The Ruby script "generate_hash" signs IPA again with the same one already used for signing IPA.
But if the certificate & private key are not installed on your MacBook, you will get errors while running generate_hash script.
Here's a clean, step-by-step guide on how to install a certificate and private key (usually in a .p12 or .pem/.key pair format) into the macOS Keychain β so your machine can sign or re-sign apps successfully.
β Goal: Import Code Signing Certificate + Private Key into MacBook Keychain
π Format to Import:
Most commonly:
-
A
.p12(PKCS#12) file β contains both cert + private key -
Alternatively: a
.ceror.crt(certificate) +.key(private key) pair
πΉ Option 1: Using a .p12 file (Recommended)
π§ Steps:
β
Step 1: Get the .p12 file
This may be:
-
Exported from another machineβs Keychain
-
Downloaded from your developer account
-
Sent by someone who signed the original IPA
If they are exporting:
-
Open Keychain Access
-
Right-click on the cert >
Export -
Save as
.p12with a password to protect the private key
β
Step 2: Import the .p12 into your Keychain
Double-click the .p12 file
OR run this in Terminal:
security import /path/to/YourCert.p12 -k ~/Library/Keychains/login.keychain
You'll be prompted to enter the password used during export.
β Step 3: Verify Installation
-
Open Keychain Access
-
Go to the Login keychain > Category: Certificates
-
Search for your certificate name (e.g., "Apple Distribution")
-
β Click the arrow to expand:
-
You should see a private key beneath the certificate
-
If yes β π you're good to go
-
πΉ Option 2: Using .cer/.crt + .key file pair
If you only have a cert and a separate private key:
π§ͺ Convert to .p12 first:
openssl pkcs12 -export \
-in YourCert.cer \
-inkey YourPrivateKey.key \
-out YourCert.p12 \
-name "Custom Cert Name"
Then follow the same import process as above.
β οΈ Common Issues
| Problem | Fix |
|---|---|
| π Private key not visible | You didn't import it, or itβs in a different keychain |
| β "Missing private key" during signing | The private key was not included in .p12
|
| β "Not trusted" cert | Manually set trust level in Keychain Access (right-click > Get Info > Trust) |
π§ Bonus: Set Codesign Identity to Use It
You can test signing with:
codesign -s "Apple Distribution: Your Company" --dryrun YourApp.app
Want a mini script to check if a matching cert + key is installed?