Hello

I'm mlssing a lot of info here. Please read https://www.pmbaty.com/iosbuildenv/help/thread.php?path=Problem%20solving/&file=how-to-report-a-problem

That iTMS error means that you tried to send an .ipa file to Apple that was signed with your development certificate and provisioning profile. Anything sent to the App Store should be signed with a *Distribution* certificate and a *Distribution* profile.

It is possible that you've hit a bug in the code signer, but in order to ascertain that you need to tell me what happens exactly when you sign your app for submission as per Apple's requirements, i.e. with your most recent distribution certificate suitable for your app ID and a matching distribution profile.

If those error messages are unclear, please pay more attention to the documentation where the code signature principles are explained and the difference between certificate types is explained.

Best regards,

An app whose icon is stuck with "Waiting" during installation is usually typical of a code signature problem. The app has been downloaded on the phone but rejected by iOS at signature verification time.

Let's proceed methodically. You say you could build and upload successfully with Xcode. So, we know the certificates you have on your Mac are good. We'll start from here.

You have understood that there are basically 2 signature types:

- Development signatures, apps signed with those can be directly deployed to your iPhone (mainly for testing) but can't be uploaded to Apple ;

- Distribution signatures, apps signed with those cannot be deployed to your iPhone directly, but can be uploaded to Apple (then Apple re-signs them with their own certificate, which is why your device trusts them when it seems them on the App Store)

As you have working certificates on your Mac, you should migrate them to Windows. You don't need to migrate the whole SDK, just the *certificate* that Xcode uses to sign your app, using macOS's Keychain Access utility (the documentation explains how to do that) ; and the *provisioning profile* with which it installs on your device.

If you built with Xcode for development (i.e. direct deployment to your device) you should look for and migrate a *development* certificate and provisioning profile, and if you built with Xcode for uploading to Apple you should look for and migrate a *distribution* certificate and provisioning profile.

How to find your iOS code signing certificate on your Mac :

- open Spotlight (the search magnifier), type "Keychain Access.app". Open that app.
- make sure the "session" keychain is highlighted in the left panel
- in the right panel you see a list of certificates. The one you're looking for either begins with "Apple Development: " or "Apple Distribution: ", is *not* expired yet, and has a '>' mark next to it which when you click it shows the *private key* with which the certificate is associated. Select the right certificate, then right-click (or Control+click) and select "Export". Choose the .p12 format, enter a filename, and move that .p12 file to Windows. It will contain both your certificate and its private key.

How to find the provisioning profile for your app on Mac :

- if your app was built for a *real device* at least once, do a file search in Xcode's DerivedData directory for this app for a file called "embedded.mobileprovision". It must be located in a folder that has your app's name in it (such as ...VeryLongPath/YourAppName.app/embedded.mobileprovision). This is your provisioning profile, the very one that Xcode used.
- if your app was not built yet (or if you cleaned the Xcode intermediary files), you'll find your provisioning profile in ~/Library/MobileDevice/Provisioning Profiles/ and it will have a nonfriendly name in hex chars. You'll need to right-click (or Control+click) and display its information to figure out which one is the right one.

At this point you will have migrated 3 things in the Windows iOS keychain: your certificate, its private key, and a provisioning profile. If you did it right these are the very items that Xcode used to sign your app.

Build and sign your app with this signing identity.

- Do you get an error message during the build ?
- If not, if it's a development certificate, can the app be installed on your iPhone ? Else if it's a distribution certificate, can the app be uploaded to Apple ?

If it's a no-op to these two points, then it's likely that you've hit a bug in the code signer that I'll have to take a closer look at. In which case please send me your .ipa file by email at pm at this domain for analysis. I'll look at this in priority. I suspect the unusually long name of your signing identity could maybe overflow a static buffer somewhere.

Hello

The error is the consequence of the first warning. It means there's a problem in the build script when trying to identify your team ID from your signing certificates.

Let me guess... what are the *file names* of the certificates you're using ?

:: @Pierre-Marie Baty added on 21 Nov ’21 · 16:27

P.S: you can see that in the Keychain tool, or by browsing to the "Keychain" subdirectory in the builder's install path.

I guess the parentheses () are the cause of the problem. Please rename that file (from the Windows file explorer) with a name without parentheses. Then close and reopen the builder and try building again. Did it help ?

Could you please send me this certificate file to my email address so I can have a closer look at it ?

Well received. And I found the problem.

There's a bug (yet another one) in Microsoft's "findstr" command-line utility. This utility doesn't conform to its own specification. According to "findstr /?", doing a "findstr /v "item1 item2begin\ item2end" should filter out from the standard input the lines that contain either "item1" or "item2begin item2end" (by the use of the backspace as a metacharacter to join item2begin and item2end in a single search item). Yet it does not. It behaves as if the argument passed was "item1 item2begin item2end", turning out to be 3 search items instead of 2. And as the build script was trying to filter ou the lines containing either "Authority" and "Root CA" (findstr /v "Authority Root\ CA"), and since your team identifier in your certificate contains the characters "CA", it was filtered out. The build script couldn't identify your team ID, and that yielded the error.

As a workaround measure, you can do this. Open the "build.cmd" script in the builder's install path with a text editor and look for the string:

% build.cmd (lines 424-425)
"Authority Root\ CA".
%

It appears in two places. Replace this substring with

% build.cmd (lines 424-425)
"Authority Root"
%

(i.e. delete the "\ CA"). Save and close the file. Now rebuild. This should fix your error.

I take note to review every occurence of "findstr" in my scripts. This could potentially be the cause of more issues...

Thank you for your excellent suggestion ! I improved a bit about it, what do you think of this one:

% build.cmd
rem // now, if we have a valid signing identity, identify the signer by its Common Name
if not "_!IDENTITY!_"=="__" if not "_!IDENTITY!_"=="_::_" (
	rem // split the identity string
	for %%S in ("!IDENTITY::=" "!") do (
		rem // remove leading and ending quotes and evaluate item
		set ITEM=###%%S###
		set ITEM=!ITEM:"###=!
		set ITEM=!ITEM:###"=!
		if not "_!ITEM!_"=="__" set ITEM=!ITEM:###=!
		if not "_!ITEM!_"=="__" (
			if not exist "!ITEM!" set ITEM=!KEYCHAIN_PATH!\!ITEM!
			if exist "!ITEM!" "!TOOLCHAIN_PATH!\openssl.exe" x509 -in "!ITEM!" -inform der -noout -subject -nameopt multiline 2>nul | findstr " commonName " >> "!TEMPDIR!\cert-CommonName.txt"
			if exist "!ITEM!" "!TOOLCHAIN_PATH!\openssl.exe" x509 -in "!ITEM!" -inform der -noout -subject -nameopt multiline 2>nul | findstr " organizationalUnit " >> "!TEMPDIR!\cert-OrganizationalUnit.txt"
		)
	)
	if exist "!TEMPDIR!\cert-CommonName.txt" (
		rem // read the output (i.e. the contents of the temporary file) into the variable
		set SIGNER=&set /p SIGNER=< "!TEMPDIR!\cert-CommonName.txt"
		rem // if a signer was retrieved, read what's after the " = " separator
		if not "_!SIGNER!_"=="__" (
			for /f "tokens=2 delims=^=" %%a in ("!SIGNER!") do set SIGNER=%%a
			set SIGNER=!SIGNER:~1!
		) else echo WARNING: unable to identify signer. Is your identity string correct?
	)
	if exist "!TEMPDIR!\cert-OrganizationalUnit.txt" (
		rem // read the output (i.e. the contents of the temporary file) into the variable
		set TEAMID=&set /p TEAMID=< "!TEMPDIR!\cert-OrganizationalUnit.txt"
		rem // if a team ID was retrieved, read what's after the " = " separator
		if not "_!TEAMID!_"=="__" (
			for /f "tokens=2 delims=^=" %%a in ("!TEAMID!") do set TEAMID=%%a
			set TEAMID=!TEAMID:~1!
		) else echo WARNING: unable to identify team ID. Is your identity string correct?
	)
)
%

Ain't it fun to hack in the scripting language of Mordor ^^

I realized that the fix works when the signing identity only contains one certificate (i.e: "developer.cer:private.key:passphrase"). When multiple certificates are given (i.e. an explicit trust chain, such as: "root.cer:intermediate.cer:final.cer:final_private.key:passphrase" -- this is a very special case) it won't work anymore. I have to think a bit more about it.

For 99.9% of the users however I believe, the fix will totally work. No worries.