Looking at the certificate chains for various binaries (using Apple's APIs or codesign --vvd) shows several patterns for the common names.
I am wondering why some code has the structure
Apple Root CA
Developer ID Certification Authority
Developer ID Application: Google LLC (EQHXZ8M8AV)
while others have the pattern
Apple Root CA
Apple Worldwide Developer Relations Certification Authority
Apple Mac OS Application Signing
Note, the second pattern does not include an organizational name.
Why is there a difference?
Is the second pattern an older pattern and the first (with the organization name) the new pattern?
(There are other certificate patterns like for Apple's binaries and development code I am testing)
Why is there a difference?
Your second example is from code signed by the Mac App Store. When the App Store distributes code, it re-signs it using a signing identity that’s controlled by Apple. It uses the same signing identity for all code, which is why there are no developer-specific markers there.
Your first example, OTOH, is code signed by a third-party developer for independent distribution. The signing identity is composed of a private key that’s controlled by the developer and a certificate that’s issued by Apple. Each certificate is tied to a specific private key, so Apple is able to add developer-specific markers.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
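The distinction described in the answer can be applied when inventorying binaries. The following is an added example, not part of the original posts: it parses the `Authority=` lines printed by `codesign -d -vv` and labels the chain as Developer ID or Mac App Store. The sample outputs are constructed from the two chains quoted in the question, and the names `authority_chain` and `classify` are hypothetical.

```python
import re

# Constructed samples shaped like `codesign -d -vv` output (leaf listed first).
# The common names are the two chains quoted in the question.
DEVELOPER_ID_SAMPLE = """\
Identifier=com.example.direct
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=EQHXZ8M8AV
"""
APP_STORE_SAMPLE = """\
Identifier=com.example.store
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
"""

DEV_ID_LEAF = re.compile(r"Developer ID Application: (?P<name>.+) \((?P<team>[A-Z0-9]{10})\)")


def authority_chain(codesign_output):
    """Return the Authority= common names, reordered root first."""
    names = [line.split("=", 1)[1].strip()
             for line in codesign_output.splitlines()
             if line.startswith("Authority=")]
    return names[::-1]


def classify(codesign_output):
    """Label a chain by its common names. Triage only: no signature is verified."""
    chain = authority_chain(codesign_output)
    result = {"kind": "other", "developer": None, "team_id": None, "chain": chain}
    if not chain:
        result["kind"] = "no-authority"  # e.g. ad hoc or unsigned code
        return result
    if len(chain) != 3 or chain[0] != "Apple Root CA":
        return result
    _, intermediate, leaf = chain
    match = DEV_ID_LEAF.fullmatch(leaf)
    if intermediate == "Developer ID Certification Authority" and match:
        result.update(kind="developer-id", developer=match["name"], team_id=match["team"])
    elif (intermediate == "Apple Worldwide Developer Relations Certification Authority"
          and leaf == "Apple Mac OS Application Signing"):
        result["kind"] = "mac-app-store"  # Apple re-signed: no developer markers
    return result
```

Common names are display strings, so this labelling is suitable for inventory and triage; it does not establish that the signature itself is valid.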