Skip to Content
Technical Articles

SDK 5.0: Handling Ambiguous Apple Developer Identity

When running the framework signing script distributed with SAP Cloud Platform SDK for iOS, some developers with multiple Apple Developer Team accounts may encounter the issue:

Apple Development Identity is Ambiguous. Multiple Certificates are found in your keychain for identity Apple Development

The brute force solution is to delete the non-essential conflicting Apple Development certificates from your macOS Keychain.  But, if you have distributed apps using the signing certificate and cannot revoke it, or frequently switch accounts, you should not delete the certificate.

In this case, the best solution at this time is to specify the specific certificate which should be used by the ‘codesign’ tool directly.  To do this, open the Keychain Access system app, and select the certificate you should use for signing.

Double-click on it, then scroll to the bottom of the details to grab the SHA-1 fingerprint.

Then in the python script, modify the line (79) where the ‘codesign’ command is called, to take the fingerprint as a string, instead of the script-derived signing identity.

if self.sdk.startswith('macosx'):

    binaryPath = frameworkPath + "/" + framework + ".framework/Versions/A"

    print "Signing binaries on path : " + binaryPath

    codesignCommand = ["codesign", "--timestamp", "--options=runtime", "--verbose=2", "--force", "--sign" , "43 47 20 5E D6 A7 BF 00 00 00 00 00 00 00 00 EB 67 1F 50 C3", binaryPath]

You should be able to build for Mac target, without a script error.

3 Comments
You must be Logged on to comment or reply to a post.
  • Thanks Stan!

    I had downloaded the SDK 5.0, and the Tutorial App ran fine in the iPhone 11 Pro Max simulator and on my iPhone X.  https://developers.sap.com/group.ios-sdk-setup.html

    However, I was getting a generic sigabort (about @rpaths to frameworks) when trying to run the app with the target as “My Mac” with Catalyst. The error didn’t indicate duplicate Apple Developer IDs.

    I had just today upgraded my Apple Developer account to a real paid developer ID, and I had 2 prior “regular” certificates in my keychain. After deleting those 2 older certificates, leaving only my current paid ID certificate, the Tutorial App ran directly in MacOS 10.15.3!

    Also note that I did NOT have to copy the SHA signature into the python script. AND that exporting the signing script from the SDK is NOT available on the SDK menu as it is shown in the 5.0 announcement blog screenshot. https://blogs.sap.com/2020/03/06/cp-sdk-for-ios-5.0-released/

    Great work on the SDK 5.0 and this helpful blog on overcoming the ambiguous Apple IDs!

    I also tweeted a reply to @SAPDevs post here: https://twitter.com/SAPdevs/status/1237544773684092930?s=20

     

     

    • Hi Doug, I’m glad that you’re up and live!

      Yes… I was informed that I was using a copy of the next patch build, which contains the Export Codesigning Script menu item.  It will be public shortly.

      I’ve seen the @rpath error message also, this is coming directly from Xcode, not from the SAP SDK. Typically the message also indicates that there is some sort of signing issue (I’ve seen a number of variants of “Could not load [framework]…found [similarly-named framework], which is incompatible for [reason]”).

      The signing script is designed to work without intervention–the additional step of specifying the SHA-1 or certificate CN is only necessary for disambiguating duplicate certs.  It’s interesting that it did not detect your older certs as duplicates… will track this.

      BR/Stan