
Critical: Back up your developer key!

Duncan C Posts: 9,112 Tutorial Authors, Registered Users
edited July 2012 in iPhone SDK Tutorials
When you register with Apple and pay your fee, you have to go through several steps in order to be able to build apps and install them on iOS devices. The first step is creating a private key and a certificate signing request. All your developer certificates will require that you have this private key.

To quote Apple's docs from the provisioning portal on their website:
It is critical that you save your private key somewhere safe in the event that you need to develop on multiple computers or decide to reinstall your system OS. Without your private key, you will be unable to sign binaries in Xcode and test your application on any Apple device.

If your hard drive crashes and you don't have a backup of your private key, you will have to revoke your developer certificate and create a new one, and regenerate all your provisioning profiles. Needless to say, this is bad.

Below are the instructions on backing up the private key that's used to create your developer certificate, extracted from the how-to section of Apple's provisioning portal:

It is critical that you save your private key somewhere safe in the event that you need to develop on multiple computers or decide to reinstall your system OS. Without your private key, you will be unable to sign binaries in Xcode and test your application on any Apple device. When a CSR is generated, the Keychain Access application creates a private key on your login keychain. This private key is tied to your user account and cannot be reproduced if lost due to an OS reinstall. If you plan to do development and testing on multiple systems, you will need to import your private key onto all of the systems you’ll be doing work on.

  1. To export your private key and certificate for safe-keeping and for enabling development on multiple systems, open up the Keychain Access Application and select the ‘Keys’ category.
  2. Control-Click on the private key associated with your iOS Development Certificate and click ‘Export Items’ in the menu. The private key is identified by the iOS Developer: <First Name> <Last Name> public certificate that is paired with it.
  3. Save your key in the Personal Information Exchange (.p12) file format.
  4. You will be prompted to create a password which is used when you attempt to import this key on another computer.
  5. You can now transfer this .p12 file between systems. Double-click on the .p12 to install it on a system. You will be prompted for the password you entered in Step 4.
Regards,
Duncan C
WareTo

I'm available for one-on-one help at CodeMentor
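
A way to confirm that the .p12 exported in the steps above is a usable backup before relying on it, as an added example that is not part of the original post or Apple's instructions: it checks that the file opens with its password and that the private key inside matches the certificate inside. The function names and the throwaway self-signed identity are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: check that a .p12 backup opens with its password and that the
# private key inside matches the certificate inside.
# Return codes: 0 ok, 1 cannot read a certificate (wrong password or damaged
# file), 2 no readable private key, 3 key and certificate do not match.
verify_p12() {
  local p12="$1" pass="$2" cert_pub key_pub
  # Public key from the certificate in the bundle. The password is passed via
  # the environment rather than as a command-line argument.
  cert_pub=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
               -nokeys -clcerts 2>/dev/null |
             openssl x509 -noout -pubkey 2>/dev/null) || return 1
  # Public key derived from the private key in the bundle.
  key_pub=$(P12_PASS="$pass" openssl pkcs12 -in "$p12" -passin env:P12_PASS \
              -nocerts -nodes 2>/dev/null |
            openssl pkey -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ] || return 3
}

# Constructed sample: a throwaway self-signed identity, not an Apple certificate.
make_sample_p12() {
  local dir="$1" pass="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Constructed Sample Identity" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
  P12_PASS="$pass" openssl pkcs12 -export -inkey "$dir/key.pem" \
    -in "$dir/cert.pem" -passout env:P12_PASS -out "$dir/backup.p12"
}

# Stand-alone demo on the sample bundle. For a real backup, call
# verify_p12 with the path and password chosen in steps 3 and 4.
demo_dir=$(mktemp -d)
if make_sample_p12 "$demo_dir" "sample-pass" &&
   verify_p12 "$demo_dir/backup.p12" "sample-pass"; then
  echo "backup.p12 opens and its key matches its certificate"
fi
rm -rf "$demo_dir"
```

If OpenSSL 3.x refuses a bundle that was encrypted with older algorithms, its `pkcs12 -legacy` option loads them.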

Replies

  • cribasoft Posts: 159 Registered Users
    edited September 2011
    Why is it such a big deal to re-create your provisioning profiles?

    I've done it a couple of times. Doesn't really affect App Store distribution.

    Maybe you're pushing out a lot of Ad Hoc Dist builds? I bet not many people are doing that.
  • Duncan C Posts: 9,112 Tutorial Authors, Registered Users
    edited September 2011
    cribasoft wrote: »
    Why is it such a big deal to re-create your provisioning profiles?

    I've done it a couple of times. Doesn't really affect App Store distribution.

    Maybe you're pushing out a lot of Ad Hoc Dist builds? I bet not many people are doing that.

    I'm not talking about provisioning profiles. I'm talking about the private key that is used to create your developer certificate. If you lose that, you have to revoke your developer certificate and re-create it, AND all of your provisioning profiles (release, development, and ad hoc, across all your products)
    Regards,
    Duncan C
    WareTo

  • cribasoft Posts: 159 Registered Users
    edited September 2011
    Duncan C wrote: »
    I'm not talking about provisioning profiles. I'm talking about the private key that is used to create your developer certificate. If you lose that, you have to revoke your developer certificate and re-create it, AND all of your provisioning profiles (release, development, and ad hoc, across all your products)

    Yeah I know.

    So you are creating different profiles for each product? I only have the distribution profile, the team profile that Xcode automatically creates/maintains, and one ad hoc one (because I do such limited ad hoc). Maybe I'm doing this wrong? :)

    Once you re-create your profiles everything is back to normal. It *is* a bit of a hassle, though.
  • _Mac Posts: 148 Registered Users
    edited May 2012
    Duncan, doesn't Time Machine back this up?

    If not, I'm taking your advice and backing up my private key first thing tomorrow to a USB stick and saving it in our physical safe.
    -- Happy Coding :)
  • samurle Posts: 254 Registered Users
    edited May 2012
    Question:

    In KeyChain Access, the private key contains my developer certificate, which is set to expire
    in exactly one year.

    What must I do when this certificate expires? Will I need to go through this process again,
    and export another private key?
  • skiril Posts: 19 Registered Users
    edited May 2012
    samurle wrote: »
    Question:

    In KeyChain Access, the private key contains my developer certificate, which is set to expire
    in exactly one year.

    What must I do when this certificate expires? Will I need to go through this process again,
    and export another private key?

    Nope. Prior to the expiration date (I did it 2 weeks in advance), log in to your developer portal on Apple and pay for another year. Once your payment has cleared (a few minutes to a few hours), your profile extends for another year from the expiration date. Then, when you launch Xcode, just sync your new profile from Organizer.

    About the main topic: I might be wrong here, but I don't think your local keychain is a big deal. Your profile is maintained on Apple's side. The local keys are just an SSL self-signed request to ensure identity, not validity.
    I revoked and recreated my profiles a few times, with the signing process started over, and it didn't get my existing apps revoked or anything.
    As long as you pay on time, before your dev account on Apple expires, you are good. Even if you screw things up, you can call them and they will work with you to help you out. It might take you a lot of waiting and hassle, but it's not the end of the world.
  • samurle Posts: 254 Registered Users
    edited May 2012
    skiril wrote: »
    Nope. Prior to the expiration date (I did it 2 weeks in advance), log in to your developer portal on Apple and pay for another year. Once your payment has cleared (a few minutes to a few hours), your profile extends for another year from the expiration date. Then, when you launch Xcode, just sync your new profile from Organizer.

    About the main topic: I might be wrong here, but I don't think your local keychain is a big deal. Your profile is maintained on Apple's side. The local keys are just an SSL self-signed request to ensure identity, not validity.
    I revoked and recreated my profiles a few times, with the signing process started over, and it didn't get my existing apps revoked or anything.
    As long as you pay on time, before your dev account on Apple expires, you are good. Even if you screw things up, you can call them and they will work with you to help you out. It might take you a lot of waiting and hassle, but it's not the end of the world.

    Thanks for the reply.

    Just to get this straight in my head, does my private key need to be backed up every year,
    since my certificate expires annually, or does it only need to be backed up once?
  • skiril Posts: 19 Registered Users
    edited June 2012
    samurle wrote: »
    Thanks for the reply.

    Just to get this straight in my head, does my private key need to be backed up every year,
    since my certificate expires annually, or does it only need to be backed up once?

    Again: you are confusing the private key with the certificate. The private key is the key you sign your SSL certificate with. A local digital signature to ensure you are the one who requested it.
    The certificate is a processed SSL identity tied to your Apple Dev ID. Once your certificate has expired (annually) or been revoked by you, it's pretty much useless and can't be used at all. You will need to recreate a valid certificate anyway, so don't bother.
    Back to the private key: yes, it is unique, is generated on your Mac, and must be the same when you get your certificate from Apple, because the certificate is validated against this key, and if it doesn't match, it won't install.
    Here's a good example: you request a cert from your Mac today and don't wait the few minutes to install it. You decide you will do it tomorrow. By morning your Mac has fried and been reloaded, or you get a new one, or whatever. You download your key and it tells you that it can't find a valid cert request. Oops!
    That's the only situation where you'd regret not having a backup of the private key. Should you worry? No. Just invalidate your certificate and request a new one. Pretty simple.
    Now back to the question: should you back up your certificate? There are 2 kinds of certificates: developer and distribution. Developer is kind of a test cert you sign your own apps with for your own use, like testing on your own devices or ad hoc. You can make as many as you want, wildcard or specific to an app. You shouldn't worry about it.
    Distribution is the important one. This is the one you use to code sign your final bundle to submit it to the App Store. Keep in mind that this one ensures your validity as a developer. So, once you've signed it and Apple has approved it, you don't care about it anymore. If it's revoked or expired or lost, you just get another one for your NEW APPS. Again: you don't care about the old app, it's already on the store. As long as your Dev ID is still being paid for, your app is good.
    When you submit any future updates to the old app, you simply sign in with the new distribution certificate. That's all.
    P.S.: Sorry for the long post, hope that answers your questions.
  • iSDK Posts: 1,353 Tutorial Authors, Registered Users
    edited June 2012
    Amen to that. Regenerating &/or revoking your certificates is not "bad", it's just a bit of a hassle. It doesn't take much to click a few buttons and drag the certificates into Keychain Utility; of which I believe you don't even have to do anymore - Xcode takes care of it for you.
  • skiril Posts: 19 Registered Users
    edited July 2012
    Xcode is actually a little picky. It doesn't like duplicate identities, so if you clicked on your cert twice, it was imported into the keychain 2 times and Xcode will tell you about it during compile. Then you have to remove all duplicates from the keychain.
    Also, sometimes Xcode keeps the old ID of a profile inside the project file and fails to compile with an error like "profile <long string of numbers here> can't be found..."
    Then you have to open the .xcodeproject file (it's actually a folder) and search for and delete all the records manually. Anyway, Google is a good help with any errors.