iOS Certificate Error in AppStudio Cloud Make

01-11-2019 08:02 AM
ChristopherEby1
New Contributor II

We are trying to do an iOS cloud make for our AppStudio app (version 3.1.134) and after queuing the build we get this error:

Cannot read iOS identity from iOS certificate.

Check the iOS certificate has not expired and that you have supplied the valid password.

We are using iOS Development certificates tied to the Apple IDs in our Organizational Apple Developer Program Team and the development provisioning profile is linked to those certificates. I created a sample native app in Xcode with the same Bundle Id as my AppStudio app and the same certificate and provisioning profile worked to build and sideload to an iPad. So I think the certificate and provisioning profile are valid. I have verified that I am entering the correct password for my .p12 file so I know it's not that and this same error is occurring for multiple developers. We are able to do successful iOS cloud makes using a distribution certificate and ad hoc distribution provisioning profile. Is there something about development certificates and development provisioning profiles that is incompatible with AppStudio cloud makes? I don't see anything that we are doing wrong in the AppStudio documentation for signing iOS apps (Sign your app—AppStudio for ArcGIS | ArcGIS).

0 Kudos
1 Solution

Accepted Solutions
ShobanaSuresh
Esri Contributor
Hi Frédéric,
 
I checked the build logs for your app Citec TwentyFive. The cause for the build failure appears to be different to the original issue reported in this thread. 
 
In the case of your app, the openssl commands succeed and I see a "MAC verified OK" in the logs. Build fails later when importing the p12 file on the build server. There is not much information in the build log providing any clue as to why the build fails.
 
The best step forward would be to create a support incident with Esri Support to troubleshoot the issue further using your certificate files. 
 
I understand that this is time critical since you are trying to upload the app to App Store soon. You can reach out to appstudiofeedback@esri.com to investigate this issue further.
 

Thanks
 
Shobana


0 Kudos
17 Replies
ShobanaSuresh
Esri Contributor

Hi Christopher,

>Is there something about development certificates and development provisioning profiles that is incompatible with AppStudio cloud makes?

Development certificates and provisioning profiles are supported in AppStudio Cloud Make. I just submitted a build request with my iOS developer certificate and the build succeeded.

I checked the build logs for your app ( Connects Mobile ) on the AppStudio Cloud Make build server. Build fails when attempting to parse the supplied p12 file.

+ openssl pkcs12 -in 109019/buildrequest-ios.p12 -out temp.pem -nodes -password pass:{secret}

Mac verify error: invalid password?

+ cat temp.pem

+ openssl x509 -noout -enddate

unable to load certificate

Could you please run the below command on a Mac machine and let me know if it succeeds with a "MAC verified OK" message?

openssl pkcs12 -in path_to_file.p12 -out temp.pem -nodes -passin pass:enter_password_here

Reference:

/docs/man1.0.2/apps/pkcs12.html 

command - Converting PKCS#12 certificate into PEM using OpenSSL - Stack Overflow 

Thanks

Shobana

ChristopherEby1
New Contributor II

Shobana, 

Great job sleuthing out which build was mine.  Those build logs would be handy to see, is there any way I could see them?

I ran the command on my certificate on a Mac and I did get a MAC verified OK message. It also exported the PEM file successfully on a Linux machine. When I purposefully type my certificate password in wrong I get this message:

Cannot read iOS identify from iOS certificate.

Check that the iOS certificate has not expried and that you have supplied the valid password.

Mac verify error: invalid password?

security: SecKeychainItemImport: MAC verification failed during PKCS12 import (wrong password?)

So I know that the password is accepted at some point because the error message is different when I give it the right password.

Chris

0 Kudos
ShobanaSuresh
Esri Contributor

Hi Chris,

I've shared the build log in the below link.

Box Notes 

There's not much information in the log as the first step which is parsing the p12 file fails.

Are you using any special characters in the p12 file password? I'm wondering if there's a bug in the Cloud Make system when special characters like @ ! are used in password.

Can you try exporting the p12 file with a different password and try again?

Thanks

Shobana

0 Kudos
ChristopherEby2
New Contributor III

The password for the p12 files that fail contain only letters and numbers. The password for our distribution certificate (which works) contains special characters. The two failing development certificate p12s were generated and exported from the same Mac while the distribution certificate p12 was exported from a different Mac. Do you think that there could be different versions of openssl with some kind of compatibility bug between them?

0 Kudos
ShobanaSuresh
Esri Contributor

Hi Chris,

Good point. Turns out the Cloud Make build server uses a custom version of the openssl binary from /opt/local/bin/openssl folder instead of the default /usr/bin/openssl.

Can you run the command "openssl version" on the Mac where the openssl command succeeds with MAC verified OK message and let me know the version number? We'll make sure to upgrade the openssl version installed on the Mac cloud make build server.

Would you please report this as a bug through the ESRI support channel? This will help with tracking the progress of the bug fix.

Thanks

Shobana

0 Kudos
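
An added example (not part of the original thread and not Esri's build script): a local pre-flight check that repeats the two steps visible in the build log above, the PKCS#12 MAC check and the certificate end-date read, and records which openssl binary and version performed them. The function name `p12_preflight` and the `P12_PASS` environment variable are assumptions; the password is passed with `-passin env:` and only the certificate is extracted, so neither the password nor the private key ends up on the command line or in a temp.pem file.

```shell
#!/bin/sh
# Pre-flight check for a .p12 signing identity before uploading it to a build service.
# Assumption: the password is exported in P12_PASS (hypothetical variable name).

# p12_preflight FILE
# Returns 0 = usable, 1 = file not readable, 2 = MAC/password check failed,
#         3 = no certificate could be parsed, 4 = certificate has expired.
p12_preflight() {
    p12=$1
    [ -r "$p12" ] || { echo "cannot read $p12" >&2; return 1; }

    # Record the binary and version doing the check; the exporting Mac and
    # the build server may not use the same one.
    echo "tool: $(command -v openssl) ($(openssl version))"

    # Integrity (MAC) check only: -noout writes no key or certificate anywhere.
    if ! openssl pkcs12 -in "$p12" -noout -passin env:P12_PASS 2>/dev/null; then
        echo "MAC verification failed: wrong password or unsupported PKCS#12 encoding" >&2
        return 2
    fi

    # Extract only the leaf certificate (-nokeys -clcerts) into a shell
    # variable, so the private key is never written out unencrypted.
    cert=$(openssl pkcs12 -in "$p12" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null) || return 3
    end=$(printf '%s\n' "$cert" | openssl x509 -noout -enddate 2>/dev/null) || return 3
    echo "$end"

    # -checkend 0 exits non-zero when the certificate has already expired.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}
```

Run it as `export P12_PASS=...; p12_preflight path_to_file.p12` on the machine that exported the file, and compare the reported version with the one on the build server when the result differs.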
ChristopherEby1
New Contributor II

I think this is the issue. The version on the Mac I exported the Development certificates from is LibreSSL 2.2.7. The version on the Mac we used to export our Production certificate (which works) is LibreSSL 2.6.5. I exported a new Production certificate and distribution profile from the older Mac and got the same error. I will report this as a bug.

0 Kudos
ChristopherEby1
New Contributor II

One additional detail. I tried manually updating openssl on our older Mac and re-exporting the certificates. That did not work.

0 Kudos
ShobanaSuresh
Esri Contributor

Hi Chris,

Thanks for providing the additional details. I'll contact you once we have applied a fix on the Cloud Make servers.

Are the builds with the developer certificate working when you export it from the newer Mac? If yes, would you be able to use this as a workaround until a fix is applied on AppStudio Cloud Make build servers?

Thanks

Shobana

0 Kudos
ShobanaSuresh
Esri Contributor

Hi Chris,

We've updated the openssl binaries on AppStudio 3.3 beta Cloud Make build servers. Would you please test using AppStudio 3.3 beta and let me know if the build succeeds?

https://community.esri.com/groups/appstudio/blog/2019/02/27/appstudio-for-arcgis-33-beta-now-availab... 

Thanks

Shobana

0 Kudos