Hi folks,
I'm wondering if any of you might be able to point me in the right direction on this. I'm likewise having issues trying to submit an ipa file to iTunes Connect via Application Loader, and got as far as zipping the .app file and submitting. I get an error in Application Loader that: "Unable to run the lipo command: ... Can't map input file ..." and "Application failed codesign verification. The signature was invalid, contains disallowed entitlements, or was not signed with an iPhone Distribution Certificate.", and "Unable to extract codesigning entitlements from your application. Please make sure ... is a valid Mach executable that's properly codesigned".
Now, before posting here, I have done the following to no avail:
a) I've regenerated all certs and mobile provisions from the top, completely on the Mac once, and completely on Windows as well using openSSL. Both times, I started at the top, from the csr request.
b) I'm able to install and run my ipa file just fine on the test iPhones using the distribution.p12 file and the associated ad_hoc distribution mobile provision. It's always only when I compile for 'app store release', using the distribution.p12 file and the app_store mobile provision that this happens.
c) I'm using Adobe Flash Pro CS6 on Windows 7 64, with Adobe Air 3.3 SDK, and I am submitting on a real Macbook Air with OS X Mountain Lion.
d) I've also gone as far as trying both sets of cert/provisions (generated on mac and windows), by publishing the ipa from within Flash Pro CS6, and also using the adt command line, but still same.. works fine as ad_hoc on the test iPhones, but will not submit through Application Loader. Same codesign verification errors.
e) My app uses native extensions, but these compile and run perfectly fine on the ad_hoc builds.
I'm pulling out my hair at this point as to what I could possibly be missing or doing wrong, or if there is a bona fide bug with the combination of technologies I'm using? I would appreciate any tips/hints/suggestions from anyone who knows what I am describing here.
If there is anyone at Adobe that can look at my ipa file build for the app_store submission, that would be wonderful as well.
with kind regards,
Alex
SOLUTION
-------------
I'm posting this so others with the same problem may benefit. This makes no sense at all, but when I changed the ipa file extension to .zip on my Windows machine first (not on the Mac), transferred the .zip file to my Mac, then unzipped it on my Mac, and re-zipped the .app file on the Mac, Application Loader accepted the submission.
I was previously sending the .ipa itself to my Mac, and renaming the file to a .zip file on the Mac as the first step. This is literally the onl...
Many things broke on my app until I used the localized languages schema, most importantly to me being the actual name you see (which makes sense but nonetheless I had no warning either). It started using the name of the SWF exporting rather than the <name> element.
If you have the ability, definitely hold on to older OS installs. When iOS6 hit I had an old Ad-Hoc only app go absolutely nuts. I believe it was created with AIR3.2 or 3.3. Either way it wasn't compatible at all with iOS6 but worked perfectly with iOS5.
I test on 7 iPads of varying hardware and OS versions and from a lot of testing I can tell you update AIR ASAP if possible. It's an Adobe-specific thing. None of my native Xcode/obj-c apps tend to break. I do update them anyhow but as a general rule, update to the latest AIR and inspect the new schema every time for differences.
Yes, this is crazy really. I can't believe this is so unnecessarily difficult. Apple charging $99 a year for the pleasure of sheer frustration....
No matter what I do now, I can not get past the Codesign Failure error.
Is this because of something in CS6? Something Apple has done? No one knows, because this discussion is not only here, but also all over the Apple forums.
I can say, I have actually got 4 apps in the store. Built right up to CS5.5, and uploaded with Apple's ApplicationLoader on a Mac.
The moment I upgraded to CS6, and the new AIR SDKs etc., I first of all ran into the naming problem with the localization thing, then getting past that got to the CodeSigning error - where I am now stuck.
I have no idea now what to try next. Go backwards to CS5.5 and try again? How many hours can I afford to waste on this?
@Marius, glad to hear you got your certificate issues out of the way. I never have any certs/provision issues, but I do export my .p12 certs from the Keychain Access tool on my Macbook Air. I do work on Flash Pro CS6 on a Windows 7 64 bit machine though.
@Robert, I feel your pain. I went a week trying to figure this out when I first posted this thread. The first time, I was able to resolve it by renaming the .ipa file compiled on my Windows machine to a .zip file (not to be confused with 'zipping' the .ipa file), then, transferring that to my Mac, unzipping the .zip file there, and then zipping the .app file in the Payload folder, and submitting that through Application loader. The second time I encountered this issue (this past week), it was fixed by making sure my extensions directory only contained the .ane files I was using.
Hope this may help,
with kind regards,
Alex
@Robert
Well, actually, so far, I've made my trials using builds from FlashPro CS5.5,
but perhaps in my case there's a different cause.
So far, I've been using a virtual mac on windows (VMWare workstation 8, with OSX mountain lion installed on it).
Tomorrow, I'll have a try from a real mac of a friend (though I can hardly imagine how that would make a significant difference).
@ all:
The name of my IPhone Distribution certificate as it was generated by apple is:
"IPhone Distribution: Marius Versteegen"
The second part equals the name of my private key.
The name of the Distribution Certificate thus contains spaces, as well as a ":" character.
Could it be that the presence of these special characters in the name of the distribution key
could be the cause?
"Application failed codesign verification.
The signature was invalid, contains disallowed entitlements, or it was not signed with an iPhone Distribution Certificate."
Or has it been working for you in similar cases?
@sinious:
Right clicking in KeyChain on my distribution certificate, selecting validation..., there's
a dialog with radiobuttons. The one next to "generic (certificate chain validation only)" is enabled.
I was wondering - perhaps the one below ("Code signing") should be enabled instead?
If I generate a key/certSigningRequest on one Windows machine it's just as sensitive as Mac. CSRs and keys seem to have a 1 to 1 relationship with the machines they're generated on. You cannot make a key/csr on one Windows machine, take it to a different machine and generate certs with it. They fail.
My particular setup was generate certs on Mac, use them during production on Windows. There's no issue with Windows using a .p12 generated from Keychain/Mac. I did that for a long time. Soon I just got sick of even starting my Mac so I started using OpenSSL to generate the certs. That's when I found that the machine that generates the CSR must generate certs and only those certs can be used. So that's what I do. I generate certs once and copy the .p12 anywhere I go.
The pain in the neck is every time I add a new app I need to regen certs. That requires either being on the original machine I generated my CSR from or completely revoking the certs and generating them again (requiring all apps to be rebuilt, ugh).
Marius ~ I never changed anything in Keychain. I installed WWDC, generated a CSR, let the provisioning portal generate a .cer, downloaded and installed in keychain. I was able to export a .p12 that I used for quite a long time.
I've only done a few ad-hoc apps with Adobe Flash Pro CS5.5 and had no issue signing those for enterprise store development. That was about 2 years or so ago. Around then I downloaded FlashBuilder 4.6 and I've been using that and/or command line adt to compile since then and never had any issue.
One thing I did remember reading, just to confirm, is unzipping the IPA just to grab the .app file and rezipping that did solve some users issues. Although FB4.6 and Flash generate pretty similar IPAs (FB has plenty of "Flash stuff in it"), there has never been any issue on submission on my side as long as I generated my apps on a machine with WWDC and my cert installed while compiling.
Apple definitely went well out of their way to make the entire process very painful. Strange for a company extolling the simplicity they demand in their products.
@sinious
Then I guess I should try to give it a shot with FlashBuilder 4.6.
Before that, as my knowledge on this certificate stuff is rather poor - forgive me for asking some
more stupid questions - there's so much that can be different, and for something that's as vague
as this matter, anything different may imply "wrong".
My plan:
Revoke everything that is revokable-
apparently that's only the distribution and developer certificate, along with the attached provisioning profiles.
Looks like the same WWDR can only be re-downloaded.
* So no other revokings. Am I right?
* No need to create a new AppID, I can just use one from an app that I configured on ITunes Connect already.
Right?
Download & generate csrs and certificates all just using the machine where the compilation takes place (Windows machine)
with help of open ssl. Build Using FlashBuilder 4.6.
Before that, cleanup current certificates.
A On windows machine:
Certificates-current-user
  Other People
    Certificates
      Iphone Developer cert
      Iphone Distribution cert
* and perhaps as well (?):
  Personal
    Certificates
      Apple Iphone Device CA
* Did I forget anything?
Before upload on mac, cleanup KeyChain on mac:
1. remove certificates from KeyChain:
WWDR, Developer and Distribution.
2. remove private and public key from KeyChain.
(or is that dangerous? don't know how I got them - or how to get them back, if required)
3. Perhaps the "Apple Code Signing Certification Authority" in system root?
* Did I forget anything?
* Before upload on mac, is it necessary to add anything to KeyChain?
* Is it required to add any certificates to windows certificate manager anyway?
The p12 developer and distribution files are all that FlashBuilder will need to properly
sign the code, isn't it?
Many thanks in advance,
Marius
@Marius,
Here's a step by step (verbose) of what I do from the top when I setup for a new client (which I did just 3 days ago). If there's anything here that's different, I recommend you remove everything you have from before and start from scratch, as there are times when some ridiculously unforeseen item left over can affect your setup:
(a) On a Mac, open Keychain Access tool. Go to 'Keychain Access' in the main menu, then 'Certificate Assistant' --> 'Request a Certificate from a Certificate Authority'. On the Certificate information form, enter the email address you used for your iOS Developer Program account, for Common Name, use the name you have associated to your iOS Developer account (i.e. mine was a personal account, so it's just 'Alex Yamane'), leave CA email address blank, and choose 'Saved to disk', and save the .certSigningRequest file generated somewhere handy.
(b) Log into http://developer.apple.com/ with your iOS Developer account. Click on 'Member Center' at the top. Log in. Click 'iOS Provisioning Portal'.
(c) First of all, make sure you remove everything before you start this process. You need to go backwards when you remove everything, so make sure first, you go to the 'Provisioning' section, and remove all Provisioning profiles first (both Development and Distribution). Devices, you can leave alone. Go to the 'Certificate' section and remove all Development and Distribution certificates.
(d) Go to App ID, and create yourself a new AppID for your app, just to make sure so you're using everything fresh from the start.
(e) Now go to 'Certificates', and use the .certSigningRequest file. Also create one for Development using the same .certSigningRequest file. Re-click the tabs for each and they should refresh with your new certs there. Download each one. After you do, I recommend you rename them so you know these are the newest ones you just generated (it usually has a default ios_development.cer and ios_distribution.cer file name). If you haven't yet, make sure you also download the WWDR intermediate certificate if you haven't already.
(f) Go to 'Provisioning' section, and now create a new profile for 'Development'. Then go to the 'Distribution' tab and create one for the app_store and adhoc distributions. Save all 3 provisioning profiles.
(g) On your Mac, open Keychain Access tool. First if you haven't already, go to 'File'->'Import item' and choose the WWDR intermediate cert. Then, do the same for your Distribution Certificate (not Development certificate), I've had tons of trouble in the past when I first was starting out, because Adobe's website keeps talking about the Development cert, but you only need the Distribution Certificate installed (and just use the adhoc provisioning profile to development/test and the appstore provisioning profile for iTunes submission).
(h) Once you've imported your Distribution certificate, there should be an item under the 'login' section of the Keychains column on the left that looks like "iPhone Distribution: Marius Versteegen". Click the arrow next to that and expand it. When you do, you should see a little key icon and your name again. Right mouse on that, and choose "Export 'Marius Versteegen'". Choose file format .p12, and save this file somewhere.
(i) Now take all of those certs and provision files over to your Windows machine. Fire up Flash Pro. Open your project, and use the new .p12 file for your certificate, and use the new appstore Distribution certificate and compile. You should now have a .ipa file that's ready for iTunes submission.
(j) For me, from this point on, I've described earlier in the thread how I get my .ipa file over to my Macbook Air and upload to iTunes.
Hope this helps,
Alex
Step by step guide with graphics from the Apple
http://quickblox.com/developers/How_to_create_APNS_certificates
In the case above - I'd rather not go deleting everything I already have, that's how I got in this mess. I deleted the original provisioning certificate that had expired. Instead of editing it, and thus renewing it.
That's a tip by the way. If you have an expired certificate - go to the Dev site, and open the cert to edit it. Don't do anything, just click your cursor into any field, then save it. The certificate will be renewed for another year.
However - if you have deleted it like I did ... 😞 then too bad.
I'm trying to pull apart my p12 file so I can create a new one through the process, but so far haven't found a way to renew the cert itself.
Does the WWDR cert get stored in the 'user' store, or the System store. It's asking where I want to store it?
Woohoo! 🙂 Holy Matrimony..
The bitch has uploaded!
Thank you Alex, Sinious and Robert, you're my heroes.
As it appeared, I needed two additional parts to solve the puzzle.
The first one, I realized when parsing through the list of checkpoints that Alex sent in:
I'm embarrassed I didn't see that myself - that for the distribution, there is a different kind of profile.
When I was on the profile section of the provisioning portal, it appears I didn't realize the other tab
or realize that the developer and distribution certificate needed separate profiles.
Still, after that one, the signature failed problem remained.
Then, build with FlashBuilder 4.6.
The problem remained. - in retrospect, probably, because when I did export to release,
I failed to visit/discover the tab that decides on the additional includes - which would contain a lot
of trash (.fla's that build the swc's, the swc's and other build results)
Keeping in mind the earlier advice of Alex, I then moved all that crap out of the
project tree.
Then build.
In my case, it worked transferring the ipa via dropbox, uploading it without applying the zip-trick,
and with a virtual (VMware) mac rather than a real one.
Thanks thanks thanks!
That's great to hear. Now if all my visitors will leave ... 🙂 I can get back to trying to solve this problem here. But I think I may just keep drinking wine for today!
I'd like to try a few things that require a lot of concentration. Reading all the relevant bits on this post for example.
Then taking that bit of advice about removing all the litter in the build directory. That's caught me before I must admit.
Sorry I'm still stacking turkey cranberry mashed tato sweet tato green bean casserole ham and squash sandwiches. I slept about 23.4 hours for the last 2 days.
Just chiming in that you don't need to remove a Mobile Provision just to create new certs (I know, wow Apple at least didn't make one thing hard). I use a ton of provisioned devices over multiple accounts and I'd hang myself if I needed to. Once you revoke your dev/dist certs your provisions will be invalid but once you regen your certs simply "dirty" them by modifying them and the new cert is auto-applied. Then just check any option on/off (what they call dirtying, what I call bad javascript programming) and save. That mobileprovision is fine to re-use and will reset expire properly.
Also the extra adobe info in the IPA won't get your app rejected. I've had no issue with the extra cruft in there. You just need your basic ducks in a row (valid dist cert/mobileprofile connected to a valid app id, uncorrupt IPA, horseshoe up your... erm some luck).
Ok I have a sandwich to make...
WoooHoo.... I am one happy bunny. Upload successful at LAST.
Here's what I did. (and didn't do)
Firstly - I had created certificates all out of sequence. Idiot. The process is listed on the Developer site in order for a reason.
So I thought.
Ok, I created the distribution certificate and the p12 file, using the openssl thing. Easy.
However - what I had done wrong - I had continued to try to use the old original .mobileprovision file.
What I should have done.
Create the CERTIFICATE for Distribution
Delete the old provisioning file, and then
Create a New Provisioning .mobileprovision file and download it.
Once I did that, recompiled, moved the ipa to the VMMac, and up it went.
simple really 🙂
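Added example, not part of any post in this thread: the two fixes reported above (a development profile used where a distribution one was needed, and an old .mobileprovision reused after the certificate was regenerated) can both be spotted by reading the profile embedded in the .ipa before uploading. The sketch below does that with the Python standard library; the sample archive, its bundle id, team prefix and certificate bytes are constructed, and the key-based classification of profile types is an assumption based on the usual profile layout.

```python
import fnmatch
import hashlib
import io
import plistlib
import re
import zipfile
from datetime import datetime, timezone

APP_DIR = re.compile(r"^Payload/([^/]+\.app)/")

def decode_profile(blob):
    """embedded.mobileprovision is a CMS-signed blob wrapping an XML plist.
    This slices the plist out to read it; it does not verify the signature."""
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def profile_kind(profile):
    """Classify a profile by the keys it carries (assumed convention)."""
    if profile.get("Entitlements", {}).get("get-task-allow"):
        return "development"
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "ad-hoc"
    return "app-store"

def inspect_ipa(data, now=None):
    """Return the profile kind, embedded cert fingerprints and any findings."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        apps = sorted({m.group(1) for n in names if (m := APP_DIR.match(n))})
        if len(apps) != 1:
            return {"findings": [f"expected one Payload/*.app, found {apps}"]}
        root = f"Payload/{apps[0]}/"
        missing = [f for f in ("Info.plist", "embedded.mobileprovision")
                   if root + f not in names]
        if missing:
            return {"findings": [f"missing from bundle: {missing}"]}
        info = plistlib.loads(z.read(root + "Info.plist"))
        profile = decode_profile(z.read(root + "embedded.mobileprovision"))
    findings = []
    if root + "_CodeSignature/CodeResources" not in names:
        findings.append("no _CodeSignature/CodeResources: bundle is unsigned")
    kind = profile_kind(profile)
    if kind != "app-store":
        findings.append(f"profile is {kind}, not an App Store profile")
    if profile["ExpirationDate"] < now:
        findings.append("provisioning profile has expired")
    # application-identifier is "<prefix>.<bundle id or wildcard>"
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    bundle_id = info.get("CFBundleIdentifier", "")
    if not fnmatch.fnmatchcase(bundle_id, app_id.partition(".")[2]):
        findings.append(f"bundle id {bundle_id} not covered by {app_id}")
    # SHA-1 of each DER cert, comparable with the fingerprint Keychain shows
    certs = [hashlib.sha1(c).hexdigest().upper()
             for c in profile.get("DeveloperCertificates", [])]
    return {"profile": kind, "cert_sha1": certs, "findings": findings}

def build_sample_ipa(devices=None, signed=True, bundle_id="com.example.demo"):
    """Constructed stand-in IPA for the demo; not a real signed app."""
    profile = {"ExpirationDate": datetime(2030, 1, 1),
               "Entitlements": {"get-task-allow": False,
                                "application-identifier": "TEAM123456.com.example.*"},
               "DeveloperCertificates": [b"constructed-der-bytes"]}
    if devices:
        profile["ProvisionedDevices"] = devices
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        app = "Payload/Sample.app/"
        z.writestr(app + "Info.plist", plistlib.dumps(
            {"CFBundleIdentifier": bundle_id}, fmt=plistlib.FMT_BINARY))
        z.writestr(app + "embedded.mobileprovision",
                   b"\x30\x80CMS" + plistlib.dumps(profile) + b"SIG")
        if signed:
            z.writestr(app + "_CodeSignature/CodeResources", b"<plist/>")
    return buf.getvalue()
```

For a real build, pass the bytes of the .ipa to `inspect_ipa` and compare the returned `cert_sha1` values with the SHA-1 fingerprint of the distribution certificate you signed with.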
@Robert. I understand how you feel - when after soaring along the edge of despair you find the answer - the relief is immense.
It was in that ecstasy that I posted the non-compact previous post for which my apologies.
This is the creation order:
- App ID (enable options required)
- Certificate (dev and dist, now linked to new app ID)
- Devices (dev or ad-hoc dist)
- Mobileprovision (Now has new certs, app ID and all devices needed)
- SSL certs for Push/etc.
This is the revoke/renew order:
- Alter app ID if needed (adding Push, etc)
- Revoke certs
- Renew certs using old codeSigningRequest (makes no difference if you generate a new one)
- "Dirty" previous Mobileprovision (just hit modify, change anything to enable saving, save)
- Generate SSL certs for push if that was added
That order has never really changed. What they need to do is put App ID at the top of the list on the left. The how-to instructions are very useful but so isn't intuitive site design. Once you've done both of those processes it's really very simple.
Apple needs to fix assigning App IDs to certs. They should somehow be moved to the Mobileprovision permanently so dev/dist certs don't need to be updated. It's a pointless waste of time.
But you do NOT need to delete and recreate a Mobileprovision, it's a waste of time. You just need to dirty and resave it and it will absorb a newly created cert automatically, have the app ID and devices.
@Marius. Thanks, it was reading your post that got me back on the right track after all. So the non-compact version worked well 🙂
and I hear what @Sinious is saying also. No need to delete etc, just edit and save.
For existing apps, In the case of the p12 file expiring though, because that can't be edited, if it has expired, then remake that first, then do the provisioning file editing again after that.
When creating NEW apps, just follow Apple's instructions... basically do everything in order that it is listed and all will be well.
anyway - it's all good.
Now in review again, and waiting.
Careful there. Remember app IDs are bound to certs. If you do it in the order they list (starting with certs) when you gen your cert, then make your way down to app ID, you can't use those certs. You need to re-create them again.
So don't follow the list order in the portal, unless you're referring to some list in their help section.
What's the app you just made? Is it already out and you're submitting a revision or is it new?
@Sinious, good point.
For something supposedly so simple, the process is full of 'gotchas'.
The app is Pin Point Premium, the following is just a link to the appstore where it is.
So hopefully after review, the update will be ok.
Thanks for the help everyone as well.
Cool I'll check it out
Some info to share with visitors of this topic:
Previously, on this topic, it was reported that a .fla that was created could not be uploaded for distribution (would give codesign fail error), and that cleaning up all "trash" from the project tree would prevent that.
After some experimenting, I can be more precise on that:
* It only concerns trash in the source folders, where "trash" == non-.as3 files. (even .txt files will cause the problem).
Cool - keeping that in mind, FlashBuilder 4.6 does the job.
Yet another thing I noticed is even after removing the trash (and countless other things tried as well) - ipa's built using the FlashPro's appear to properly produce ipa's for test-purposes, but none that can be uploaded without the error.
I guess that's good for FlashBuilder 4.6 sales, but seriously:
Is it a known problem that has been caused by recent changes in the Apple Loader application? Or should it be something I'm doing wrong?
Thanks in advance, Marius
Just like FlashBuilder gives you an easy tab during export to see the contents it's going to include in the app, Flash Pro does as well. You'll notice Flash Builder (especially with re-imported existing projects) will include anything you put in the 'src' folder in your app automatically. All files being included in the export need to be checked each time in case there's any junk.
Otherwise I have no issue producing using Flash Pro CS5.5 or FB4.6. The IPAs require no additional changes to submit.
I'm not certain what you mean by:
* It only concerns trash in the source folders, where "trash" == non-.as3 files. (even .txt files will cause the problem).
If by that you mean 'src' folder in Builder or the publish source directory in Pro then that's not correct. I include a ton of files from my source folders (images, video, audio, XML, text, PDFs, etc). I simply do as I said above and make certain I only include what I need. I have all sorts of other litter in there (certs, todo lists, etc).
Don't get me wrong, you should love Flash Builder anyhow. Be sure to use the Profiler tool, hunt down any mem leaks. The code completion is excellent (CTRL+space autocomplete, and CTRL+1 auto-generate). It's so much easier to overlay a SDK. Copy the .zip in the sdk folder, extract, done, no editing XML files (FP is included). Project setup/management/svn is so much cleaner. Etc, etc..
I have to apologize (I should not have posted a message while drinking beer).
The "trash" definition in my previous post was too rigid / not true indeed.
For instance, the fooapp.xml file and icon folders are inside
the src directory as well, and they don't pose a problem.
So far, failed codesign appeared to be caused in next cases:
* a build folder inside a src folder.
* a .txt file in a package folder (sub folder of a src folder).
The src folder is named source because it's only supposed to contain just that, source. Why would you put your output in the source folder? This is what I was mentioning as far as automatic project cleanliness with FB as it by default auto-generates the src folder separate from the bin-debug folder (expecting you to export release builds in a bin-release you create yourself). I never tried exporting to my src folder but I imagine it would be a paradoxical mess, adding files to src while the compile continues to package that folder hehe.
I have all of my above mentioned files in sub folders of the src folder. They're the above mentioned files I include.
e.g.
/src/assets/images (PNG, JPG)
/src/assets/pdfs
/src/assets/video (MP4)
/src/model (txt, SQLite dbs, XML)
/src/views (html, etc)
No problem including those at all. I do it because FBs nature is to auto-include those files, and I intend to. My code of course is in there too. (Package and Folder are interchangeable terminology):
/src/com/ertp/clientname/projectnumber (AS classes)
/src/com/etc...
I keep SWC/ANE outside /src, that's about it.
../assets/ (SWC, ANE)
Only because I don't want them added to packaging and they're configured to compile in the project so no need to include.