Unexpected behavior for `codesign` when using `sudo su`
Behavior: I was recently having issues with `errSecInternalComponent` during `codesign` when using `sudo su`, but NOT when logged into the non-administrator account. This appears to be due to the intermediate certificate not being in the admin user's keychain.

Workaround: Add the intermediate certificate (in my case the Apple Worldwide Developer Relations Certification Authority (G3), available here) to the keychain of the admin user who is running `sudo su`.

Why this is unexpected: `security find-identity -p codesigning` indicates the identity is valid, but `codesign` fails with `Warning: unable to build chain to self-signed root for signer` and `errSecInternalComponent`. This behavior also seems to imply that while using `codesign` under `sudo su`, we are using the switched user (myuser)'s keychain for the signing identity, but the admin user's keychain for intermediate certificates.

Setup:
- Admin user (referred to as admin)
- Regular user (referred to as myuser)
- For testing purposes do `cp /usr/bin/true /Users/myuser/MyTrue`

Steps to reproduce:

1. Log in to the computer via the macOS GUI as myuser.
2. Install the developer certificate and intermediates as myuser, such that myuser's keychain has the development certificate and the Apple WWDR certificate.
3. Verify that the development certificate is valid and can codesign:

```
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
  Matching identities
  1) <REDACTED> "Apple Development: My User (<REDACTED>)"
     1 identity found

  Valid identities only
  1) <REDACTED> "Apple Development: My User (<REDACTED>)"
     1 valid identity found
```

4. Verify that signing works:

```
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
```

5. Log in to the computer via the macOS GUI as admin.
6. As admin, verify that your login keychain does NOT contain the Apple Development identity or any intermediate WWDR certificates (delete them if present).
7. Use `sudo su myuser` to switch to myuser while in the admin GUI account:

```
admin@mymachine % sudo su myuser
myuser@mymachine %
```

8. Verify that the development certificate is valid and can codesign after switching:

```
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
  Matching identities
  1) <REDACTED> "Apple Development: My User (<REDACTED>)"
     1 identity found

  Valid identities only
  1) <REDACTED> "Apple Development: My User (<REDACTED>)"
     1 valid identity found
```

9. Verify that codesigning fails:

```
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
Warning: unable to build chain to self-signed root for signer: <REDACTED> "Apple Development: My User"
/Users/myuser/MyTrue: errSecInternalComponent
```

10. Verify that after installing the WWDR G3 intermediate in the admin user's keychain, signing works as expected:

```
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
```
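The following is an added example, not part of the original post: a small preflight script for running `codesign` under `sudo su`. It prints which keychains the current process will actually search, checks whether the WWDR intermediate is visible in that search list, and classifies `codesign`'s output so the "identity valid but chain cannot be built" case is told apart from other failures. It assumes the macOS `security` and `codesign` tools are on PATH, that the intermediate is identified by the common name "Apple Worldwide Developer Relations Certification Authority", and that the identity name "Apple Development" from the post is used; the function and variable names are the example's own.

```shell
#!/bin/bash
# Added example (not the original poster's code): preflight for codesign under `sudo su`.
# Assumes macOS `security`/`codesign` on PATH; the WWDR common name below is an assumption
# about how the intermediate is labelled in the keychain.

WWDR_CN="Apple Worldwide Developer Relations Certification Authority"

# Classify captured codesign output (stdout+stderr). Prints one of:
#   chain - signer found but no chain to a root could be built; this is the post's symptom,
#           i.e. the intermediate is missing from the keychain codesign is actually consulting
#   ok    - signing succeeded (codesign is silent on a first sign, or reports a re-sign)
#   other - any other failure
classify_codesign_output() {
  out="$1"
  if printf '%s\n' "$out" | grep -q 'unable to build chain to self-signed root' \
     && printf '%s\n' "$out" | grep -q 'errSecInternalComponent'; then
    echo chain
  elif [ -z "$out" ] || printf '%s\n' "$out" | grep -q 'replacing existing signature'; then
    echo ok
  else
    echo other
  fi
}

# Show who we are and which user keychains this process searches. Under `sudo su` the
# identity comes from the switched user's login keychain, but the intermediate may still be
# resolved through the GUI login user's keychain, which is why both should be inspected.
show_search_list() {
  echo "effective user: $(id -un)  HOME=$HOME"
  security list-keychains -d user
}

# Return 0 if the WWDR intermediate is found in the current keychain search list.
wwdr_present() {
  security find-certificate -c "$WWDR_CN" >/dev/null 2>&1
}

# Sign a file, capture everything codesign says, and report a verdict.
preflight_sign() {
  target="$1"
  identity="${2:-Apple Development}"
  out=$(codesign -s "$identity" -f "$target" 2>&1)
  case "$(classify_codesign_output "$out")" in
    chain) echo "chain build failed for '$identity'; install '$WWDR_CN' in the GUI login user's keychain as well" ;;
    ok)    echo "signed $target" ;;
    *)     echo "codesign failed:"; printf '%s\n' "$out" ;;
  esac
}

# Usage: ./preflight.sh /Users/myuser/MyTrue ["Apple Development"]
if [ "$#" -ge 1 ]; then
  show_search_list
  if wwdr_present; then
    echo "WWDR intermediate: present in current search list"
  else
    echo "WWDR intermediate: NOT found in current search list"
  fi
  preflight_sign "$@"
fi
```

Run it once from the myuser GUI session and once after `sudo su myuser` from the admin session; the two `security list-keychains` listings and the two verdicts make the keychain split the post describes visible without guessing.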
Sep ’23