Debugging codesigning issues

This guide will help you resolve the most common code signing errors. In general, make sure to read the complete output when something goes wrong, in particular the very top and the very bottom of the build output. You'll always have access to the raw xcodebuild output. Make sure to analyze it, as fastlane can only assist you in resolving problems.

Error message

Make sure to find the exact error message in your build output. Many times the error message actually tells you how to resolve the issue.

To get even more details, try archiving using Xcode 8.

Different machine

Does code signing work on a different Mac, but not on yours? If so, chances are high you don't have the latest private key, the certificate or the provisioning profile. Also follow the Keychain part of this document to make sure you don't have any expired certificates installed.

Xcode project

Make sure to follow Setting up your Xcode Project to properly set up your project.

A checklist of what you should verify in your Xcode project:

  1. Make sure to have consistent code signing settings across your targets
  2. Don't set any code signing settings on your project level, just on the target level
  3. Make sure the bundle identifier matches the one in your provisioning profile
  4. Make sure the code signing identity is set to iOS Distribution for Release builds
  5. Make sure to set a provisioning profile for all your targets, e.g. Watch, Today widget, ...
  6. Check your working copy in git - did you make any changes by mistake?

Developer Portal

If a certificate gets revoked, all connected provisioning profiles get invalidated. This however might not immediately show up in your local keychain.

  1. Open the Developer Portal
  2. Verify your certificates are valid, and didn't expire or get revoked
  3. Switch to the Provisioning Profiles and make sure the profiles you want to use are all still valid
    1. If your profile is invalid or expired, you can easily fix it:
      1. If you're using match, run match with force enabled
      2. If you're using sigh, run sigh with force enabled
      3. If you're doing manual code signing, edit the provisioning profile, and click on Generate on the bottom of the screen. Make sure to select the correct certificate, then download and open the new provisioning profile
    2. If your profile is valid but you still have issues, make sure:
      1. that the certificate matches the certificate you have installed locally. You can view the used certificate by editing the profile (Don't click Generate, unless you want to re-generate the provisioning profile)
      2. that all devices you need are included (Development and Ad-Hoc only)
      3. that you are actually looking at the correct provisioning profile, that matches the bundle identifier of your app. You might have multiple provisioning profiles for the same app / certificate combination. By default Xcode will use the last modified one.

Keychain

  1. Run security find-identity -v -p codesigning to get a list of locally installed code signing identities. Does yours show up?
  2. Open the Keychain Access app, switch to Certificates and find your iOS Developer or iOS Distribution entry and unfold the entry to verify the private key is locally installed.
  3. Make sure to have deleted all expired WWDR certificates, more information here. There might be 2 expired WWDR certificates, one in the login, and one in the system keychain
  4. Run security default-keychain to view the default keychain that is used by some fastlane actions if a keychain path is not explicitly provided. If it's the system keychain, make sure fastlane has access to write to it. You may want to reconfigure your environment so the default keychain is the login keychain, which is less prone to permissions errors. If you're using launchctl, see this link to change the default keychain to the login keychain.
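
The identity check from the first Keychain step can be scripted. The following is an added example, not part of fastlane or the original guide: it assumes the listing format that security find-identity -p codesigning prints without -v (invalid identities carry a CSSMERR_... reason), the function names classify_identities and check_identity are hypothetical, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example, not fastlane code. Reads the text printed by
# `security find-identity -p codesigning` on stdin. Assumed line shape:
#   N) <40-hex SHA-1> "<name>" [(CSSMERR_...)]

# Emit STATE|SHA1|NAME|REASON per identity. The "Valid identities only"
# section repeats entries from the first section, so stop when it starts.
classify_identities() {
  sed -n -E \
    -e '/Valid identities only/q' \
    -e 's/^ *[0-9]+\) ([0-9A-Fa-f]{40}) "([^"]*)" \((CSSMERR_[A-Z_]+)\) *$/INVALID|\1|\2|\3/p' \
    -e 's/^ *[0-9]+\) ([0-9A-Fa-f]{40}) "([^"]*)" *$/VALID|\1|\2|/p'
}

# check_identity PREFIX -> 0: valid identity whose name starts with PREFIX,
# 1: installed but rejected (expired, revoked, ...), 2: not installed.
check_identity() {
  wanted=$1
  result=2
  listing=$(classify_identities)
  while IFS='|' read -r state sha name reason; do
    case $name in
      "$wanted"*) ;;
      *) continue ;;
    esac
    if [ "$state" = VALID ]; then
      echo "valid: $name ($sha)"
      result=0
      break
    fi
    echo "not valid: $name ($reason)"
    result=1
  done <<EOF
$listing
EOF
  return "$result"
}

# Constructed sample output (hashes, names and team IDs are made up).
SAMPLE='Policy: Code Signing
  Matching identities
  1) 0123456789012345678901234567890123456789 "iPhone Developer: Jane Doe (ABCDE12345)"
  2) ABCDEF0123ABCDEF0123ABCDEF0123ABCDEF0123 "iPhone Distribution: Example Corp (FGHIJ67890)" (CSSMERR_TP_CERT_EXPIRED)
     2 identities found

  Valid identities only
  1) 0123456789012345678901234567890123456789 "iPhone Developer: Jane Doe (ABCDE12345)"
     1 valid identities found'
printf '%s\n' "$SAMPLE" | check_identity "iPhone Distribution" || true
```

On a Mac, pipe the real listing into check_identity instead of the sample. Exit status 1 points to an expired or revoked certificate still sitting in the keychain, and exit status 2 to a certificate or private key that was never installed.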

Have you tried turning it off and on again?

As funny as it sounds, sometimes restarting your Mac helps.

fastlane

Run fastlane in verbose mode to get even more debug information:

fastlane [lane] --verbose

Common Issues

Check out Common code signing issues for the most common code signing issues and how you can solve them.