Apple Development Certificate not trusted - no root cert found even though they are installed

Code Signing Certificates, Identifiers & Profiles
riotchild OP
Created Sep ’20
Replies 15
Boosts 0
Views 19k
Participants 11
I am trying to codesign an app and receive the following error:

Warning: unable to build chain to self-signed root for signer "Apple Development: John Smith (########)"


The Apple Development certificate I'm using is not trusted, and when I evaluate it, it tells me that there is No Root Certificate found. However, I have the following unexpired certificates on my machine:

  • Apple IST CA 2 - GA

  • Apple Root CA

  • Apple Root Certificate Authority

  • Apple Worldwide Developer Relations CA - G2

  • Apple Worldwide Developer Relations Certificate Authority

Can anyone shed light on why my Apple Development Cert is not trusted / no root cert found when the root certs are installed?

When I evaluate the Apple Root CA it tells me that the cert is valid, but "Root ALSO in System Roots". Is this a problem?

Thanks in advance.





Replies  15
Boosts  0
Views  19k
Participants  11
DTS Engineer OP
Apple
Sep ’20
The most common cause of this is that someone has set custom trust settings on the leaf, the intermediate, or the root. Run Keychain Access, open each of those certificates, and check their trust settings (disclose the Trust section and make sure the “When using this certificate” popup is set to “Use System Defaults” and all the other popups are set to “no value specified”).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
0
riotchild OP
Sep ’20
Thanks Quinn,

This advice prompted me to reinstall my certs and the issue has been fixed.

However, my Apple Development Cert now has the green tick and "Certificate is Valid" - but when I evaluate it (generic) Certificate Status reports "Good", but Evaluation Status reports "No root certificate found".

I am trying to notarise an app with this cert and I am getting the error "The binary is not signed with a valid Developer ID certificate." Even though:

Code Block 
security find-identity -v -p codesigning

returns a valid identity, and I'm guessing the notarise error is due to the missing root cert.








0
riotchild OP
Sep ’20
To clarify, none of the certs had custom trust settings, I fixed the issue by deleting all the apple-related certs and re-downloading them.
0
riotchild OP
Sep ’20
I've checked each certificate and they all have trust settings as “Use System Defaults” for “When using this certificate” and “no value specified” for the other pop-ups.

Evaluation (generic) of my Apple Development Certificate (not expired) returns

  • Evaluation Status: No Root Certificate Found

  • Certificate Status: Good

Evaluation (generic) of my Apple Worldwide Developer Relations Certification Authority (not expired) returns

  • Evaluation Status: No Root Certificate Found

  • Certificate Status: Good



0
riotchild OP
Jan ’21
I solved this issue, well, it turns out there was no issue. I successfully signed and released an app even though the certificate I used to sign it was 'untrusted' and had no root certificate. Neither of these issues prevented the certificate from working as it should.
0
azav OP
Mar ’21
The same thing just happened to me and freshly made dev and distro certs are all not trusted. Even reinstalled the Apple WWDRCA cert and all of my dev and distro certs are "not trusted" with "no root certificate found".

My dec
Common Name: Apple Worldwide Developer Relations Certification Authority
Organizational Name: G3
Organization: Apple Inc.

Does that mean that the root cert needs to be in the keychain? Because it is and it's valid. There are no certs that are expired or certs with custom trust settings in my keychain.



1
azav OP
Mar ’21
Well, it appears that there is another AWWDCRA cert that is required.

One that expires on Feb 7, 2023 and one that expires on Feb 19, 2030.

Copy and paste the following link to see. i.imgur.com/XiicKhc.png

Installing the cert below made my freshly created certs become trusted.

https://developer.apple.com/support/expiration/
1
phirk OP
Jul ’21

I also got hit by this issue, even after re-installing Apple's root certificates.

My workaround is to delete my development certificate from the keychain, download it from the developer web site, and re-install it.

The developer certificate will then be trusted for the remainder of the day.

However, the next morning it is not trusted again!

So I have to apply this workaround every morning... Huh?

What's the proper fix?

1
sseitz OP
Jul ’21

Thank you azav ... solved my problem.

An excerpt from that link:

The current Apple Worldwide Developer Relations Certification Intermediate Certificate (intermediate certificate) is set to expire on February 7, 2023. The renewed certificate will be used to sign new software signing certificates issued after January 28, 2021 for the Apple Developer Programs.

https://developer.apple.com/support/expiration/

There is even a spot on the page to click which simply downloads the new AppleWWDRCAG3.cer file to your Mac for you to double-click (which installs it to Keychain). With the new cert in place (expiring Feb 19, 2030), the Apple Development cert I just created immediately became valid.

1
phirk OP
Nov ’21

Today I even had to re-install the certificate 3 times! (instead of once every day...)

Any fix for this?

(I already have all Apple certificates installed)

1
phirk OP
Jan ’22

Two more colleagues are now suffering from this issue. Any updates?

0
gkacy OP
Jan ’22

I had this exact issue (4 of my dev certificates were shown as untrusted) and the issue was solved by downloading The Worldwide Developer Relations - G3 (Expiring 02/20/2030 00:00:00 UTC) cert from (thanks azav)

https://www.apple.com/certificateauthority/

After clicking on the link, the Cert file gets downloaded. Click on it (which will give you an option to install in the Keychain). Once installed all my certs are shown with green checkmarks. YAY! I can now embark on another journey of signing my electron app... Its good to be equipped with right certs for that journey as I have a feeling it will be an uphill climb...

1
Soonerwolf OP
May ’22

I had this happen to me today. I went into Keychain Access and noticed I had an expired personal developer certificate that was being referenced by our distribution certificate. I also had multiple personal developer certificates that were not expired. All the distribution certificates were showing as "Untrusted" in Keychain.

I deleted the expired personal certificate, then all the distribution certificates came up as "Trusted." I then re-opened Xcode and successfully built an Archive of my current project for distribution on the App Store.

0
Beanman OP
Aug ’22

I have an Apple push services certificate due to expire in 2 days so I created a new one but have the same issue as listed above where the new certificate is not trusted and the root certificate is not found. I have followed and tried many of the steps already listed above, but none have worked. All other certificates in my keychain are shown as valid. I am at a loss now as to what I can try next.

0
sabiland33 OP
Aug ’22

Every time I have this RANDOM issue I open keychain and change Apple Worldwide Developer Relations Certification Authority:

  1. Use system defaults
  2. Save
  3. Back to -> Always trust
0
Apple Development Certificate not trusted - no root cert found even though they are installed
First post date Last post date
 
 
Q