'Apple Mac OS Application Signing' vs. 'Developer ID Application: <team>'

Looking at the certificate chains for various binaries (using Apple's APIs or codesign --vvd) shows several patterns for the common names.

I am wondering why some code has the structure

Apple Root CA
Developer ID Certification Authority
Developer ID Application: Google LLC (EQHXZ8M8AV)

while others have the pattern

Apple Root CA
Apple Worldwide Developer Relations Certification Authority
Apple Mac OS Application Signing

Note, the second pattern does not include an organizational name.

Why is there a difference?

Is the second pattern an older pattern and the first (with the organization name) the new pattern?

(There are other certificate patterns like for Apple's binaries and development code I am testing)

Answered by DTS Engineer in 751481022

Why is there a difference?

Your second example is from code signed by the Mac App Store. When the App Store distributes code, it re-signs it using a signing identity that’s controlled by Apple. It uses the same signing identity for all code, which is why there are no developer-specific markers there.

Your first example, OTOH, is code signed by a third-party developer for independent distribution. The signing identity is composed of a private key that’s controlled by the developer and a certificate that’s issued by Apple. Each certificate is tied to a specific private key, so Apple is able to add developer-specific markers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Why is there a difference?

Your second example is from code signed by the Mac App Store. When the App Store distributes code, it re-signs it using a signing identity that’s controlled by Apple. It uses the same signing identity for all code, which is why there are no developer-specific markers there.

Your first example, OTOH, is code signed by a third-party developer for independent distribution. The signing identity is composed of a private key that’s controlled by the developer and a certificate that’s issued by Apple. Each certificate is tied to a specific private key, so Apple is able to add developer-specific markers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

This certificate has been revoked

EQHXZ8M8AV

Does anyone know why this is still showing in my swcutil_show report? Or how to fix the issue, every time I download a Google App it pops back up.

'Apple Mac OS Application Signing' vs. 'Developer ID Application: &lt;team&gt;'
 
 
Q