Sign with self-signed leaf certificate?

I am working on a small team developing a Mac app whose components need to validate each other's code signature. So I need all developers to be able to build and sign the app, using a self-signed root for now.


Here's what I've done:


1. Created a self-signed root CA "Dev Authority" in Keychain, and trusted it

2. Created a codesigning leaf certificate "Testing 123" off that root

3. Selected the leaf certificate as my Code Signing Identity in Xcode


However, this does not work. Xcode complains before it even prompts for Keychain access:


> Code Signing Error: Signing certificate is invalid. Signing certificate "Testing 123", serial number "B0EE34", is not valid for code signing. It may have been revoked or expired.

This certificate is definitely not revoked or expired. If I use Keychain to "Evaluate" it, it claims Success/Good under the Code Signing policy. I can't figure out what call Xcode is using to get more verbose information about the failure.


What's especially confusing is that I do NOT get the error if I select the "Dev Authority" directly as the Code Signing Identity. Is there something specifically unsupported about self-signed chains in Xcode? Nothing I've found mentions this; they all seem to imply it's possible, but it seems to make Xcode upset :-/


For example, in the Code Signing Guide at https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html:


> If you choose to manage your signing identities manually because you are using a certificate authority other than Apple, you create them using the Certificate Assistant, which is provided as part of the Keychain Access application. You use this tool to create a public/private key pair, add these keys to your keychain, and generate a certificate request that you send to a certificate authority. In response, the certificate authority sends you a signed certificate that, in combination with the private key stored only on your system and known only to you, completes your digital identity. These are essentially the same steps Xcode carries out on your behalf (using Apple as the certificate authority) when it manages your code signing identity.


Or in another collection of tips at https://wincent.com/wiki/Code_signing:

> You can actually follow along by using the Certificate Assistant (out of Keychain Access) - it can act as a simple Certificate Authority. […] Generate a new root certificate (call it R). Give it a meaningful Organization ("O") name. Now generate a new code-signing (leaf) certificate from R (call it A). Give it the *same* exact Organization name as R. You can now sign your code with A.

It seems you are on the right track but are encountering a specific issue with Xcode's handling of self-signed certificates. Here are some steps to troubleshoot and potentially resolve the problem:

  1. Ensure Certificate Trust Settings: Verify that both the root CA "Dev Authority" and the leaf certificate "Testing 123" are trusted for code signing in Keychain Access.

    • Open Keychain Access.
    • Find "Dev Authority", right-click, and select "Get Info".
    • Go to the "Trust" section and set "Code Signing" to "Always Trust".
    • Do the same for the "Testing 123" certificate.
  2. Verify Key Usage Extensions: Ensure that the leaf certificate has the appropriate key usage extensions for code signing.

    • Open Keychain Access.
    • Find "Testing 123", right-click, and select "Get Info".
    • Check under the "Details" tab to see if it includes "Digital Signature" under "Key Usage" and "Code Signing" under "Extended Key Usage".
  3. Check Certificate Validity Period: Ensure that the certificate is valid for the current date and has not expired.

    • This can be checked in the "Details" tab of the certificate's info in Keychain Access.
  4. Certificate Chain: Ensure that the certificate chain is correctly recognized by macOS.

    • Open Keychain Access.
    • Go to the "System" keychain and make sure both "Dev Authority" and "Testing 123" are present there.
    • Ensure that the "Testing 123" certificate correctly shows "Dev Authority" as its issuer.
  5. Check Organizational Unit (OU): Sometimes, the Organizational Unit (OU) needs to be set in a certain way for Xcode to accept the certificate.

    • Open Keychain Access.
    • Find "Testing 123", right-click, and select "Get Info".
    • Ensure that the "Organizational Unit" field is filled out and matches the "Organizational Unit" of "Dev Authority".
  6. Revocation Checks: Disable online certificate revocation checks temporarily to see if it resolves the issue.

    • Open Terminal and run the following commands:
      defaults write com.apple.security.revocation OCSPStyle NoCheck
      defaults write com.apple.security.revocation CRLStyle NoCheck
    • Note: This is not recommended for production use as it can reduce security.
  7. Xcode Settings: Sometimes, Xcode caches certain settings. Try cleaning the build folder and resetting Xcode's code signing settings.

    • In Xcode, go to "Product" > "Clean Build Folder".
    • In Xcode, go to "Xcode" > "Preferences" > "Accounts" and refresh your developer account.
  8. Manual Signing in Xcode: Double-check the manual signing settings.

    • Go to your project's settings in Xcode.
    • Under the "Signing & Capabilities" tab, ensure "Automatically manage signing" is disabled.
    • Select "Testing 123" as the signing certificate manually.

If the issue persists after these steps, it may be helpful to use the codesign command in the terminal to get more verbose information about the failure:

codesign -vvv -d /path/to/your/app

This should provide detailed output about the code signature and might help identify why Xcode is rejecting the certificate.

If none of these steps resolve the issue, there may be an underlying restriction in Xcode regarding self-signed certificates. In that case, reaching out to Apple Developer Support might provide additional insights.
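The checks in steps 2 to 5 of the answer above (key usage, Code Signing EKU, validity, chain, matching Organization), carried out with OpenSSL instead of Keychain Access, as an added example that is not part of the original thread. The "Example Dev Team" organisation name, the temp-directory layout and the "bad" leaf are constructed for the example; the bad leaf lacks the Code Signing EKU, so the script shows what the check reports for a certificate that is otherwise valid but unusable for codesign.

```shell
# Added example, not from the thread above: rebuilds the "Dev Authority"
# root + "Testing 123" leaf with OpenSSL and runs the checks from steps
# 2-5 (key usage, EKU, validity, chain, matching Organization) from the
# shell. Assumes openssl 1.1+ on PATH; all files go to a temp directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA, self-signed, with explicit CA extensions.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Dev Team/CN=Dev Authority" -keyout root.key -out root.csr 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
  'keyUsage=critical,keyCertSign,cRLSign' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 365 -sha256 \
  -extfile root.ext -out root.pem 2>/dev/null

# Leaf CSR with the same O as the root (the wincent tip quoted in the question).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/O=Example Dev Team/CN=Testing 123" -keyout leaf.key -out leaf.csr 2>/dev/null

# good: the two extensions step 2 tells you to look for.
# bad: same key, but no Code Signing EKU, so codesign cannot use it.
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' \
  'extendedKeyUsage=critical,codeSigning' > good.ext
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=critical,digitalSignature' > bad.ext
for v in good bad; do
  openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 90 -sha256 -extfile "$v.ext" -out "$v.pem" 2>/dev/null
done

# org_of CERT: the Organization (O) of the subject, taken from its RFC 2253 form.
org_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*O=\([^,]*\).*/\1/p'
}

# check_leaf ROOT LEAF: prints "ok", or the name of the first failing check.
check_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo chain; return 1; }
  openssl x509 -in "$2" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
  [ "$(org_of "$1")" = "$(org_of "$2")" ] || { echo org-mismatch; return 1; }
  ext=$(openssl x509 -in "$2" -noout -text)
  case "$ext" in *"Digital Signature"*) ;; *) echo no-digitalSignature; return 1;; esac
  case "$ext" in *"Code Signing"*) ;; *) echo no-codeSigning; return 1;; esac
  echo ok
}

check_leaf root.pem good.pem          # ok
check_leaf root.pem bad.pem || true   # no-codeSigning
```

On a Mac the same two PEM files can be exported from Keychain Access and fed to check_leaf, which gives a reason where the Xcode dialog only says "not valid for code signing".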

