Dev ID Application - "Certificate is not trusted"

Hi, I created a new "Dev ID Application" certificate, and in my local Keychain, where I created the CSR, it shows as "Certificate is not trusted".

I also see some Push Notification certs created recently have the same warning.

Items tried.

  • WDRCA-G3 expiring 20-Feb 2030 installed on (Login -> Certificate)
  • WDRCA expiring 7-Feb 2023 installed on (Login -> Certificate)

  • Deleted and reinstalled both of the above WDRCA certs
  • Restarted Keychain & Mac several times.
  • The same warning is seen on each of Mac nodes that I have installed the new certs on.

Does anyone know how to resolve this, or have any suggestions on how I can debug this problem?

Answered by brianbur in 712533022

The same warning is seen on each of Mac nodes that I have installed the new certs on.

“Mac nodes”? Do you mean you’ve tried this on multiple Macs and they all have the same problem?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Yes correct. I created the certificate on my local Mac - and then I exported and shared same to 2 Macs and they also show same "Certificate is not trusted".

Try this:

  1. In Keychain Access, select your Developer ID Application certificate, the one that’s listed as “not trusted”.

  2. Choose Keychain Access > Certificate Assistant > Evaluate “Developer ID Application: TTT”.

  3. In Certificate Assistant, select Code Signing and click Continue.

That’ll present a result like this:

What do you see there?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I did cert evaluation for the 2 WDRCA certs also:

#1 - Developer ID Application with Expiry in 2027 (reference the screenshot attached) Evaluation Status : No root certificate found. Certificate Status: Good

#2 - WDRCA Expiring 20-Feb 2030 Evaluation Status : Invalid Extended Key Usage Certificate Status: Invalid Key Usage: Invalid Extended Key Usage

Apple Root CA Expiring 9-Feb 2035 Evaluation Status : Invalid Extended Key Usage Certification Status : Trusted Root

#3 - WDRCA Expiring 7-Feb 2023 Evaluation Status : Invalid Extended Key Usage Certificate Status: Invalid Extended Key Usage

Apple Root CA Expiring 9-Feb 2035 Evaluation Status : Invalid Extended Key Usage Certification Status : Trusted Root

The screen shot you posted confirms that the trust evaluation machinery is unable to build a chain of trust from your leaf to a trusted root. The most likely cause of that is a missing intermediate. Inspect your Developer ID Application certificate, look at the issuer fields, and then download and install the corresponding intermediate from the Apple PKI page.

For example, my current Developer ID Application certificate was issued by:

  • Common Name Developer ID Certification Authority
  • Organisation Unit Apple Certification Authority
  • Organisation Apple Inc.
  • Country or Region US

The Apple PKI page has two Developer ID intermediates:

  • Developer ID - G1 (Expiring 02/01/2027 22:12:15 UTC)
  • Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC)

I downloaded both and found that the first one has subject fields that match the issuer in my certificate, so that’s the one that needs to be installed on my system.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
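
The issuer-to-subject comparison described in the reply above can also be done from Terminal. This is an added example, not part of the original thread: it assumes the `openssl` command-line tool is installed, the function names are made up for illustration, and the file names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: report which downloaded intermediate has a subject that
# matches the issuer of a leaf certificate. Only names are compared; the
# signature is not verified and nothing is installed into any keychain.

# cert_name -issuer|-subject FILE
# Prints the requested name in RFC 2253 form. Tries PEM first, then DER
# (the usual encoding of downloaded .cer files).
cert_name() {
    field=$1
    file=$2
    out=$(openssl x509 -in "$file" -noout "$field" -nameopt RFC2253 2>/dev/null) ||
    out=$(openssl x509 -inform DER -in "$file" -noout "$field" -nameopt RFC2253 2>/dev/null) ||
    return 1
    # Drop the leading "issuer=" / "subject=" label so the two can be compared.
    printf '%s\n' "$out" | sed 's/^[a-z]*= *//'
}

# find_issuer LEAF CANDIDATE...
# Prints every candidate whose subject equals the leaf's issuer.
# Returns 0 if at least one matched, 1 if none did, 2 if LEAF is unreadable.
find_issuer() {
    leaf=$1
    shift
    want=$(cert_name -issuer "$leaf") || { echo "cannot read $leaf" >&2; return 2; }
    found=1
    for cand in "$@"; do
        have=$(cert_name -subject "$cand") || { echo "skipping unreadable $cand" >&2; continue; }
        if [ "$have" = "$want" ]; then
            printf '%s\n' "$cand"
            found=0
        fi
    done
    return $found
}

# Usage (placeholder file names):
#   find_issuer my_developer_id_leaf.cer intermediate_1.cer intermediate_2.cer
```

A return status of 1 means none of the files supplied is the intermediate the leaf needs, so the chain cannot be built from them.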

I downloaded the Developer ID - G2 … and it is now showing as Trusted.

Cool.

My Developer ID certificate was issued by the G1 intermediate, so it’s interesting to know that modern ones are coming from the G2.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I encountered an issue when migrating to another Mac: the assistant didn't transfer the certificates. Here's how I resolved it:

  1. Access Apple Certificate Authority.
  2. Download the following certificates:
  • Developer ID - G1 (Expiring 02/01/2027 22:12:15 UTC)
  • Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC)
  • Apple Inc. Root (if it's not already on your computer)

For other certificates, I followed these steps on my old Mac:

  1. Open the certificate in Keychain Access.
  2. Find the intermediate certificates.
  3. Export and import them to the new Mac.

For Apple certificates, I prefer to download them from the official site as mentioned above.
