess with them at this time. If you accidentally delete the Certificate you received with an email (for example), even if it has expired, you may not be able to read the email that you received.

Things to do:

Quit Xcode
Run Keychain First Aid (from Keychain Access) and verify that your keychains are OK
Click on the Certificates Category on the left sidebar
Locate any expired developer certificates of the kinds mentioned above. They will show up with a small X in the lower right corner.
Select the Certificates you will be removing and back them up by using File > Export Items...
Put this file in a safe place and give it a good password
Delete the Certificates which you have backed up
Look through your remaining certificates and verify that you have the certificates mentioned in the preceding section. If you don't, you'll need to download, and possibly renew them.
Verify that the certificates are in the keychains that are indicated above (all your signing certs should be in your login keychain, for example)

hi, Thanks for the help. I tried the above solution, it gave the same error with sha1 string error before no identity found — J Bourne, Apr 16 '13 at 13:23
Are you sure you removed just the spaces? The SHA-1 for the Certificate should be definitive. If you've double-checked this and it still didn't work, you may need to try running Keychain First Aid from inside of Keychain Access. — gaige, Apr 16 '13 at 19:32
Hi gaige, I tried even keychain repair, it said no problems found — J Bourne, Apr 17 '13 at 05:39
Do you get any warnings when the software is initially built for Archive by Xcode? — gaige, Apr 17 '13 at 22:04
Oh, I'm not able to open the project in Xcode because the project size of 25GB. Its a dual core cpu with 10GB RAM. — J Bourne, Apr 18 '13 at 02:33
@SaiKrishna I've added a couple more diagnostics steps to verify that the keychains available in your `Terminal` shell include the certificate you're signing with from the shell, can you check those out? — gaige, Apr 18 '13 at 11:25
Thank you @gaige, I tried them, but they didnt work too. Can you help me of what steps you follow to do a codesign, right from downloading certificates? — J Bourne, Apr 20 '13 at 06:11
I set up a [chat room](http://chat.stackoverflow.com/rooms/info/28550/developer-id-signing) about codesign so that we don't have to do so much back-and-forth in comments. If you could join, that'd probably be quicker, then we can narrow things down and I can adapt an answer. — gaige, Apr 20 '13 at 10:09
I've added some extensive keychain maintenance and verification information. Since you are still getting the error indicating it can't find your certificate, we need to focus on that for now. Your basic `codesign` command looked fine and that command is relatively straightforward. — gaige, Apr 20 '13 at 10:45
Thank You very much gaige. Ill follow the steps and see how it builds — J Bourne, Apr 20 '13 at 11:00
@RyanTuck no. Apple issues all the acceptable Developer IDs from their program. However, you don't have to be signed up to sell on the AppStore to use Developer ID. — gaige, Dec 15 '14 at 18:19
@gaige got it - i asked and answered my own question yesterday once i figured it out - http://stackoverflow.com/questions/27474751/how-can-i-codesign-an-app-without-being-in-the-mac-developer-program/27474942#27474942 — ryantuck, Dec 15 '14 at 18:27
Very helpful. As it turns out, in my case the problem was an *extra* developer private key in my login keychain. I (exported and then) removed that key and magically codesign (as spawned by a Crashlytics/Fabric upload) started working again. — RobP, Mar 31 '18 at 16:38

score 28 · Accepted Answer · answered Sep 03 '15 at 15:34

while I did not do this for apple development code signing, I still think I have some valuable inside that could help you debug such a problem. The difference is that I created my own certificate while you got one from apple.

Check the trust of the cert, it must be trusted for code signing (on yosemite that is the third last in the trust section of the cert view in the keychain access). Be aware that for your code signing the cert should be in the login keychain, I needed it in the System keychain.

At first the cert was not known for codesigning to the keychain, because there was the Extension purpose "Code Signing" missing, you can find this if you look into the keychain and double click on the certificate:

I fixed that (you can not fix it as Apple provides the cert to you. The extension should just be there):

Then I added the certificate to the trusted signing certificates, after I had drag&dropped the certificate from the keychain to my desktop, which created the ~/Desktop/gdb-cert.cer (be aware you can omit -d and -r trustRoot:

$ sudo security add-trusted-cert -d -r trustRoot -p codeSign -k /Library/Keychains/System.keychain ~/Desktop/gdb-cert.cer

This was a bit tricky because I was mislead by some internet posts and did not look at the man page. Some said you should use add-trust (https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt). The terrible bit was that the command succeeded, but did not do what it should.

After that I found the new cert in the trusted certs like so:

$ security find-identity -p codesigning

Policy: Code Signing
  Matching identities
      1) E7419032D4..... "Mac Developer: FirstName LastName (K2Q869SWUE)"    (CSSMERR_TP_CERT_EXPIRED)
      2) ACD43B6... "gdb-cert"
  2 identities found

  Valid identities only
      1) ACD43... "gdb-cert"
  1 valid identities found

In my case the apple cert is expired, but the one I was using to sign gdb was not (well, I just created it myself). Also be aware that the policy is named differently for the "security add-trusted-cert"(-p codeSign) and the "security find-identity" command (-p codesigning). I then went on to sign gdb and I also always got:

$ codesign --sign gdb-cert.cer --keychain ~/Library/Keychains/login.keychain `which gdb`
  gdb-cert.cer: no identity found

because I was under the impression that I had to give the file name of the cert file to the --sign option, but that in fact was the CN of the certificate that I should have provided and should be in the trust store. You can find the CN here when double clicking on the cert in the keychain:

or in the above output of "security find-identity -p codesigning". Then I went on to sign and I had to give it the right keychain. In your case this would have to be the ~/Library/Keychains/login.keychain, in my case the System.keychain:

 codesign -s gdb-cert --keychain /Library/Keychains/System.keychain `which gdb`

That then gave me a working gdb and it should give you a signed application.

This helped me with codesigning my gdb installation. Thanks! — adino, Nov 27 '16 at 09:54
i get 'SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.' — tofutim, Apr 17 '18 at 05:03
If you need a self-signed certificate just for testing purposes (as in my case) you can use the Keychain Access tool with the instructions reported here: https://stackoverflow.com/questions/27474751/how-can-i-codesign-an-app-without-being-in-the-mac-developer-program — Bemipefe, Nov 30 '18 at 16:33
I know 2 years passed, but whoever find this, and see "param not valid" thing, try change trustRoot to trustAsRoot — Valentyn Vynogradskiy, Nov 27 '20 at 12:48

score 11 · Answer 3 · answered May 21 '13 at 13:56

11

The Answer finally was very simple. My Private Key was missing. For this I revoked the certificate and followed its steps in developer program (Especially creating CSR certificate during the process, which I did not get several times, unless I revoked the certificate).

answered May 21 '13 at 13:56

J Bourne

1,337
2
13
33

2

Not sure why you revoked my answer. The absolute first thing that I stated in my answer was "check that your code-signing identity is in your keychain" and I made specific references later to verifying which keychain your private key was in and how to revoke and reinstall it. But, no matter. Cheers. – gaige Jun 06 '13 at 09:09
Okay Sorry about that..! Just want users to know exact answer. Not for points sake or meaning that you were answer was wrong..! – J Bourne Jun 07 '13 at 09:18
How do I determine if my private key is missing? How is it specified? – Joel Jun 02 '16 at 01:54
1

This is a good answer. I purchased a new Mac Mini build machine to replace an old one. The old one had the signing certs. Just importing the signing certs downloaded from Apple didn't work, I also needed the original private key from which the certificate request was formed. So I followed https://stackoverflow.com/a/34063997/28190 to export a new keychain and used that. – Dan Gravell Oct 31 '19 at 15:48
This was my problem too. I had a bit of a fiasco with the keychain between doing the CSR and getting the cert, and my key was lost along the way. I happened to have a backup of the broken keychain, and found the private key in there. – rfay Dec 30 '19 at 23:40

score 3 · Answer 4 · edited Apr 29 '13 at 15:32

As even

certtool y | grep "Developer ID Application: xxxx"

could not display any results, I guessed it was an issue of accessing the desired keychain. So first I verified, the private key could be accessed by any applications in the keychain itself and then I started to use the k=/Users/myUser/Library/Keychains/login.keychain option in the certtool command and as this succeeded I did the same with

codesign --keychain /Users/myUser/Library/Keychains/login.keychain --force --verbose -s "Developer ID Application: xxxx"

score 0 · Answer 5 · edited Dec 14 '19 at 21:28

As even

certtool y | grep "Developer ID Application: xxxx"

could not display any results, I guessed it was an issue of accessing the desired keychain. So first I verified, the private key could be accessed by any applications in the keychain itself and then I started to use the k=/Users/myUser/Library/Keychains/login.keychain option in the certtool command and as this succeeded I did the same with

codesign --keychain /Users/myUser/Library/Keychains/login.keychain --force --verbose -s "Developer ID Application: xxxx

codesign gives always no identity found error via terminal

5 Answers5

Keychain Maintenance