codesign error : unable to build chain to self-signed root for signer

I want to codesign our development on macOS Monterey, but I get the following error:

% sudo codesign --deep -vvv --timestamp --strict --force --verify --verbose=4 --sign "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)" AAAAA.framework

Warning: unable to build chain to self-signed root for signer "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)"

AAAAA.framework: errSecInternalComponent

In subcomponent: /Users/XXXXX/AAAAA.framework/Versions/Current/Frameworks/BBBBBB.dylib

If I check "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)" in Keychain Access, it says "This certificate is valid".

I downloaded and installed the Apple Root Certificates and Apple Intermediate Certificates from the following website: https://www.apple.com/certificateauthority/

If I enter "apple" or "developer id cert" in the search box at the top right of the Keychain Access window, the same certificate that I downloaded and installed above is also found, but in the "System Roots" keychain.

Is it correct that the same certificate exists in both the "login" and "System Roots" keychains? Attempting to delete the "System Roots" copy results in a deletion error and it cannot be deleted: An error occurred while deleting "(certificate name)" / UNIX [Operation not permitted] / [OK] button.

Why can't I codesign our development? Could you give me some advice? Thank you.

Accepted Reply

See this post for my general advice on this topic.

TomotakaKaneda wrote:

% sudo codesign …

Do not mix sudo and codesign. Code signing relies heavily on the Security framework, and sudo runs the supplied program in a mixed context, where the BSD context is switched and the security context is not. This can cause significant confusion.

% sudo codesign --deep …

Do not sign code with --deep. See --deep Considered Harmful for an explanation as to why that’s a bad idea.

% sudo codesign … --verify … --sign …

Doing a verify and a sign in the same command is a recipe for confusion. If you want to verify and sign, or sign and then verify, run codesign twice.

Is it correct that the same certificate of "login" and "System Roots" coexist in Keychain?

As long as you don’t change trust settings (per the post referenced above), having the same certificate in multiple keychains won’t cause problems.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • I succeeded in codesigning by omitting sudo. The advice on --deep and --verify + --sign was also helpful. Thank you very much.
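The advice above turned into a script, as an added example that is not part of the original thread and not Apple's own tooling: sign nested code before the bundle that contains it (which is what --deep tries to automate), run codesign as the logged-in user rather than under sudo, and verify in a separate invocation. The identity and bundle name are those from the question; the set of file patterns treated as nested code and the helper names are assumptions made for this example, not Apple's definition of what a bundle may contain.

```shell
#!/bin/sh
# Added example: sign a framework bundle "inside out" instead of with --deep,
# without sudo, and verify in a separate codesign invocation.
# The identity and bundle name are the ones from the question; the file
# patterns treated as nested code below are an assumption for this example.

IDENTITY="Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)"

# List nested code inside a bundle, deepest path first, so each item is
# signed before the bundle that contains it. find does not follow symlinks,
# so Versions/Current is skipped and nothing is listed twice.
nested_code_deepest_first() {
    bundle=$1
    find "$bundle" -mindepth 1 \
        \( -name '*.dylib' -o -name '*.framework' -o -name '*.app' -o -name '*.bundle' \) |
        awk '{ print gsub("/", "/"), $0 }' |   # prefix each path with its depth
        sort -k1,1nr -k2 |                      # deepest first, then by name
        cut -d' ' -f2-                          # drop the depth column
}

# Sign one item. No sudo: codesign must run as the user whose login
# keychain holds the private key for IDENTITY.
sign_one() {
    codesign --force --timestamp --sign "$IDENTITY" "$1"
}

# Sign every nested item, then the enclosing bundle last.
sign_inside_out() {
    bundle=$1
    nested_code_deepest_first "$bundle" | while IFS= read -r item; do
        sign_one "$item" || exit 1
    done || return 1
    sign_one "$bundle"
}

# Verification is a second, separate codesign run, never combined with --sign.
verify_bundle() {
    codesign --verify --strict --verbose=4 "$1"
}

# Only sign when given a bundle path and codesign is available (macOS).
if [ "$#" -eq 1 ] && command -v codesign >/dev/null 2>&1; then
    sign_inside_out "$1" && verify_bundle "$1"
fi
```

Run it as `sh sign.sh AAAAA.framework` from the account that owns the login keychain. The find-based listing is a shortcut: a real bundle may also carry helper tools or XPC services under other paths, which would have to be added to the pattern list.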


Replies

I'm having the same issue. What a massive pain this is.

  • As you can see in another reply, we succeeded in codesigning by omitting sudo. Please refer to it.
