I want to codesign our development on macOS Monterey, but I get the following error:
% sudo codesign --deep -vvv --timestamp --strict --force --verify --verbose=4 --sign "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)" AAAAA.framework
Warning: unable to build chain to self-signed root for signer "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)"
AAAAA.framework: errSecInternalComponent
In subcomponent: /Users/XXXXX/AAAAA.framework/Versions/Current/Frameworks/BBBBBB.dylib
If I check "Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)" in Keychain Access, it says "This certificate is valid".
Download and install Apple Root Certificates and Apple Intermediate certificates from the following websites. https://www.apple.com/certificateauthority/
If I enter "apple" or "developer id cert" in the search window at the top right of the Keychain Access screen, the same certificate downloaded and installed above but with Keychain "System Roots" will be detected.
Is it correct that the same certificate of "login" and "System Roots" coexist in Keychain? Attempting to delete the "System Roots" certificate results in a deletion error and cannot be deleted. -> An error occurred while deleting "(certificate name)" / UNIX [Operation not permitted] / [OK] button
Why can't I codesign our development? Could you give me some advice? Thank you.
See this post for my general advice on this topic.
TomotakaKaneda wrote:
% sudo codesign …
Do not mix sudo and codesign. Code signing relies heavily on the Security framework and sudo runs the supplied program in a mixed context, where the BSD context is switched and the security context is not. This can cause significant confusion.
% sudo codesign --deep …
Do not sign code with --deep. See --deep Considered Harmful for an explanation as to why that’s a bad idea.
% sudo codesign … --verify … --sign …
Doing a verify and a sign in the same command is a recipe for confusion. If you want to verify and sign, or sign and then verify, run codesign twice.
Is it correct that the same certificate of "login" and "System Roots" coexist in Keychain?
As long as you don’t change trust settings (per the post referenced above), having the same certificate in multiple keychains won’t cause problems.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
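The three points in the answer above (no sudo, no --deep, sign and verify as separate commands), as an added example that is not part of the thread: a POSIX shell script that signs each nested dylib and framework from the inside out and then verifies in a second codesign run. IDENTITY, DRY_RUN and the function names are assumptions, and inside-out signing is the usual replacement for --deep rather than a procedure spelled out in this thread.

```shell
#!/bin/sh
# Added example, not code from the thread. IDENTITY is a placeholder.
# Set DRY_RUN=1 to print the codesign commands instead of running them.
IDENTITY="${IDENTITY:-Developer ID Application: ZZZZZZZZZZ, Inc. (ZZZZZZZZZZ)}"

# Print nested code deepest-first, then the bundle itself. Only dylibs and
# nested frameworks are covered (the layout in the question); other nested
# code types would need adding. find does not follow the Versions/Current
# symlink, so nothing is listed twice. Assumes no tabs or newlines in paths.
nested_code_inside_out() {
    find "$1" -mindepth 1 \( -type f -name '*.dylib' -o -type d -name '*.framework' \) |
        awk -F/ '{ print NF "\t" $0 }' | sort -rn | cut -f2-
    printf '%s\n' "$1"
}

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Sign each item on its own: no --deep, and refuse to run as root or via sudo.
sign_inside_out() {
    if [ "$(id -u)" -eq 0 ] || [ -n "${SUDO_USER:-}" ]; then
        echo "run codesign as the logged-in user, not via sudo" >&2
        return 2
    fi
    sio_items=$(nested_code_inside_out "$1") || return 1
    while IFS= read -r sio_item; do
        run codesign --force --timestamp --sign "$IDENTITY" "$sio_item" </dev/null || return 1
    done <<EOF
$sio_items
EOF
}

# Verification is a separate codesign invocation, run after signing.
verify_signed() {
    run codesign --verify --strict --verbose=4 "$1"
}

# Usage: ./sign.sh AAAAA.framework
if [ "$#" -ge 1 ]; then
    sign_inside_out "$1" && verify_signed "$1"
fi
```

Running it first with DRY_RUN=1 shows the exact order in which items would be signed, which makes it easy to confirm that the subcomponent named in the error is signed before the framework that contains it.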