Can't import Code-signing Public or Private keys

Published 2019-01-25 04:48

Question:

In an attempt to build an iOS project (in XCode), I need to import my colleague's public and private keys for the code signing identity, but I am unable to do so because I get an error in Keychain Access that says "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved"

FULL DETAILS:

I have got two keys from my colleague's computer, exported them from his Keychain as two files:

Roomer Inc.p12 (the private key)

Roomer Inc.pem (the public key)

When he exported these, he left the password blank (Although we also tried with a password of "test" and got the same results).

When I double-click Roomer Inc.p12 (for the private key), it opens in Keychain Access and prompts me to choose the keychain ("login" is selected by default).

I click "Add" and then I am prompted for the password to the keychain (which I leave blank).

Next I always see this message in Keychain Access:

However, despite this message appearing, when I click OK, I see a new private key entry for "Roomer Inc". Note that this entry is a private key in the "login" key chain as I would expect, but has no expiration date (should it?)

Next, for the Roomer Inc.pem file (the public key) I am asked to choose the keychain ("login") and I click Add.

Then, I also get the "An error has occurred. Unable to import an item. / The contents of this item cannot be retrieved" message for the public key as well. In this case however (unlike the private key), I do not see any entry corresponding to what I just added.

So, it appears that the private key entry may or may not be OK (I have no way to verify), and the public key entry for Roomer cannot be installed in the keychain without this error message. Please note that I also tried using the security import command to import the public key:

$ security import Roomer\ Inc.pem -f pkcs12 ~/Library/Keychains/login.keychain

1 key imported.

When I do this, although the command returns "1 key imported" I do not see a public key for "Roomer Inc" in my Keychain Access window (I closed out Keychain Access and re-opened it).

Either way, we have identified that this is our blocker. (The symptom of course is that the XCode project won't build for the AdHoc provisioning profile to be used with TestFlight). I have left off the additional steps regarding the XCode build and TestFlight setup, because we believe the core problem has to do with importing the keys as explained above.

Answer 1:

We figured out our problem, and I am posting my answer here so that others may find it helpful.

The problem is really a UX problem with Keychain Access. Let me back up and give a little context: when you create a distribution certificate with Apple, you create it based on a PRIVATE KEY and App-based permissions.

In Keychain Access, the distribution certificate is listed as a child below the name of the private key that it was created from. Here's the catch: when you use the search box in Keychain Access (in my case we were typing in "Roomer" because that's the name on our distribution certificate), it won't look for a certificate with that name, it will look for a certificate attached to a private key for that name.

So my colleague had created a distribution certificate based on a private key that was named "Jorge Davila" (his name), even though the distribution certificate was named "iPhone Distribution: Roomer Inc."

When he searched for "Roomer" in Keychain Access, the correct one was NOT displayed in the search results because the key this certificate was created from was named "Jorge Davila" not "Roomer". Thus, he was exporting the wrong certificate and didn't realize because there were others (some expired) with that name.

Here's how the correct one looks:

This is a relatively nuanced problem with the UX of Keychain Access and the fact that the search tool doesn't give you the results you expect it to. I am posting this answer in the hope that others may find it useful.
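The following is an added example, not part of the original question or answer, showing how to check a .p12 bundle with openssl before importing it into a keychain. It addresses both points above: the question's uncertainty about whether the exported private key is usable ("I have no way to verify"), and the answer's observation that the label shown in Keychain Access (the key's name, here "Jorge Davila") is not the same thing as the certificate's subject ("iPhone Distribution: Roomer Inc."). The key, certificate, friendly name and password "test" are all constructed locally for the demonstration; nothing is taken from a real Apple distribution identity.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a .p12 before importing it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_test_bundle: builds a throwaway RSA key and self-signed certificate, then
# wraps them in a PKCS#12 bundle. The subject CN mirrors the certificate name
# from the question; the friendly name mirrors the key label from the answer.
# Both are constructed values for this example.
make_test_bundle() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=iPhone Distribution: Roomer Inc./O=Roomer Inc" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
    -name "Jorge Davila" -out "$WORK/bundle.p12" -passout pass:test
}

# p12_has_private_key FILE PASS: succeeds only if the bundle carries a private key
# (a .pem that holds just a certificate or public key would fail this check).
p12_has_private_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# p12_cert_subject FILE PASS: prints the subject of the certificate in the bundle.
# This is the name Xcode matches against the provisioning profile.
p12_cert_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# p12_friendly_name FILE PASS: prints the friendlyName bag attribute, which is
# the label a keychain shows for the item and which may differ from the subject.
p12_friendly_name() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# p12_key_matches_cert FILE PASS: derives the public key from the private key and
# from the certificate and compares their SHA-256 digests; a mismatch means the
# wrong key was exported alongside the certificate.
p12_key_matches_cert() {
  cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | openssl pkey -pubout 2>/dev/null | openssl sha256)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

make_test_bundle
BUNDLE="$WORK/bundle.p12"
if p12_has_private_key "$BUNDLE" test; then echo "private key: present"; else echo "private key: MISSING"; fi
echo "certificate subject: $(p12_cert_subject "$BUNDLE" test)"
echo "keychain label (friendlyName): $(p12_friendly_name "$BUNDLE" test)"
if p12_key_matches_cert "$BUNDLE" test; then echo "key/cert pair: match"; else echo "key/cert pair: MISMATCH"; fi
```

Run against a real export, the two lines to compare are the certificate subject and the friendly name: searching Keychain Access by the subject string will not find an identity whose key label is a different name, so check the subject here and then search the keychain for the label instead.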