Xcode 4 restores expired certificates

Number:rdar://9173280 Date Originated:22-Mar-2011 08:29 PM
Status:Duplicate/8972064 Resolved:13-Apr-2011
Product:Developer Tools Product Version:Xcode 4 (4A304a)
Classification:Serious Bug Reproducible:Always
22-Mar-2011 08:29 PM Tom Harrington:

Xcode 4 keeps adding an expired code signing certificate to my keychain. This causes duplicate entries which prevent Xcode from compiling because of the duplicate entry. Deleting the expired certificate is fruitless because Xcode restores it.

Steps to Reproduce:

Please refer to the attached set of screenshots. [OpenRadar readers, screenshots are at http://dl.dropbox.com/u/14191/bug-9173280-screenshots.zip]

When I attempt to do a device build in Xcode, it fails due to a code signing error. The error reads:

"CodeSign Error: Certificate identity 'iPhone Developer: Tom Harrington (VC7282VPMT)' appears more than once in the keychain. The codesign tool requires there be only one."

The above error is illustrated in screenshot "image1-build.jpg".

If I run Keychain access I can see that there are two entries marked as VC7282VPMT, one current and one expired (screenshot image2-keychain-access.jpg).

I can delete the expired entry and it no longer appears (screenshot image3-keychain-access.jpg).

If I quit Xcode and restart it, the expired certificate reappears in Keychain access. If Keychain access is running, it's possible to watch this happen. This takes me from image3-keychain-access.jpg back to image2-keychain-access.jpg, with the expired certificate restored.

If I look in the Xcode organizer I can see duplicate entries (image4-organizer.jpg). But Xcode doesn't indicate which is current and which is expired. I thought maybe I could delete the certificates in the organizer window but they're not selectable.

At the iOS provisioning portal, only the current certificate is shown (image5-portal.jpg).

Expected Results:

Xcode would not restore duplicate, expired certificates to my keychain after I have deleted them.

Actual Results:

Xcode effectively prevents itself from doing device builds by restoring bogus data.


Never had this problem before Xcode 4.

29-Mar-2011 05:18 PM Tom Harrington:
This bug occurs with Xcode 4.0.1 (4A1006) exactly as described previously for Xcode 4.0.


Here's a quick workaround that works and is less hacky: http://tapadoo.com/2012/certificates-magically-re-appearing-in-your-keychain-try-this/

Hack Fix

Came up with this hack fix to help deal with the "Zombie" Certificate issue - http://stackoverflow.com/a/11093263/285694 works for me for now... waiting for a real bug fix.

Same Issue on 4.02 (4A2002a)

When doing a distribution build 'Check Dependencies' phase fails with "CodeSign error: Certificate identity 'XXXXX' appears more than once in the keychain. The codesign tool requires there only be one." Close Xcode, open keychain access delete certificates, re-open Xcode and they re-appear in Xcode Organizer under profiles.

Alternatively: Delete the profile from xcode, remove the certificates from keychain, add the profile back into xcode and two certificates get populated in keychain again.

What worked for us was removing all the expired profiles from Xcode through organizer and removing all the certificates from keychain that had expired as well.

By mattcascone at June 15, 2011, 4:01 a.m. (reply...)

Figured out why this was happening for me...

This was happening for me and I fixed it by going to the Organizer and Removing all old Provisioning profiles from the LIBRARIES section (above DEVICES). That was an area where I missed it. Then it stopped happening. I posted on the Apple dev Forum here: https://devforums.apple.com/message/425569 ... That also fixed my issue with the "The executable was signed with invalid entitlements" error.

By john.jumper at April 29, 2011, 4:29 p.m. (reply...)

Same problem here...

I am having the same problem. Is there any resolution. I am also unable to deploy to my device since I got my new cert because I get the following error:

The executable was signed with invalid entitlements. The entitlements specified in your application’s Code Signing Entitlements file do not match those specified in your provisioning profile. (0xE8008016).

Are these related issues or is this device deployment issue a whole other problem?

By john.jumper at April 29, 2011, 3:02 p.m. (reply...)

Video demo

I added a video demonstration of the process, which is available at http://dl.dropbox.com/u/14191/bug-9173280.m4v

By atomicbird at March 23, 2011, 6:18 p.m. (reply...)

Happens in XCode 3 as well

This happened in XCode 3 for me a few days ago. I exported my certificate and keys from the keychain and deleted. Then I closed XCode and Keychain and re-imported the key and certificate. That fixed it for me.


By bartelmess at March 23, 2011, 2:48 a.m. (reply...)

Thanks but...

Thanks for the suggestion, but, I just tried that and Xcode still put the expired cert back into the keychain. Interestingly it restores BOTH the current one and the expired one, so I don't even need to re-import to get the current one back.

By atomicbird at March 23, 2011, 2:58 a.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!