Behavior:
I was recently having issues with errSecInternalComponent during codesign when using sudo su, but NOT when logged into the non-administrator account. This appears to be due to the intermediate certificate not being in the admin user's keychain.
Workaround:
Add intermediate certificate (in my case the Apple Worldwide Developer Relations Certification Authority (G3) available here) to the Admin (who is running sudo su) user's keychain.
Why this is unexpected:
security find-identity -p codesigning indicates the identity is valid, but codesign fails with Warning: unable to build chain to self-signed root for signer and errSecInternalComponent. This behavior also seems to imply that while using codesign and sudo su, we are using the switched user (myuser)'s keychain for the signing identity, but the admin user's keychain for intermediate certificates.
Setup:
Admin user (referred to as admin)
Regular user (referred to as myuser)
For testing purposes, run: cp /usr/bin/true /Users/myuser/MyTrue
Steps to reproduce:
- Login to the computer via the Mac OS GUI as myuser
- Install the developer certificate and intermediates as myuser, such that myuser's keychain has the development certificate and the Apple WWDR certificate
- Verify that the development certificate is valid and can codesign
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
- Verify that signing works
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
- Login to the computer via the Mac OS GUI as admin
- As admin, verify that your login keychain does NOT contain the Apple Development identity or any intermediate WWDR certificates (delete them if present).
- Use sudo su myuser to switch to myuser while in the admin GUI account.
admin@mymachine % sudo su myuser
myuser@mymachine %
- Verify that development certificate is valid and can codesign after switching
myuser@mymachine % security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 identity found
Valid identities only
1) <REDACTED> "Apple Development: My User (<REDACTED>)"
1 valid identity found
- Verify that codesigning fails
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
Warning: unable to build chain to self-signed root for signer: <REDACTED> "Apple Development: My User"
/Users/myuser/MyTrue: errSecInternalComponent
- Verify that after installing the WWDR G3 intermediate in the admin user's keychain, signing works as expected.
myuser@mymachine % codesign -s "Apple Development" -f ~/MyTrue
/Users/myuser/MyTrue: replacing existing signature
I call this out in Resolving errSecInternalComponent errors during code signing. My general advice is that you avoid mixing sudo (and su) and code signing. That’s because these Unix-y tools create a mixed execution context; that is, they change the BSD UID/GID values but don’t change the security context [1]. That causes all sorts of weird problems for code, like codesign, that relies on Security framework APIs.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Technote 2083 Daemons and Agents explains these terms. It’s still remarkably accurate given how old it is!
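A preflight script for the situation in this thread, added here as an example; it is not the poster's, Quinn's or Apple's code. It detects the mixed execution context Quinn describes (effective user differs from the user who owns the login session), checks whether the WWDR intermediate is reachable from the current keychain search list, signs a scratch copy of /usr/bin/true the way the reproduction does, and maps codesign's output to a diagnosis. Assumptions: the live checks need macOS security(1) and codesign(1); detecting the session owner via SUDO_USER (which survives a plain `sudo su myuser` because su without -l keeps the environment) or logname(1) is a heuristic; and the file name codesign_preflight.sh is my own.

```shell
#!/bin/sh
# codesign_preflight.sh: added diagnostic for the sudo/su code-signing
# failure discussed above (example code, not from the original post).
# Assumes macOS `security` and `codesign` for the live checks; the pure
# helpers (is_mixed_context, diagnose_codesign_output) run anywhere.

WWDR_CN="Apple Worldwide Developer Relations Certification Authority"

# "Mixed execution context": the effective BSD user ($1) is not the user
# who owns the login session ($2). An empty session user means unknown.
is_mixed_context() {
    [ -n "$2" ] && [ "$1" != "$2" ]
}

# Best-effort name of the session owner (assumption: SUDO_USER survives a
# plain `sudo su myuser`; logname(1) reports the login name, not the uid).
session_user() {
    if [ -n "${SUDO_USER:-}" ]; then
        printf '%s\n' "$SUDO_USER"
    else
        logname 2>/dev/null || true
    fi
}

# Is the WWDR intermediate reachable in the current keychain search list?
has_wwdr_intermediate() {
    security find-certificate -c "$WWDR_CN" >/dev/null 2>&1
}

# Classify codesign's combined stdout/stderr (read from stdin).
# The chain warning is checked first because, as on this page, it is
# printed together with errSecInternalComponent when the intermediate
# is missing; errSecInternalComponent on its own is usually a keychain
# or private-key access problem (locked keychain, SSH or sudo session).
diagnose_codesign_output() {
    out=$(cat)
    case "$out" in
        *"unable to build chain to self-signed root"*) echo missing-intermediate ;;
        *errSecInternalComponent*)                     echo keychain-access ;;
        *"replacing existing signature"*|"")           echo ok ;;
        *)                                             echo unknown ;;
    esac
}

# Sign a scratch copy of /usr/bin/true with the given identity and print
# the diagnosis keyword; never touches a real build product.
sign_scratch_copy() {
    identity="$1"
    tmp=$(mktemp -d) || return 1
    cp /usr/bin/true "$tmp/ScratchTrue"
    result=$(codesign -s "$identity" -f "$tmp/ScratchTrue" 2>&1 | diagnose_codesign_output)
    rm -rf "$tmp"
    printf '%s\n' "$result"
}

main() {
    eff=$(id -un)
    owner=$(session_user)
    if is_mixed_context "$eff" "$owner"; then
        echo "WARNING: running as $eff inside $owner's login session (sudo/su);" >&2
        echo "         trust evaluation may use $owner's keychains, not $eff's" >&2
    fi
    if has_wwdr_intermediate; then
        echo "WWDR intermediate: found in keychain search list"
    else
        echo "WWDR intermediate not found; expect 'unable to build chain' from codesign" >&2
    fi
    echo "scratch signing result: $(sign_scratch_copy "${1:-Apple Development}")"
}

# Run the live checks only where the macOS tools exist.
if command -v codesign >/dev/null 2>&1 && command -v security >/dev/null 2>&1; then
    main "$@"
fi
```

Run it as the user who will sign, both from the GUI login and from inside `sudo su myuser`; a `keychain-access` result without the chain warning points at the keychain (unlock it with `security unlock-keychain`), while `missing-intermediate` points at the session owner's keychain lacking the WWDR certificate, exactly the case in this thread.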