Sign with self-signed leaf certificate?

I am working on a small team developing a Mac app whose components need to validate each other's code signature. So I need all developers to be able to build and sign the app, using a self-signed root for now.


Here's what I've done:


1. Created a self-signed root CA "Dev Authority" in Keychain, and trusted it

2. Created a codesigning leaf certificate "Testing 123" off that root

3. Selected the leaf certificate as my Code Signing Identity in Xcode


However, this does not work. Xcode complains before it even prompts for Keychain access:


> Code Signing Error: Signing certificate is invalid. Signing certificate "Testing 123", serial number "B0EE34", is not valid for code signing. It may have been revoked or expired.

This certificate is definitely not revoked or expired. If I use Keychain to "Evaluate" it, it claims Success/Good under the Code Signing policy. I can't figure out what call Xcode is using to get more verbose information about the failure.


What's especially confusing is that I do NOT get the error if I select the "Dev Authority" directly as the Code Signing Identity. Is there something specifically unsupported about self-signed chains in Xcode? Nothing I've found mentions this; they all seem to imply it's possible, but it seems to make Xcode upset :-/


For example, in the Code Signing Guide at https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html:


> If you choose to manage your signing identities manually because you are using a certificate authority other than Apple, you create them using the Certificate Assistant, which is provided as part of the Keychain Access application. You use this tool to create a public/private key pair, add these keys to your keychain, and generate a certificate request that you send to a certificate authority. In response, the certificate authority sends you a signed certificate that, in combination with the private key stored only on your system and known only to you, completes your digital identity. These are essentially the same steps Xcode carries out on your behalf (using Apple as the certificate authority) when it manages your code signing identity.


Or in another collection of tips at https://wincent.com/wiki/Code_signing:

> You can actually follow along by using the Certificate Assistant (out of Keychain Access) - it can act as a simple Certificate Authority. […] Generate a new root certificate (call it R). Give it a meaningful Organization ("O") name. Now generate a new code-signing (leaf) certificate from R (call it A). Give it the *same* exact Organization name as R. You can now sign your code with A.
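
Added example, not part of the original post: the same root-plus-leaf chain built with `openssl` instead of Certificate Assistant, followed by a check of the X.509 properties a code-signing leaf is conventionally expected to carry. The post does not say which property Xcode objects to, so the list of checks is an assumption, as are the Organization value, the file names and the `leaf_noeku` profile.

```bash
#!/usr/bin/env bash
# Added example. "Dev Authority" / "Testing 123" are the names from the post; the
# Organization value, file names and the "leaf_noeku" profile are constructed.
set -eu

build_chain() {   # $1 = output dir, $2 = shared O value, $3 = leaf profile
  dir=$1; org=$2; profile=$3
  cat > "$dir/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = replaced-by-subj
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = critical,codeSigning
[leaf_noeku]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
EOF
  # Self-signed root, then a leaf CSR, then the leaf signed by the root.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ext.cnf" \
    -extensions root -subj "/O=$org/CN=Dev Authority" \
    -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$dir/ext.cnf" \
    -subj "/O=$org/CN=Testing 123" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 30 -extfile "$dir/ext.cnf" -extensions "$profile" \
    -out "$dir/leaf.pem" 2>/dev/null
}

check_leaf() {    # $1 = dir; prints the first failed check, returns 0 if all pass
  dir=$1
  text=$(openssl x509 -in "$dir/leaf.pem" -noout -text)
  openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" >/dev/null 2>&1 \
    || { echo "leaf does not chain to root"; return 1; }
  echo "$text" | grep -q "CA:FALSE" || { echo "leaf is marked as a CA"; return 1; }
  echo "$text" | grep -q "Digital Signature" \
    || { echo "keyUsage lacks digitalSignature"; return 1; }
  echo "$text" | grep -q "Code Signing" \
    || { echo "extendedKeyUsage lacks codeSigning"; return 1; }
  echo "leaf ok"
}

work=$(mktemp -d)
build_chain "$work" "Example Dev Team" leaf
check_leaf "$work"
```

Running `check_leaf` against a certificate exported from Keychain (as PEM, alongside its root) shows whether the leaf made there differs from this one in any of the checked extensions.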