security find-identity -v -p codesigning 0 valid identities found

I am trying to resign a package using a script from Docebo.

But I got an error when running the script: error: The specified item could not be found in the keychain.

So I ran security find-identity and I got a 0 Valid identity message.

But I can see these certificates installed in my keychain and downloaded a brand new mobile provisioning profile.

No dice...

Any ideas?

I am trying to resign a package …

Are you referring to an installer package (.pkg)?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

I'm [resigning] an .ipa file for our mobile app using their resign script.

Just to be clear, this isn’t a process that DTS supports. If you’re building an app and you want someone else to distribute it, our recommendation is that you give them an Xcode archive. They can then load that into the Xcode organiser and Xcode will take care of re-signing it.

I realise that you’re not able to follow that guidance because you’re on the receiving end of this process. However, I want to be clear about our recommendation because that sets a limit on how much I can help you here.

So, anyway, I can at least help you with setting up your code-signing identity. To sign an iOS app for distribution, you need an Apple Distribution signing identity. If you launch Keychain Access and search for Apple Distribution, do you see anything?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes! I see my Apple Distribution Certificate Expires: Friday, October 3, 2025

If you launch Keychain Access and search for Apple Distribution, do you see anything?

OK. That suggests that you have the certificate but not the private key. To confirm that:

  1. In Keychain Access, choose Certificates at the top.

  2. Find your certificate there.

  3. Now switch to My Certificates.

  4. Is it still there?

To sign code you need a code-signing identity, that is, a code-signing certificate and the private key that matches the public key in that certificate. If you only have the certificate, you can’t sign because you’re missing the private key.

It’s very common for folks to lose their private key. For some backstory on that, see Certificate Signing Requests Explained.

Fortunately, for Apple Distribution that’s easy to fix: Just generate a new distribution certificate.

IMPORTANT This fix makes sense for most, but not all, certificate types. One that can cause real problems is the Developer ID signing identities used for directly distributed macOS products. If you do end up working on the Mac, see The Care and Feeding of Developer ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

But I have the certificate signing request still; can I just, like, put it back? Or would you still recommend redoing the distribution certificate?

But I have the certificate signing request still; can I just, like, put it back?

No. Quoting Certificate Signing Requests Explained:

[Generating a CSR creates] a public / private key pair in your keychain [and the] .certSigningRequest file (CSR) … contains a copy of the public key.

So, the CSR only contains the public key, which doesn’t help you [1]. You need to find the corresponding private key, which only ever existed in your keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you wanted the public key, you could get that directly from the certificate.

Okay, so I found the original key; it's a .p8 file on my computer.

It was signed by an account from someone who has since left our organization.

Is there any guidance on what to do? Can I use this key?

I really appreciate your patience with me.

I managed to get this app on both the Apple and Google Play stores without a true developer, just me, a nonprofit employee with grit and perseverance. I've also managed to update this app on my own previously. But something went awry this time.

Hmmm, it’s possible that they might have exported the key as a .p8 file, but that’s relatively unusual. A more common practice is to combine it with the certificate to form a digital identity and then export that as a PKCS#12 file (.p12 or, if you’re feeling old school, .pfx).

I suspect that .p8 file is some other Apple related key.

It is possible to dump this key to see if it’s the right one but I’m not sure if it’s worth it. My understanding is that your ultimate goal is to publish an app to the App Store. If so, you don’t need to recover that Apple Distribution certificate. Rather, you can create a replacement using the Developer website. That process requires you to submit a CSR, creating which generates a new private key in your local keychain. When you download the new certificate, it and the private key form the identity you need for signing.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
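
The replies above turn on two points: a CSR and a certificate carry only the public key, and a stray private key file is useful only if its public half matches the certificate. The following script is an added example, not part of the original thread, showing one way to run that comparison with the `openssl` command-line tool. The file names, the `/CN=Constructed Example` subject, the EC key type and the function names are assumptions made for the demonstration; every key and certificate is generated on the spot.

```shell
#!/bin/sh
# Added example. Compares public keys to tell whether a private key file
# belongs to a certificate. All keys and certificates here are constructed.

# stdin: PEM public key -> stdout: SHA-256 of its DER encoding.
# Fails on empty input so two unreadable files never compare as equal.
pubkey_digest() {
    pem=$(cat)
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -pubout -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

cert_digest() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null | pubkey_digest; }
csr_digest()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null | pubkey_digest; }
key_digest()  { openssl pkey -in "$1" -pubout        2>/dev/null | pubkey_digest; }

# Succeeds only when the private key in $1 pairs with the certificate in $2.
key_matches_cert() {
    k=$(key_digest "$1") && c=$(cert_digest "$2") && [ "$k" = "$c" ]
}

# Build constructed test material in a temp directory and print its path.
make_demo() {
    d=$(mktemp -d) || return 1
    for n in signing other; do
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
            -out "$d/$n.p8" 2>/dev/null || return 1
    done
    openssl req -new -key "$d/signing.p8" -subj "/CN=Constructed Example" \
        -out "$d/request.csr" 2>/dev/null || return 1
    openssl req -new -x509 -key "$d/signing.p8" -subj "/CN=Constructed Example" \
        -days 1 -out "$d/cert.pem" 2>/dev/null || return 1
    echo "$d"
}

demo=$(make_demo) || { echo "openssl failed" >&2; exit 1; }
for f in signing.p8 other.p8; do
    if key_matches_cert "$demo/$f" "$demo/cert.pem"; then
        echo "$f: matches certificate (together they form an identity)"
    else
        echo "$f: does not match certificate"
    fi
done
# The CSR carries the same public key as the certificate, and no private key.
[ "$(csr_digest "$demo/request.csr")" = "$(cert_digest "$demo/cert.pem")" ] &&
    echo "request.csr: same public key as certificate"
rm -rf "$demo"
```

A certificate downloaded as a `.cer` file is DER-encoded, so convert it to PEM or pass `-inform DER` to `openssl x509` before comparing.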
