App Store: Signature check failed

Since my last upload, over 12 months ago, I have done extensive modifications to my app and, now I'm ready to go, the app store is refusing the upload with:
"Signature check failed. All app versions have to be signed with the same key pair."
The error refers to "key pair": I assume it's referring to the manifest ID which I haven't changed, I wonder what the other half of the pair is?
  • No, it’s your developer public/private key which is used to securely sign your app. (Developer key under CIQ compiler settings under Eclipse). Public/private keys are the cornerstone of all computer security (including https and online shopping/banking) and are used so an entity can establish its identity without giving others the ability to impersonate it. It’s how you can verify that https://www.apple.com belongs to Apple without being able to claim that your own website belongs to Apple.

    Compare with a password where telling it to someone gives them the ability to pretend to be you.

    Your key pair consists of a public key that everyone knows (in principle) and was part of the package when you submitted your app initially. It also consists of your private key which is something that only you have and which allows you to sign the app so that it belongs to the public/private key pair. Anyone can verify that a signed file is associated with that key pair simply by checking against the public key. Nobody can sign a file with your key pair unless they have the private key.

    Having a private key is the same as having the complete private/public key pair, but having the public key is not.

    TL;DR anyone can verify that a submitted app version is yours by checking the public key against the previous submission. Only you can say that a new app version is yours, by using your secret private key to sign it.

    When you built and submitted your first app you had to generate a unique developer public/private key pair somehow. That key pair represents your identity as a dev (at least for that app).

    Hopefully you have the original developer key you used when you first uploaded that app. Otherwise you’re not updating it.

    To be Captain Obvious, this is the system that prevents bad people from pretending to be you and maliciously replacing your app with their own app. Without the private dev key, the store cannot distinguish you from those bad people.
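
As an added illustration of the check the reply above describes (example code, not from this thread or the Connect IQ SDK): a store that pins the public key from an app's first upload and rejects a later version signed with a different key pair. `Store`, `Sign` and `Upload` are hypothetical names, and RSA over a SHA-256 digest is a stand-in for whatever scheme the real store uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrSignatureCheck mirrors the store's rejection message quoted in the question.
var ErrSignatureCheck = errors.New("Signature check failed. All app versions have to be signed with the same key pair.")

// Store pins, per app ID, the public key seen on the first upload (a hypothetical model, not Garmin's code).
type Store struct{ pinned map[string]*rsa.PublicKey }

// Sign hashes the package and signs the digest with the developer's private key.
func Sign(priv *rsa.PrivateKey, pkg []byte) ([]byte, error) {
	d := sha256.Sum256(pkg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}

// Upload verifies the signature under the key pinned for this app; the first upload pins the submitted key.
func (s *Store) Upload(appID string, pkg, sig []byte, pub *rsa.PublicKey) error {
	key, seen := s.pinned[appID]
	if !seen {
		key = pub
	}
	d := sha256.Sum256(pkg)
	if rsa.VerifyPKCS1v15(key, crypto.SHA256, d[:], sig) != nil {
		return ErrSignatureCheck // signed by a different key pair, or package altered after signing
	}
	s.pinned[appID] = key
	return nil
}

func main() {
	origKey, _ := rsa.GenerateKey(rand.Reader, 2048) // key pair used for the first upload
	newKey, _ := rsa.GenerateKey(rand.Reader, 2048)  // key pair regenerated on a new machine
	store := &Store{pinned: map[string]*rsa.PublicKey{}}
	v1, v2 := []byte("constructed package v1"), []byte("constructed package v2")
	sig1, _ := Sign(origKey, v1)
	fmt.Println("v1, original key:", store.Upload("app-1", v1, sig1, &origKey.PublicKey))
	sig2, _ := Sign(newKey, v2)
	fmt.Println("v2, new key:     ", store.Upload("app-1", v2, sig2, &newKey.PublicKey))
	sig3, _ := Sign(origKey, v2)
	fmt.Println("v2, original key:", store.Upload("app-1", v2, sig3, &origKey.PublicKey))
}
```

The second upload fails exactly as in the question, and the third succeeds only because the original private key was available to re-sign the new version.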
  • Argh, that will be the problem.
    I migrated from Windows to Mac and started from scratch, using an archive of my app code from my Windows box, but still used my same Garmin login.
    I wonder how I can recover?
    I'll see if I can retrieve my developer key from the W10 box.
    [EDIT]
    Nope, the W10 box died and was trashed 8 months ago.
    I guess I'll have to upload the upgrade as a new app. That's annoying as the existing users won't be alerted about the upgrade.

  • As long as you have the old computer you should be good. Don’t worry, you’re not the first to underestimate the importance of that key. Maybe it’s a deficiency in the docs. It’s been a while since I read that part of the docs, but I don’t remember it emphasizing how important it is not to lose that key. You should have multiple backups.

    But if you don’t have the key you can’t recover, any more than you can impersonate Apple or Garmin...
  • OK, found it on an old backup (PHEW!)
  • I did the exact same thing a couple years ago. Had created a new key when I published a new app without realizing it. Luckily, I too eventually found my original. But now I have two separate keys to keep track of for different apps. I didn't fully realize what that key was the first time around. Glad you found it.