I am trying to sign my AIR application using the Code Signing Certificate I got from Apple (iPhone Dev). I have Apple's Root Certificate and my certificate. I installed both and then exported my certificate as pkcs12 (.p12 file) using many methods like Windows Certificate Manager and Firefox. I also used Keychain Access on my Mac. However, when I try to sign, I get the following error:
Unable to build a valid certificate chain for the signer.
Some help would be great. Thanks.
When you export the cert from say Windows Certificate Manager, there should be an option that ask if you want to export the whole certificate chain, just check that box.
You can do the same with Firefox.
Are you trying to package an AIR app. for iPhone?
In that case, you don't need to have the whole chain, but you need to specify
If you just want to have the whole chain, you should check the certificate in the certificate manager to see if the cert chains up to the Root CA.
If it does, you should be able to export the whole chain with the option box checked.
But if the Root CA (or any intermediate CAs if there is any) is not present, then you wouldn't get the whole chain.
No, I am not building iPhone apps. I am just signing AIR desktop application. My AIR code signing certificate expired a while ago, so I want to use my iPhone Dev Certificate to sign the desktop apps.
I have the Root CA and Dev Cert installed. In Firefox, my cert is showed under Apple's Root CA, so they are linked. However, I tried exporting with the chain if possible option checked and it still did not help.
On my Mac, I also selected both certs (mine and Root CA) and exported them from Keychain Access as a single p12 file. However, I still get the same error.
You can use the command:
keytool -list -v -storetype pkcs12 -keystore air.pfx -storepass xxxx
List out your cert's info. You should be able to find out if your cert has the whole chain or not.
I am not sure why you could not export the whole chain. I never fail to do this on Windows.
Well, I have 2 files. Developer CErtificate and Root CA. For some reason I cannot get them to combine. On Keychain Access on my Mac, it shows there is no Root CA found. Though I have the .cer file of the CA.
I tried adding it. Then hitting Done. But if I reevaluate the cert, then I get No rrot CA found again.
Here's a Preview on my Mac:
On my machine, I have two Cas.
Apple Worldwide Developer Relations Certification Authority
Which is an intermediate CA, the other is Apple Root CA which is the Root CA.
Then the certificate.
So you need to have all the 3. Also, I think you need to put the intermediate CA in Systems keychain.
Well, I have all certs in my keychain. Later I also exported them and installed them on Windows and tried to use Windows Certificate Manager to export the p12 chain. However, still I get the same error when signing my app.
Here are the files I have:
When you export a cert with a private key, the program (whatever that is) will ask you for a password to be used in the file.
When you import this cert again to a different machine (say to a Windows machine), the machine will ask you for the password to import the private key.
When you export the cert from this machine, it will ask you again for a different password to be used in the exported cert file.
Whenever there is a private key in a cert, it always comes with a password.
Ok, I am making progress here.
I signed on to a fresh mac with an empty keychain. I imported AppleWWDRCA and then developer_identity. Now it shows that the certificate is valid. Now I deleted the certificate and I imported cert.p12 file that I had made. Now the certificate re-appeared in keychain along with a private key. I had to put a password set by me earlier when I made the p12 file.
The certificate is displayed under my private key. So it means that the p12 file has the private key and the certificate.
Now the only thing is that AIR gives me the error stating that it cannot build a certificate chain, which means there's no Root CA in the p12 file, or WWDRCA for that matter. From what I understand, these 2 certs need to be put inside the p12 file.
On second note, Apple also provides a distribution cert besides the developer cert. But when I try to export the distribution cert, it asks for a password that I don't know (not got one for that). But I still think that I need to use the developer cert. nd not the distribution cert. by Apple.
The question again boils down to putting the Apple Root CA inside the p12 in order for AIR SDK to build the chain.
When you see the certificate is valid, you have all the certificate chains. But I don't know how to export the whole chain
In Keychain Access.
So to do this, you need to import all the certs to Firefox or in a Windows machine. Make sure you have the whole chain.
Then export the cert with the whole chain option checked. That should do it.