Understanding iOS Development certificates

Question

We received the email from Apple: Your iOS Development certificate has been revoked.

There are answers on SO about how to restore your cert (1, 2) but I have some other questions

1. Why did it get revoked? What I did is try to run our app on my iPhone. I'm doing this for the second time - this time on a new MacBook to a new iPhone. Is this the issue that triggered the email?
2. What is the significance of this email? I can still run the app on the same iPhone. Uninstalled it and reinstalled it and it worked fine. Is there really an issue?

Answer 1

Every certificate is just usual pair of private and public key. When you generate a new certificate, actually you save a private key on your machine, and send a part of public key to Apple. Then Apple generates a key by itself, and send you a public key as result (see Diffie–Hellman key exchange).

If you changed a machine and now don't have a private key on your new machine, Xcode is unable to sign your application with your certificate. Because you can only download a public key from the developer portal. So if you used "Automatic manage signing" Xcode took decision to recreate a certificate, because it couldn't find a private key. All this process is same for a Private team, and for iOS developer program. You can export your old certificate with private key from your old machine before you try to sign smth, so you don't need to revoke old certificate.

As for email, Apple just notifies you that your old certificate has been revoked, and it can't be used to sign apps now. Just like it written. It could been revoked because has been expired, or somebody else has revoked it (e.g. it was you). So to keep you informed, Apple sent you such email.

Answer 2

I think what happened is is that when you ran it from a new Macbook you downloaded the new certificate there, and when you did that, Apple revoked your current one and made a new one. We had something like this happen at where I work.

Answer 3

1. Maybe you don't import the Development certificate to your new Macbook. So when you run app to your phone with Xcode, Xcode will detects an issue with a signing identity. From the developer site:

If Xcode detects an issue with a signing identity, it displays an appropriate action in Accounts preferences. If Xcode displays a Create button, the signing identity doesn’t exist in your developer account or on your Mac. If Xcode displays a Reset button, the signing identity is not usable on your Mac—for example, it is missing the private key. If you click the Reset button, Xcode revokes and re-creates the corresponding certificate.

So, maybe Xcode revoke the certificate.

2. Because you have a new certificate on your new Macbook, so you can still run your app. But when you work on your old Macbook, the certificate on your old Macbook has been revoked, Xcode can't compile your app to run on your phone.

Once you create a new certificate you need export it from Xcode-> Preferences->Accounts->YourAppleID->ViewDetails->Right click the certificate->Export.

Then your can import it on a new Macbook without revoke it and create a new one.