Error when using wrapper: an invalid signing certificate was specified.

[tommy-time]

Describe the bug: When invoking the intune wrapper for ios on our mobile app we always get the error: "An invalid signing certificate was specified." We are unsure as to how to resolve this issue. Any help would be appreciated. How can we verify that the certificates are loaded correctly, or what the tool is looking for exactly?

For android we can wrap the app jut fine.

To Reproduce

1. Follow the guide on https://learn.microsoft.com/en-us/mem/intune/developer/app-wrapper-prepare-ios to create distribution certificate and provisioning profile.
2. build app with provisioning profile linked to distribution certificate
3. Try to wrap .ipa file with intune wrapper tool, using the same certificate

Expected behavior: A successful wrap of the .ipa file.

Screenshots and logs:

• Command:

  ./IntuneMAMPackager -i /Users/XXX/XXXX/MobileBuilds/apple-wrapping-test/XXX-intune.ipa -o /Users/XXXX/XXX/MobileBuilds/apple-wrapping-test/XXX-intune-wrapped.ipa -p /Users/XXX/XXXX/MobileBuilds/apple-wrapping-test/xxxxxx_intune.mobileprovision -c 52715FDD021DB0EE7A9A1C86A1A5C62C899XXXXX -v true -ac 3d2952e0-1aae-43a3-8198-d719ce005XXX -ar
  msauth.com.xxxx.xxxxx.intune://auth

• OUTPUT

  
  MacOS git:(main) ✗ ./IntuneMAMPackager -i /Users/xxxxx/xxxxx/MobileBuilds/apple-wrapping-test/xxxxx-intune.ipa -o /Users/xxxxxx/xxxxxx/MobileBuilds/apple-wrapping-test/xxxxxx-intune-wrapped.ipa -p /Users/xxxx/xxxxx/MobileBuilds/apple-wrapping-test/xxxxxxx_intune.mobileprovision -c 52715FDD021DB0EE7A9A1C86A1A5C62C899xxxx -v true -ac 3d2952e0-1aae-43a3-8198-d719ce00xxxx -ar msauth.com.xxxxxx.xxxxx.intune://auth
  Application packaging in progress...
  Version of MACOSX is 14.3
  Version of XCode installed is Xcode 15.2
  Build version 15C500b

Parsing provisioning profile... Parsing main app provisioning profile... Parsing extension provisioning profiles... Checking that main provisioning profile has not expired... Checking that extension provisioning profiles have not expired... Checking if signing certificate is valid... Provided certificate name length matches that of SHA1 hash. Number of certificates returned by query: 3 Checking certificate at index: 0 Getting certificate common name. Computing SHA-1 fingerprint of current certificate. Computing SHA-1 fingerprint of provided certificate. Checking certificate at index: 1 Getting certificate common name. Computing SHA-1 fingerprint of current certificate. Computing SHA-1 fingerprint of provided certificate. Checking certificate at index: 2 Getting certificate common name. Computing SHA-1 fingerprint of current certificate. Computing SHA-1 fingerprint of provided certificate. An invalid signing certificate was specified. Specify a valid Apple signing certificate. Cause of the error to be provided for investigation:(null)

**Intune app wrapping tool (please complete the following information):**
- What version of the wrapper are you using? Are you using the latest version? 19.4.0
- What platform is your app based in (Java, Xamarin based, Cordova, etc)? Expo - ReactNative
- For pre-wrapping errors, does the app build without being wrapped? Yes
- For post-wrapping errors, does the app launch without being wrapped? Yes
- Who is the customer? Internal
- Do you see a trend with it only being reproduced on a specific device? Same result on two developer devices

[ChismanRaheem]

Hi @tommy-time
The signing cert maps to a Sha-1 hash, which should be located in the "keychain access" of the signed-in users.

Make sure you've downloaded the correct signing certificate from the Apple developer portal. Your certificate might be expired or might be missing a public or private key. If your Apple certificate and provisioning profile can be used to correctly sign an app within Xcode, then they're valid for the App Wrapping Tool. Additionally, verify that the signing certificate has a unique name within the host macOS machine's keychain. If there are multiple versions of the same certificate within the keychain this error may be returned.

Note:
Make sure that the signing certificate is valid before you specify it. The tool doesn't check whether a certificate is expired when processing iOS apps. If the hash for an expired certificate is provided, the tool will process and sign the app, but it will fail to install on devices.

Make sure that the certificate provided for signing the wrapped app has a match in the provisioning profile. The tool doesn't validate if the provisioning profile has a match for the certificate provided for signing the wrapped application

[tommy-time]

Thanks for the feedback @ChismanRaheem , but as far as we can tell everything checks out. The certificate is available in the keychain access, where we got the SHA-1 hash from. The same certificate was used to provisioning profile. The certificate name is unique. The certificate was newly created so it is not expired.

[ChismanRaheem]

Hi @tommy-time Based on the output provided it would suggest that the application identified 3 certs on the mac of the signed in user please check these and validate if required on system and also confirm cert is trusted. Number of certificates returned by query: 3

[ChismanRaheem]

@tommy-time In summary make sure a valid signing certificates exist in your system keychain. Located below are troubleshooting steps I am recommending:

• Reset trust settings for all related certificates
• Install intermediate certificates in the system keychain and sign-in keychain
• Uninstall and reinstall all related certificates