Back to the iPhone Index
For some reason, getting your iPhone to recognize your Apple Developer Provisioning Certificate is tricky. I think apple has done a lot to make some of the tricky details plain in their excellent videos, which you'll find on the right side of the iPhone Developer Program's Portal Home Page. This is the place where you find the links to create certificates, register devices, create App Ids and where you created your Provisioning Certificate. You probably already watched them, and you were probably dismayed when, after following those instructions meticulously, it still didn't work.

Well, you aren't alone. A lot of people have difficulty. I did and it was very frustrating to figure out what was wrong.

I came up with what I think is a reasonable sequence of events to make sure that it will work for you, assuming you have correctly followed Apple's steps to create your provisioning certificate.

First, be sure your keychain only has one developer identity certificate for you with the same name -- you'll really confuse yourself if there is more than one, because they look identical, but your provisioning certificate is tied to one of them and not the other. If you have two, you may have to try the procedure below with each one of them, to determine which one is valid. Once you figure it out, you should probably delete the other one unless you have a good reason to keep it around.

If you need to delete both of them and create a new certificate signing request, you should quit the keychain assistant program after deleting them and before recreating the new certificate signing request.

OK, so now you have only one "iPhone Developer" identity in your keychain and you've used it to produce your provisioning certificate, which is in a file on your Mac. Now follow these steps:

  1. In XCode, double-click on the Info.plist file, which you'll find in the Resources folder of your project.
    iPhone OS 3.0
    If you used a * in your bundle identifier in the program portal, you must choose a bundle identifier for this app. You cannot use a *. You can use a bundle identifier such as com.yourdomain.${PRODUCT_NAME:identifier} as long as the product name doesn't contain a blank. If your product name has a blank, you can choose whatever string you want for the last component after com.yourdomain (as long as it is just alpahnumerics). For example: com.youdomain.foo

    iPhone OS 2.2.1 and earlier

    Change the bundle identifier to com.yourdomain.${PRODUCT_NAME:identifier} or com.yourdomain.* so that it matches the bundle identifier in your provisioning profile.

  2. In XCode, click on your project's main icon (first in the list on the left).

  3. Now click apple-I to summon the inspector window. Click the Build tab. Scroll down to the "Code Signing" section, and if it isn't already exposed, click on "Code Signing Identity" to expose "Any iPhone OS Device". Now select your "iPhone Developer: Firstname Lastname" certificate name for both the "Code Signing Identity" row and the "Any iPhone OS Device" row. This should correspond to a certificate you have in your keychain access collection. You can find Keychain Access in your Applications-->Utilities folder.

    Also, if you are doing a debug build onto your device, make sure you do not have an Entitlents.plist or any other entitlements plist file in the "Code Signing Entitlements" row. That row should be empty unless you are doing a build for ad-hoc distribtution.

  4. in XCode, click on the triangle next to "Targets" to open it up and then select your application's name therein.

  5. Now click apple-I to summon the inspector window. Click the Build tab. Scroll down to the "Code Signing" section, and if it isn't already exposed, click on "Code Signing Identity" to expose "Any iPhone OS Device". Now select your "iPhone Developer: Firstname Lastname" certificate name for boththe "Code Signing Identity" row and the "Any iPhone OS Device" row.

    Also, if you are doing a debug build onto your device, make sure you do not have an Entitlents.plist or any other entitlements plist file in the "Code Signing Entitlements" row. That row should be empty unless you are doing a build for ad-hoc distribtution.

    Yes, this is exactly the same as step 3, but it is for the Target.

  6. Power down your iPhone by holding down the button on the top, right side of the phone for five seconds. It will ask you to confirm power-down by sliding a switch on the touchscreen.

  7. Perform a "Clean" on your software app and click both checkboxes if they aren't already clicked.
  8. Quit XCode

  9. Turn on your iPhone and let it sync. You turn it on by holding down the same button you used to power it down.

  10. After the phone has synced, start up XCode and select one of the Device build targets (e.g. Device - 2.2 | Debug" and click "Build and Go."

If you still get the dreaded "Your mobile device has encountered an unexpected error (0xE800003A) during the install" it means you may have missed one of the steps in the creation of your provisioning certificate or its installation. Or, here are some other possibilities:

  • Your SDK is not at the same level as your iPhone (e.g. are both 2.2?)

  • You created the certificate signing request on a different mac -- it must be created on the mac where you will install it

  • You have an older version of a provisioning certificate on your iPhone. You can delete the older provisioning certificate on your iPhone by going to the Settings app, tap "General" and scroll down to "Profiles" where you will see all the installed profiles. You can delete the one that is giving you a problem (or both or all of them) and they will also go away from the XCode organizer. Do this with the iPhone connected to your mac, otherwise the provisioning certificates will just get installed again and it will be as though you never deleted them. You can delete them all, see that they are gone in Organizer, and then drag the provisioning certificate you downloaded from apple back into the organizer and it will get installed again when you try to install your app. But, after dragging it into the organizer and before you attempt a build and install, quit Xcode, and when you start it up, be sure to do "Clean" first, before attempting another build and install.

  • Oddly, if you update your provisioning profile via the program portal, download and install it, then delete it, leaving your previous certificate in place, the previous certificate will no longer work, even if it is the only certificate in XCode and on your iPhone. Once XCode or your phone get a clue that a newer certificate is available, the older one can never be used again!

  • The com.yourdomain.${PRODUCT_NAME:identifier} string that you typed in can also be a source of trouble. If you created a specific AppID such as com.foo.myproductname then naturally you'll type that in. But, if you used a * (many people do) for a name like com.foo.* then you don't type in com.foo.*, even though that would seem to make sense. Instead you actually use com.yourdomain.${PRODUCT_NAME:identifier} and XCode will substitute your product identifier for the ${PRODUCT_NAME:identifier} portion of the string. And, don't forget that this string needs to be entered in two different places, exactly the same way.

  • Another common problem is that people have included the number provided by Apple as part of their AppID. Don't include that part -- just the part beginning with "com".

  • Another problem I've run into is that there was an Entitlements.plist mentioned in the "Code Signing Entitlements" row. There should only be a value here when you are producing a build for Ad Hoc distribution. Having a value there could interfere with a non-ad-hoc install.

  • Another common reason that the install fails is that you have not selected the correct certificate in Both places mentioned in the steps above (steps 3 and 5).

  • Finally, I've run across a case where everything was perfect and it still didn't work. The situation arose when I had more than one ADC developer account on the same Mac at the same time (I was working as an agent for someone else). It wasn't appropriate to use my own name and identity for their account. I had developed an App in my own account and when I tried to use it with their identity and provisioning profile I couldn't get past the 0xE800003A error.

    In fact, if you do have two ADC accounts with the same name, neither will work. You'll have to delete one. But, mine were for two different names, so that wasn't the problem in my case.

    I first verified that there was nothing wrong with my certificates by creating a brand new app in XCode (a navigation app). I didn't need to add any code. Just assign it to use the new provisioning profile I had installed. That worked.

    I quit XCode. I found the .xcodeproj bundle for my app and revealed the "Package Contents" in the finder (select "Show Package Contents" in the context menu using Control or Right click.) A bundle is a directory. I found the file called project.pbxproj and opened it in an editor such as TextEdit (I used vi). I searched for all the elements associated with CODE_SIGN_IDENTITY or PROVISIONING_PROFILE and deleted the value in double quotes. I left behind the empty pair of double quotes. There were lots of instances of these -- more than one in the same section of the file.

    Then I restarted XCode and assigned it to use my provisioning profile again and it worked! Thanks to Rama MacIntosh for suggesting that I try a spanking new app as a diagnostic.

Best of luck! If the above helps you, drop me a line and let me know. If it didn't, and you found a different problem, let me know and I'll add it to the above, to help other folks out.

All content copyright Howard Cohen 2009, all rights reserved worlwide.
hoco(at)timefold(dot)com