The guys in charge of iTunes Connect are telling me that my distribution app is reporting the following error when they try to submit:
"Application failed codesign verification. The signature was invalid, contains disallowed entitlements, or it was not signed with an iPhone Distribution Certificate."
They swear blind that they have tested all the certs by using them to build their own test app, which apparently uploads without problem. I have looked back at Viewer Builder time and time again to make sure I put the correct certs in the correct fields, and I have downloaded the distribution app twice (just to make sure the correct P12 and MP files were used) and sent them the latest version but still no joy.
Can anyone here offer any help? I have asked for them to make new certs from scratch but they are adamant that there's nothing wrong with the ones they gave me.
I just ran into this the other week. What I found is that if any one of your certs has been created using a different name or computer it could be a problem. In this case, I had created Push Certificates with one certificate, but tried signing with a distribution certificate that was created from a different signing request. The Keychain account should be the same for all of your certificates. Also make sure that iCloud has not been enabled for the application.
One solution is to go into the Provisioning portal, revoke the Distribution Certificate, generate a new certificate signing request and upload to the portal. The user that creates the signing request should be the same certificate name that was used in all other areas. Once you have rebuilt your distribution cert, it should work on upload.
I've had the same problem. It seems that despite the fact that on developer.apple.com you download a "valid" certificate, it is in fact "invalid" but not displayed immediately like that. The day after, when I logged in again on the website it was stated as invalid. I had to recreate all the certificates (took 5 minutes) and everything went fine.
This problem has serious implications for companies working for third parties (i.e. agencies). If you build an app with Viewer Builder for a third party, this problem means that it is not possible for you to use certificates or mobile provision files created by your client from its Apple Developer Account (at least you are on client's desktop in which the private key is stored). As ivan mentioned: 'The Keychain account should be the same for all of your certificates.'
In other words, this is the situation: it is not possible for you to upload the AppStore with a distribution-viewer.zip (built from Viewer Builder) signed with a distribution certificate from your client (created on a different computer). Viewer Builder does not have any problem building the app, but you get this CodeSign error from Application Loader.
Solution: for now you have to upload to the AppStore with your own Apple Developer Account (certificates, mobile provision, etc.). In my opinion, an urgent solution is required from the Adobe DPS team to enable agencies to build apps for third parties using the client's certificates.
I am sure you can use your Clients certificates to create, sign and upload
to apple from your computer. But you need the private key that was created
during the certification process. This is a signing and security
restriction by Apple, not Adobe. So there is only one computer (in fact:
user account) that can upload to iTunes. The p12 file is only one half of
You could create new certificates on your computer, but then your computer
is the only one that can upload to iTunes. In the provisioning portal at
Apple there are help files on how to transfer certificates to other
Hi, Johannes. Thanks for your reply. If I understand correctly, what you are indeed saying is that it is not possible to upload an app built with Viewer Builder to iTunes for a third party. Since third party can not use your Viewer Builder either to sign the app, I would like to know the best solution to move it forward.
Maybe this is an issue for Apple too, but with Viewer Builder you have to upload your mobile provision (MP) and p12 distribution/development certificates. Even though you have third party's MP and p12 files, you can not upload to iTunes with other certificates than yours. Again, this is a huge problem for agencies.
I know this is confusing and complex. The signing process is very tricky, especially for Apple iTunes.
The p12 file is not exactly a certificate, it is only the public key of something that is a certificate. Remember when you created the certificate request in the keychain tool? This is where the private key was created and that one is kept on the machine and never sent to Apple or Adobe (that's because it's a private key). This private key is stored deep in your user profile on the machine.
If you put the public (p12) and the private key (also p12) together, they form the certificate.
So the agency you work for may have sent you the p12 file they may have used before. But this is only the public key, the private key resides on the machine where the certificate was requested from.
So basically you have two options here:
1) Get the private key from the agency and install it on your machine. There is a help document in the provisioning portal at Apple on how to transfer a certificate (both public and private key).
2) Delete the certificate in the Apple provisioning portal and create a new one from your machine. Then YOU own the private key in your keychain tool, and your machine (user account!) is the only one allowed to upload to iTunes. Of course the agency would not be able to upload anymore, because they don't have the current private key.
Both solutions need to be declared with the agency.
Is that what you need?
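An added check, not part of any post in this thread: before building, confirm that a `.p12` you were handed actually carries a private key and that the key belongs to the distribution certificate you intend to sign with. The keys, certificates, file names and the password `demo` below are constructed stand-ins, not Apple-issued material.

```shell
#!/usr/bin/env bash
# Added example. All keys and certificates here are constructed, self-signed
# stand-ins; the names, file paths and the password "demo" are assumptions.

# SHA-256 of the public key inside a PEM certificate.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the .p12 ($1, password $2) carries a private key.
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# Succeeds only if the private key in the .p12 ($1, password $2) is the one
# the certificate ($3, PEM) was issued for.
p12_key_matches_cert() {
  local key_hash
  key_hash=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
    openssl pkey -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1)
  [ "$key_hash" = "$(cert_pubkey_hash "$3")" ]
}

# Constructed material: an "old" and a "new" certificate, each from its own key.
DEMO=$(mktemp -d)
for n in old new; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed $n cert" \
    -keyout "$DEMO/$n.key" -out "$DEMO/$n.pem" 2>/dev/null
done
# A complete identity (old certificate + its key) and a certificate-only export.
openssl pkcs12 -export -inkey "$DEMO/old.key" -in "$DEMO/old.pem" \
  -out "$DEMO/full.p12" -passout pass:demo
openssl pkcs12 -export -nokeys -in "$DEMO/new.pem" \
  -out "$DEMO/certonly.p12" -passout pass:demo

report() { if "$@"; then echo "yes"; else echo "no"; fi; }
echo "full.p12 has private key:     $(report p12_has_private_key "$DEMO/full.p12" demo)"
echo "certonly.p12 has private key: $(report p12_has_private_key "$DEMO/certonly.p12" demo)"
echo "full.p12 key matches old.pem: $(report p12_key_matches_cert "$DEMO/full.p12" demo "$DEMO/old.pem")"
echo "full.p12 key matches new.pem: $(report p12_key_matches_cert "$DEMO/full.p12" demo "$DEMO/new.pem")"
```

The last line is the case where a certificate was reissued from a different signing request: the old key no longer matches. With OpenSSL 3, an older `.p12` exported from Keychain may need the `-legacy` option to be readable.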
You have been very helpful. Now I have a better understanding of this issue. This is my case: I was trying to use my client's Apple developer account to create MP and p12 files, and then to upload to iTunes. When I did it for the first time a year ago, I stored its distribution certificate with my private key and was able to sign apps and upload to iTunes. Months later, they changed the distribution certificate. When now I was trying to generate new MPs for a new app (with the new client's certificate) and then sign it with the old distribution certificate, I get the error 'Application failed code sign verification...'
So, I agree that I have the two options you mentioned. First one seems more practical.
Please confirm my interpretation is correct in my case.
Many thanks for your explanations and support.
As an alternative, what you can do is get all those p12's MB's and create the app for the client and do all the work on iTunes for them. Then send them the zip file which they can submit on their own.
Looks like they used method 2) on you: They created a new certificate making
Yes, as Bob mentioned, you could get all the p12 from the client (including
private ones!) and create the app, but you could also send it to iTunes
yourself because when you own the private keys, you have an intact
This is really complicated and also dangerous, as you could destroy
important information in the developer account. So proceed with caution. I
would recommend you keep the certificate and get the private key from the
client, this way you have two computers that can upload.
If that does not help, recreate the certificate and tell the client.