apple app. When I try to authenticate as a developer, I get an error message.

[oh-sik]

Programs created with Adobe AIR run without problems in ios xcode, but apple app. When I try to authenticate as a developer, I get an error message. "The AIR file could not be signed. The signing certificate is not from the expected issuer." Attach the file. Is there a solution?

[rogerclarkmelbourne]

You need provisioning profiles and application certificates as appropriate to your app and how you plan to deploy it

[reckhoff]

fyi.... this is happening to me as well. I have an enterprise app that used to sign just fine. The provisioning profile had expired and the cert was close to expiration so i created a new cert and provisioning profile like I always had (in house distribution). All development is done on the Mac. I use IntelliJ as my IDE. When IntelliJ tries to sign the .ipa to debug on the device, I get the same error as above. When I try to package my app for deployment (I use ANT) from the command line, i get the same error. I've tried creating the cert in different ways (keychain and xcode) all to no avail.

I wonder if this is related to the email Apple sent out in early September for enterprise users:

Starting September 2, 2020, new Enterprise iOS Distribution Certificates will be issued using a new intermediate certificate that expires on February 20, 2030. Download and install this certificate to successfully sign apps with a newly created Enterprise iOS Distribution Certificate. Xcode 11.4.1 or later is required to sign apps using certificates issued with the new intermediate certificate. If you are unable to upgrade to a compatible version of Xcode, you can continue to sign your apps using the command line.

The intermediate certificate that expires on February 7, 2023 will continue to issue all other certificates, so you should keep both versions installed on your development systems and servers. All in-house apps that you have already deployed will continue to run until the associated certificate or provisioning profile expires or you revoke your signing certificate.

Yes, the certificate authority certs that expire in 2023 and 2030 that email mentions are both installed.

I'm continuing to research and dig but I wonder if a) is the original poster using enterprise like me or regular dev license b) if other enterprise users are running into the same issue c) anyone has any pointers where to look

[ajwfrost]

Hi

@oh-sik For Animate .. what are you actually doing to trigger this error message? I'm guessing that this is an application for desktop MacOS, and you're signing with your own certificates? or is this an iPhone app?

@reckhoff When you say you're using this from Ant, from a command-line, then are you able to find out what the command-line is?

Could you also please confirm the platform OS and version number that you're using?

It does look like this is an issue with certificates that ADT is expecting and trying to ensure that the signing certificate is one that was issued by Apple. If we're not able to reproduce this here, we can perhaps provide a version of ADT with a lot of debug output that tries to show what it's checking for; it may be the certificate descriptions/formats have changed slightly..

thanks

[reckhoff]

Long response with lots of info.

MacOS Catalina Version 10.15.7 (19H2) Kernel Version: Darwin 19.6.0

IntelliJ IDEA Version 2020.2.3 (Ultimate Edition) Build #IU-202.7660.26

When I do development (debugging, IDE step through source code while app running in emulator or on device, etc), I use IntelliJ. It is set up to use my ANT build for compiling; however, IntelliJ uses it's own mechanisms for packaging the app to deploy for debugging. This is important as you'll see below.

I generated fresh enterprise certificate and mobile provisioning profile yesterday, even changed the app id to see if it made a difference. I develop primarily on the Mac and haven't tried if any of this works on my Windows laptop yet as I rarely use it. I used Keychain to export the cert as a .p12 file.

The app we are created and are updating is an iPad app.

Ant build that has always worked in the past. I use a .p12 for my keystore:

     [exec] Executing '/opt/tools_air/flexsdks/4.16.1_AIR33.1.1.259/bin/adt' with arguments:
     [exec] '-package'
     [exec] '-target'
     [exec] 'ipa-app-store'
     [exec] '-provisioning-profile'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/certificates/ios_RTI/AFSCC_TO5_BMT.mobileprovision'
     [exec] '-storetype'
     [exec] 'pkcs12'
     [exec] '-keystore'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/certificates/ios_RTI/AFSCC_TO5_BMT.p12'
     [exec] '-storepass'
     [exec] 'password would be here'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/exportReleaseBuild/AFSCC.ipa'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin/AFSCC-app.xml'
     [exec] '-C'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin'
     [exec] 'AFSCC.swf'
     [exec] 'assets'
     [exec] 'Assets.car'
     [exec] 'Default-375w-667h@2x~iphone.png'
     [exec] 'Default-414w-736h@3x~iphone.png'
     [exec] 'Default-568h@2x~iphone.png'
     [exec] 'Default-Landscape@2x.png'
     [exec] 'Default-Landscape-414w-736h@3x~iphone.png'
     [exec] 'Default-LandscapeLeft@2x~ipad.png'
     [exec] 'Default-LandscapeRight@2x~ipad.png'
     [exec] 'Default-Portrait@2x.png'
     [exec] 'Default-Portrait@2x~ipad.png'
     [exec] 'Default-Portrait-1112h@2x.png'
     [exec] 'Default-Landscape-1112h@2x.png'
     [exec] 'Default-812h@3x~iphone.png'
     [exec] 'Default-Landscape-812h@3x~iphone.png'
     [exec] '-extdir'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin'

Build fails with: "The signing certficate is not from the expected issuer". If ADT is throwing this error, it should be easy to find if you search on the string. Note the misspelling of certficate. Hopefully this will help with searching the source.

So..... I did some experimenting late yesterday around the signoptions for ADT:

     [exec] Executing '/opt/tools_air/flexsdks/4.16.1_AIR33.1.1.259/bin/adt' with arguments:
     [exec] '-package'
     [exec] '-target'
     [exec] 'ipa-app-store'
     [exec] '-alias'
     [exec] 'iPhone Distribution: Research Triangle Institute'
     [exec] '-storetype'
     [exec] 'KeychainStore'
     [exec] '-providerName'
     [exec] 'Apple'
     [exec] '-provisioning-profile'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/certificates/ios_RTI/AFSCC_TO5_BMT.mobileprovision'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/exportReleaseBuild/AFSCC.ipa'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin/AFSCC-app.xml'
     [exec] '-C'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin'
     [exec] 'AFSCC.swf'
     [exec] 'assets'
     [exec] 'Assets.car'
     [exec] 'Default-375w-667h@2x~iphone.png'
     [exec] 'Default-414w-736h@3x~iphone.png'
     [exec] 'Default-568h@2x~iphone.png'
     [exec] 'Default-Landscape@2x.png'
     [exec] 'Default-Landscape-414w-736h@3x~iphone.png'
     [exec] 'Default-LandscapeLeft@2x~ipad.png'
     [exec] 'Default-LandscapeRight@2x~ipad.png'
     [exec] 'Default-Portrait@2x.png'
     [exec] 'Default-Portrait@2x~ipad.png'
     [exec] 'Default-Portrait-1112h@2x.png'
     [exec] 'Default-Landscape-1112h@2x.png'
     [exec] 'Default-812h@3x~iphone.png'
     [exec] 'Default-Landscape-812h@3x~iphone.png'
     [exec] '-extdir'
     [exec] '/Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin'

This worked. Note the difference in the signing options. I reference the cert in Keychain directly. This is not an ideal solution because I do need to work on windows on the rare occasion and the .p12 mechanism is cross platform where as the above direct reference to keychain won't work on windows. So some progress. I can create my .ipa for deployment.

But what about development and debugging. Back to IntelliJ. In the project structure iOS settings, IntelliJ prompts for a Keystore file. Using the .p12 file yields the same result as building from the command line.

If I try to debug on an iOS Device from IntelliJ where I specify the .p12 file (what has worked for all these years), I get the same error as the command line package. Here is the IntelliJ output for the ADT command:

ADT command line:
/Applications/IntelliJ IDEA.app/Contents/jbr/Contents/Home/bin/java -Dapplication.home=/opt/tools_air/flexsdks/4.16.1_AIR33.1.1.259 -Dfile.encoding=UTF-8 -Djava.awt.headless=true -Duser.language=en -Duser.region=en -Xmx512m -jar /opt/tools_air/flexsdks/4.16.1_AIR33.1.1.259/lib/adt.jar -package -target ipa-debug-interpreter -listen 7936 -storetype PKCS12 -keystore /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/certificates/ios_RTI/AFSCC_TO5_BMT.p12 -storepass PasswordWouldBeHere -provisioning-profile /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/certificates/ios_RTI/AFSCC_TO5_BMT.mobileprovision /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin/AFSCC.ipa /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin/AFSCC-app.xml -extdir /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/externalLibs -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin AFSCC.swf -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/bin assets -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Assets.car -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-375w-667h@2x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-414w-736h@3x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-568h@2x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-812h@3x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Landscape-1112h@2x.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Landscape-414w-736h@3x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Landscape-812h@3x~iphone.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Landscape@2x.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-LandscapeLeft@2x~ipad.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-LandscapeRight@2x~ipad.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Portrait-1112h@2x.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Portrait@2x.png -C /Users/reckhoff/Desktop/ProjectSource/GitHub/PHIT-AirForceSCC/BMTClassroomApp/src Default-Portrait@2x~ipad.png

If I try to debug on an iOS Device from IntelliJ where I blank out the Key store file and specify the working command line sign options in the "Additional ADT options" field, I still get prompted to enter a keystore password, even though it is blank and the options don't specify to use it. IntelliJ seems to only want to package with a keystore file. If anyone knows how to get IntelliJ to ignore the keystore file, I'm all ears.

So from a development perspective, I'm a bit stuck. I can't debug on the iOS device and I can't debug in the emulator because of the EncryptedLocalStore issue (see #508).

This morning's task is to try this all on windows which I haven't used in over a year. ugh...

In terms of priorities, since my tech team are all using macs, since I now have a workaround for signing the app on MacOS, the priority is being able to debug from our IDE (IntelliJ). So which ever is easier to fix (EncryptedLocalStore or this one), I defer to you on priorities.

More than happy to help with any debugging on your end like trying a special ADT with additional debug info: reckhoff@rti.org

[reckhoff]

Windows Update - using the .p12 file also fails on windows.

Basically the same information as above for environment, just on windows 10 pro

[lamselli]

When I try to use your adt options, I get the following error : KeychainStore Ignored Exception: java.security.cert.CertificateParsingException: java.io.IOException: Duplicate extensions not allowed Did you have the same thing ? Did you fix it ?

[reckhoff]

Stuck? ....

The only thing I can do is package the .ipa from the command line as if for release with the ADT options above. When I created the cert, I made certain I had the 2030 certificate from Apple installed. From the email I got from Apple, here is the link to it if you don't have it already. maybe that is what is driving the parsingException you are getting?

Certificate: Apple Worldwide Developer Relations Certification Intermediate Certificate Expires: February 20, 2030 Download certificate https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer

What I can NOT do which I'm hoping for a fix soon from Harman:

1. On the Mac, I can not debug in the emulator from my IDE (IntelliJ) because of #508
2. On the Mac, I can not debug on an iOS device from my IDE because IntelliJ forces you to use a .p12 and I couldn't find anything in the flash plugin source code to specify my working options above without suddenly becoming an IntelliJ plugin developer, something i don't have time for.
3. On Windows, I can NOT debug on an iOS device from my IDE for the same reasons as the mac
4. On Windows, I am able to debug in the emulator but this isn't ideal as our app is iPad specific with iPad specific styling

I really need to be able to debug directly on the iPad, something I can not do right now so yeah, I'm still stuck.

[lamselli]

Actually, when I have this warning, it builds the IPA anyway. But I can't install it on any device. I have to resign it (following this method : https://stackoverflow.com/questions/6896029/re-sign-ipa-iphone) and then it eventually works. You don't have this kind of warning with adt when having '-storetype KeychainStore' parameter ? What version of Mac OS and Java are you using ?

From my side, I managed to debug with Intellij on mac using a specific p12developper certificate and provisionning profile. (It seems that the developper certificates are still using previous CA and thus it prevents the adt error message). Hope this helped you !

[reckhoff]

@ajwfrost Good morning, I know everyone is super busy, just wondering if you have an ETA on a fix?

[ajwfrost]

We're investigating this currently; the issue is in the way the ADT code is looking through the signing chain, we'll look to get a patched version of ADT out once we have a fix (might be optimistic to say the end of this week..?)

Re #508 if you want to work around that, you can remove the code-signing from ADL, it should then work I believe.. Weirdly for us this is working fine on Catalina but we have a Mojave machine where we can reproduce it. There may be something to do with caching of passwords etc which is impacting it..

[reckhoff]

@ajwfrost any status on a fix for signing with a .p12 file?

[reckhoff]

@ajwfrost i didn't see 504 in the bug list of fixes in the latest release. I'm curious how other people are able to debug on a device using an IDE as this bug has us completely blocked in doing so. any update on when this might be addressed? 1980s style debugging techniques are totally lame and slowing us down. other options. We use intellij which seems to only support .p12.