Command CodeSign fails because of two Apple Worldwide Developer certificates

I have an Apple Development certificate issued by: Apple Worldwide Developer Relations Certification Authority (until February 20, 2030). From time to time the Xcode build fails and I see that my certificate is invalid. In this situation, I see two "Apple Worldwide Developer Relations Certification Authority" certificates. One is valid until 2030 and the other is valid until 2023. When I remove the second one (until 2023), my Apple Development certificate becomes valid and the build goes fine. But after a while CodeSign fails again, and I have to remove the second certificate again to build the application. It seems that the second certificate is auto-downloaded by Xcode. How can I fix it?


Replies

We have the same problem.

Weird. The presence of the older intermediate should not prevent the system from forming a chain of trust via the newer one.

You tagged your thread with Xcode. Does that mean you’re seeing this in Xcode? If so, the next time this happens, just for diagnostic purposes, try signing some code outside of Xcode using the codesign tool. Does that reproduce the problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Codesign tool also fails in this case


Yes, the problem is not with Xcode. The codesign tool also fails. If you look in Keychain, it shows that the Apple Development certificate is not trusted. If I touch something in the keychain, for example add/remove any certificate, it becomes Trusted. Apparently there is something wrong with the macOS 13.0 system.

Apparently there is something wrong with the macOS 13.0 system.

Indeed.

For diagnostic purposes only, create a new user account on that machine and add the Apple Development signing identity [1] and both the WWDR intermediates to that account’s login keychain. Does that have the same problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] You’ll need to export this as a PKCS#12 (.p12) file.

I have the same issue. It survives multiple devices, accounts and OS updates! Fix it!

As for now I use the following workaround. You need to UNTRUST the following certificates:

  • Apple Worldwide Developer Relations Certification Authority (exp. 2023)
  • Developer ID Certification Authority (exp. 2027)

However, it doesn’t work all the time, so I just delete them (Xcode will eventually generate them again) :/

It survives multiple devices, accounts and OS updates

So, to be clear, you ran the test I described in my previous post and the problem persists?

If so, I have some new tests for you to run. While the system is in the broken state, try to sign something with codesign. For example:

% cp /usr/bin/true MyTrue
% codesign -s "Apple Development: UUU" -f -vvv MyTrue
MyTrue: replacing existing signature
MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue]

replacing Apple Development: UUU with the name of your signing identity. Presumably this will fail. What does it print?

Then use Keychain Access to export your signing identity’s certificate to a .cer file and run this command:

% security verify-cert -c "Apple Development- UUU.cer" -p codeSign -vvv

where Apple Development: UUU.cer is the name of the .cer file. What does it print?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo, here you go:

> % codesign -s "Apple Development ***" -f -vvv MyTrue

MyTrue: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Apple Development ***"
MyTrue: errSecInternalComponent

> % security verify-cert -c "Apple Development ***.cer" -p codeSign -vvv

...certificate verification successful.
---
Certificate chain
 0: Apple Development ***
    <cert(0x12301a200) s: Apple Development *** i: Apple Worldwide Developer Relations Certification Authority>
 1: Apple Worldwide Developer Relations Certification Authority
    <cert(0x12301ac00) s: Apple Worldwide Developer Relations Certification Authority i: Apple Root CA>
 2: Apple Root CA
    <cert(0x123016e00) s: Apple Root CA i: Apple Root CA>
---
Certificate chain properties
(
        {
        error = "No error.";
        title = "Apple Development ***";
    },
        {
        title = "Apple Worldwide Developer Relations Certification Authority";
    },
        {
        title = "Apple Root CA";
    }
)
---
Trust evaluation results
{
    TrustEvaluationDate = "2022-12-15 09:30:41 +0000";
    TrustExpirationDate = "2022-12-15 13:35:57 +0000";
    TrustResultDetails =     (
                {
        },
                {
        },
                {
        }
    );
    TrustResultValue = 4;
    TrustRevocationChecked = 1;
}

> % codesign -s "Apple Development ***" -f -vvv MyTrue

MyTrue: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Apple Development ***"
MyTrue: errSecInternalComponent

When I remove duplicated certificates:

> % codesign -s "Apple Development ***" -f -vvv MyTrue

MyTrue: replacing existing signature
MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue]

Same here

codesign -s "Apple Development: UUU" -f -vvv MyTrue

MyTrue: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Apple Development: UUU"
MyTrue: errSecInternalComponent

% security verify-cert -c "Apple Development- UUU.cer" -p codeSign -vvv

...certificate verification successful.
---
Certificate chain
 0: Apple Development: UUU
    <cert(0x13f016400) s: Apple Development: UUU i: Apple Worldwide Developer Relations Certification Authority>
 1: Apple Worldwide Developer Relations Certification Authority
    <cert(0x13f016e00) s: Apple Worldwide Developer Relations Certification Authority i: Apple Root CA>
 2: Apple Root CA
    <cert(0x13f017600) s: Apple Root CA i: Apple Root CA>
---
Certificate chain properties
(
        {
        error = "No error.";
        title = "Apple Development: UUU";
    },
        {
        title = "Apple Worldwide Developer Relations Certification Authority";
    },
        {
        title = "Apple Root CA";
    }
)
---
Trust evaluation results
{
    TrustEvaluationDate = "2022-12-15 17:41:28 +0000";
    TrustResultDetails =     (
                {
        },
                {
        },
                {
        }
    );
    TrustResultValue = 4;
}

After I add/remove any certificate in Keychain it signs normally

MyTrue: replacing existing signature
MyTrue: signed Mach-O universal (x86_64 arm64e) [MyTrue]

This just gets weirder. codesign and security verify-cert use the same system infrastructure to build the chain of trust, so it’s very surprising that the first fails and the second works.

Way back at the beginning Cuddy wrote:

One is valid until 2030 and the other is valid until 2023

I’d like to get a better handle on exactly which certificates are involved here. Unfortunately the output from security verify-cert only includes the Common Name, which is not enough to identify them. Moreover, there are two different intermediates that expire in 2030 )-:

Note For a list of all those intermediates, see the Apple PKI page.

So:

  1. Open Keychain Access.

  2. Find the two WWDR intermediates.

  3. For each one, double click it and look at the Subject Name > Organizational Unit field.

  4. What values do you see?

Also:

  1. Still in Keychain Access.

  2. Find the Apple Development: UUU certificate from the digital identity you’re trying to sign with.

  3. Double click it and look at the Issuer Name > Organizational Unit field.

  4. What value do you see?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
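A script that automates the two Keychain Access look-ups Quinn asks for (Subject OU of each WWDR intermediate, Issuer OU of the signing certificate) and also flags an expired intermediate; this is an added example, not code from the thread or from Apple. It assumes the macOS `security` and `openssl` command-line tools, and `DEV_CN` is a placeholder for your identity's Common Name.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from Apple). Lists every WWDR
# intermediate in the keychains with its Subject OU ("G3" vs "Apple Worldwide
# Developer Relations") and expiry, and shows which OU the Apple Development
# certificate's Issuer names, so you can see whether the stale 2023 intermediate
# is the one your identity actually needs. Assumes `security` and `openssl`.

WWDR_CN="Apple Worldwide Developer Relations Certification Authority"
DEV_CN="Apple Development: UUU"   # placeholder: replace with your identity's CN

# Organizational Unit from the Subject of a PEM certificate file.
subject_ou() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p'; }
# Organizational Unit from the Issuer of a PEM certificate file.
issuer_ou()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p'; }
# Expiry date (notAfter) of a PEM certificate file.
not_after()  { openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'; }
# Succeeds if the certificate is already expired (-checkend 0 = valid right now).
is_expired() { ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; }
# Prints "yes" if the leaf's Issuer OU equals the intermediate's Subject OU.
issuer_matches() { [ "$(issuer_ou "$1")" = "$(subject_ou "$2")" ] && echo yes || echo no; }
# Splits a PEM bundle (several certs in one file) into OUTDIR/cert-N.pem.
split_pem() { awk -v d="$2" '/BEGIN CERTIFICATE/{n++} {print > (d "/cert-" n ".pem")}' "$1"; }

# macOS only: pull the intermediates and the signing cert out of the keychains.
wwdr_report() {
    tmp=$(mktemp -d)
    security find-certificate -a -c "$WWDR_CN" -p > "$tmp/wwdr.pem"
    split_pem "$tmp/wwdr.pem" "$tmp"
    security find-certificate -c "$DEV_CN" -p > "$tmp/dev.pem" 2>/dev/null
    for f in "$tmp"/cert-*.pem; do
        state=valid; is_expired "$f" && state=EXPIRED
        printf 'WWDR intermediate OU=%-38s expires %s  [%s]  issuer-match=%s\n' \
            "$(subject_ou "$f")" "$(not_after "$f")" "$state" "$(issuer_matches "$tmp/dev.pem" "$f")"
    done
    printf 'Signing cert Issuer OU=%s\n' "$(issuer_ou "$tmp/dev.pem")"
    rm -rf "$tmp"
}

# Run the report only where the macOS keychain tool exists.
if command -v security >/dev/null 2>&1; then wwdr_report; fi
```

The intermediate whose line shows issuer-match=yes is the one your identity chains through; an EXPIRED one with issuer-match=no is safe to remove.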

@eskimo, all the info in the Subject Name section of the two WWDR certificates:

Apple Worldwide Developer Relations Certification Authority Expires: Wednesday, 20 February 2030

Common Name Apple Worldwide Developer Relations Certification Authority
Organisational Unit G3
Organisation Apple Inc.
Other Name US

Apple Worldwide Developer Relations Certification Authority Expires: Wednesday, 8 February 2023

Other Name US
Organisation Apple Inc.
Organisational Unit Apple Worldwide Developer Relations
Common Name Apple Worldwide Developer Relations Certification Authority

Also the Issuer Name for Apple Development: UUU:

Common Name Apple Worldwide Developer Relations Certification Authority
Organisational Unit G3
Organisation Apple Inc.
Other Name US

So for the first certificate it's Organisational Unit G3, for the second it's Organisational Unit Apple Worldwide Developer Relations. My developer certificate is based on Organisational Unit G3.

But in my case it's working with these 2 certificates in Keychain. For me codesign fixes itself for a while after any Keychain modification (e.g. I add any newly generated certificate in Keychain). So I don't know how it's connected to the issue.

I have exactly the same info :)

Thanks for the info. I used that to install the right two intermediates and an appropriate Apple Development signing identity on a test machine here in my office. It worked as expected. Given the lack of wider complaints about this issue, I suspect that there’s something specific about your system, or your environment, that’s causing it. However, I’m at a loss as to explain what that might be.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • It is not. As I mentioned, the issue can be reproduced 100% for my Apple account on any Mac or OS version.

  • ... or Xcode started after version 13.0 was released.


Did you find a solution to this problem?

I'm facing a similar issue described here