Expo: "No code signing certificates are available to use" — fix
Why EAS / `npx expo run:ios` reports "No code signing certificates are available to use" and the exact steps that resolve it on local builds and CI.
What the error actually means
Xcode (or `xcodebuild`, which Expo shells out to) walked through every identity in the login keychain and couldn't find one that satisfies all three conditions at once: (a) the certificate type matches the build configuration's requested signing identity (Apple Development for debug, Apple Distribution for release/archive), (b) the matching private key is present in the same keychain, and (c) the certificate hasn't expired or been revoked.
The vast majority of the time on a fresh Mac, condition (b) fails: you imported the .cer from Apple Developer but never imported the .p12 (or the .p12 was generated on a machine you no longer have access to).
Fix path A — you have access to the original Mac
- On the original Mac, open Keychain Access → Certificates, find "Apple Distribution: <Your Team>".
- Right-click → Export. Choose `.p12`. Set a password.
- On the build Mac, double-click the `.p12` and enter the password. Confirm the certificate now shows a disclosure triangle with a private key under it.
- Re-run `npx expo run:ios --configuration Release` (or your EAS local build).
Fix path B — you do not have the .p12 anywhere
You'll need to revoke the old certificate and create a fresh one. This is safe — App Store Connect tracks app provenance via the App ID and provisioning profile, not the signing certificate itself.
- Go to https://developer.apple.com/account/resources/certificates → revoke the existing Apple Distribution certificate.
- Generate a new CSR locally: Keychain Access → Keychain Access menu → Certificate Assistant → Request a Certificate from a Certificate Authority. Save to disk.
- Upload the CSR to Apple Developer → create a new Apple Distribution certificate → download the `.cer`.
- Double-click the `.cer` to install. The matching private key is already in your keychain (it was generated alongside the CSR), so the new certificate will be paired correctly.
- Re-download or re-generate the provisioning profile that references this certificate.
Fix path C — let EAS manage it for you
If you're on EAS, the cleanest long-term answer is to stop managing certificates locally:
eas credentialsPick the platform (iOS), the build profile, and choose "Set up a new Distribution Certificate". EAS will generate the certificate, store the private key encrypted in the EAS account, and provision a matching profile. Subsequent `eas build` invocations will sign with that identity even from machines that don't have it locally.
For local `npx expo run:ios --configuration Release` to work after this, run `eas credentials` again and download the .p12 to import locally.
Edge cases I've hit on real engagements
- Two Apple Distribution certificates with the same Team ID — Xcode picks one arbitrarily. Delete the older one in Keychain Access.
- The certificate is present, but in the System keychain instead of login. Drag it to login.
- CI runners with ephemeral keychains (e.g. macOS GitHub Actions) need `security create-keychain` + `security import` + `security set-key-partition-list -S apple-tool:,apple:` before xcodebuild can use the key non-interactively.
- `npx expo prebuild` regenerated the Xcode project and wiped the manual signing config back to automatic — now Xcode is trying to use a wildcard profile that needs Apple Development, not Distribution. Re-set manual signing in `ios/<App>.xcodeproj`.
Verify the fix
security find-identity -v -p codesigningYou should see at least one identity that does not say `(CSSMERR_TP_CERT_REVOKED)` or `(CSSMERR_TP_NOT_TRUSTED)`. If your distribution identity is in that list, Expo will find it.