I started getting a codesign error after a certificate expired. I have an updated certificate and the expired one has been deleted. But somehow, Xcode sets EXPANDED_CODE_SIGN_IDENTITY with the SHA-1 of the expired certificate. Where does it get this value? I assume it must be cached somewhere because there is no certificate in the keychain with the SHA-1 it is trying to use for code signing. I searched the pbxproj file and did not find it, nor did a recursive grep starting from the project root yield any results.
Here are some details about my configuration:
The project identity is set up in Xcode like this:
When I check the keychain, it finds the correct identity:
$ security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) F1326572E0B71C3C8442805230CB4B33B708A2E2 "iPhone Developer: XXX XXX (C395QGL4DK)"
In the build output I see the environment variable set incorrectly:
export EXPANDED_CODE_SIGN_IDENTITY=9F5616A53464FC5C003847ED620357A7BC72ABB1
I have tried to fix it with the following:
I have now run out of ideas for things to try. There are two other developers I work with, and both of them experienced the same problem initially. However, they are working again after doing some of the same steps that I have tried. We are all using the same certificate, the same provisioning file, and the same project settings. It must be a setting or lingering cache that is on my system, but I have not been able to find it.
If I could find out where Xcode sets this environment variable, I can clean it up and everything should be fine again.
I was having the same issue and for me the answer was fairly simple: I was trying to use a provisioning profile that was tied to the old certificate (my guess is that EXPANDED_CODE_SIGN_IDENTITY is pulled from the profile you are trying to use).
Anyway, after creating a new profile on the dev center tied to the new certificate, this stopped happening.
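Added example, not part of the answers on this page: one way to check whether a provisioning profile was issued for a certificate that is no longer in the keychain. It lists the SHA-1 fingerprints of the certificates embedded in a .mobileprovision file and compares them with the `security find-identity -p codesigning` output and the EXPANDED_CODE_SIGN_IDENTITY value from the build log. The function names and sample bytes are constructed for illustration, and the code assumes the profile's plist payload is stored unencrypted inside the file.

```python
import hashlib
import plistlib
import re

def profile_cert_sha1s(profile_bytes):
    """SHA-1 fingerprints (upper-case hex) of the certificates a profile was issued for."""
    # Assumption: the plist payload sits unencrypted and contiguous inside the
    # CMS-signed file, so it can be sliced out without verifying the signature.
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", max(start, 0))
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    plist = plistlib.loads(profile_bytes[start:end + len(b"</plist>")])
    # Each DeveloperCertificates entry is a DER certificate; its SHA-1 is the
    # same 40-hex-digit value that `security find-identity` prints.
    return [hashlib.sha1(der).hexdigest().upper()
            for der in plist.get("DeveloperCertificates", [])]

def keychain_identities(find_identity_output):
    """Parse `security find-identity -p codesigning` output into {sha1: name}."""
    pat = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"([^"]*)"', re.M)
    return {m.group(1).upper(): m.group(2) for m in pat.finditer(find_identity_output)}

def diagnose(profile_bytes, find_identity_output, expanded_identity):
    """Report where the SHA-1 from the build log (EXPANDED_CODE_SIGN_IDENTITY) is known."""
    in_profile = set(profile_cert_sha1s(profile_bytes))
    in_keychain = set(keychain_identities(find_identity_output))
    wanted = expanded_identity.strip().upper()
    return {
        "signable": sorted(in_profile & in_keychain),
        "profile_certs_missing_from_keychain": sorted(in_profile - in_keychain),
        "build_sha1_in_profile": wanted in in_profile,
        "build_sha1_in_keychain": wanted in in_keychain,
    }

if __name__ == "__main__":
    # Constructed sample data: placeholder bytes stand in for real DER certificates.
    old_cert, new_cert = b"constructed-expired-cert", b"constructed-renewed-cert"
    profile = b"\x30\x82junk" + plistlib.dumps({"DeveloperCertificates": [old_cert]}) + b"sig"
    new_sha1 = hashlib.sha1(new_cert).hexdigest().upper()
    listing = f'Policy: Code Signing\n  Matching identities\n  1) {new_sha1} "iPhone Developer: Example"\n'
    print(diagnose(profile, listing, hashlib.sha1(old_cert).hexdigest()))
```

An empty "signable" list together with a non-empty "profile_certs_missing_from_keychain" list means the profile only names certificates the keychain no longer holds.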
If it helps, I'm using Jenkins to build the app, so all commands run from the console... So I've turned off CODE_SIGNING_ALLOWED and overrode EXPANDED_CODE_SIGN_IDENTITY_NAME and EXPANDED_CODE_SIGN_IDENTITY. For some reason it helped me to build the app with proper identities.
xcodebuild -project my.xcodeproj/ -sdk iphoneos \
CODE_SIGNING_REQUIRED=YES \
CODE_SIGNING_ALLOWED=NO \
CODE_SIGN_IDENTITY="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY_NAME="My Identity" \
EXPANDED_CODE_SIGN_IDENTITY=<CODE_SIGN_IDENTITY>
The last one can be obtained with:
security find-certificate -a -c "My Identity" -Z | grep ^SHA-1 | cut -d " " -f3 | uniq