Validating fails because of account permissions

Question

I've been added as a Team member by Team Admin through the iTunesConnect and I am trying to create an archive and validate it. It fails as title says with a message :

Also, if I try to let the Xcode fix this automatically, I get this error:

The Team Agent created iOS Distribution profile in iTunesConnect and according to the docs, the Team Member indeed can't create certificates :

but that is why the Team Admin created them for me, but still, it looks like my Xcode tries to create certificates, rather than to download and use them (while validating archive). Any ides why is this happening and how to validate an archive and upload the build to the iTunesConnect?

Answer 1

Certs are always paired with private keys. You need the cert/key pair to sign properly.

Since your team agent created the distribution cert, the cert/private key is on their computer's keychain. Even if you were to download the cert, you'd be missing the private key. Your team agent will need to open up Keychain App, export it, send it to you, and then you'll need to import it into your keychain.

At that point, assuming you also have the correct provisioning files downloaded and have the build settings correct, signing should work.

Answer 2

First of all, Xcode is trying to create a cert because it believes there is something wrong with your code signing settings. This can mean several things:

1. You don't have a valid iOS distribution certificate. To check this, go into the Keychain Access app and check that you have a green check mark when you select the certificate from the list on the left.

   .

   If it's not valid, it could have been revoked on the Apple developer site, or it may have expired.

   Also, make sure you have the appropriate provisioning profile and certificate by downloading them from Apple's developer site. The only thing your Team Admin should need to send you is the private key. If the private key doesn't connect to the certificate you got from Apple's developer site, you were given the wrong key.

2. You could have a valid certificate, but be missing the required private key that allows you to sign things with that certificate. This is required to use the certificate to sign things, and will also cause Xcode to try to generate a new cert when submitting. Make sure you can expand the cert to see the private key shown in item 3 in the image below.

3. The project code signing settings are referencing a code signing identity that does not match the certificate and key in your keychain. I recommend that you use the following settings in your project's code signing section.
   For Provisioning Profile, choose "Automatic". For Code Signing Identity, choose "iOS Developer" for the Debug build config, and "iOS Distribution" for the Release build config.

   

I would also recommend you taking a look at Apple's great video on What's New in Code Signing from WWDC that covers the key components of code signing iOS apps.