Certificate not trusted

Question

Created Aug ’22

Replies 3

Boosts 0

Views 5.6k

Participants 2

I just upgraded to macOS 12.5, installed XCode 13.4.1, built a .DMG installation file for my app (using Qt Creator), and proceeded to use my Apple Developer status for the first time (ta-da!) to acquire a Developer ID Installer certificate.

That certificate is now visible in Keychain Access. However, it is noted as 'certificate is not trusted'. I did read that old intermediary certificates could be the cause of this but I also read that new versions of XCode automatically updates those intermediary certificates.

Questions:

(1) How do I check that the necessary intermediate certificates are OK?

(2) Am I missing some action I need to do in XCode? So far I did nothing but launch XCode and close it again.

(3) Given that I will get my certificate trusted at some point, what are the steps I should go through (in XCode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer? I have found it impossible to find instructions for this straightforward task. -- I am not going to use the App Store.

Boost

Answer 1

DTS Engineer OP

Apple

Aug ’22

However, it is noted as 'certificate is not trusted'.

There are two common causes for this, as described in this post.

Modern versions of Xcode should install the relevant intermediate certificates on first launch. If you find that this problem was caused by a missing intermediate, please file a bug against Xcode with the details.

Given that I will get my certificate trusted at some point, what are the steps I should go through (in XCode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer?

Xcode is unable to build and sign disk images. You have to do that in Terminal [1]. For instructions, see Packaging Mac Software for Distribution.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or use one of the various third-party products that support this.

0

Answer 2

NielsHolst OP

Aug ’22

Step 1. I checked the Intermediate Certificate and it was outdated (expiring in 2023) . I installed three new ones all expiring in 2030, but my certificate was still untrusted:

I also tried adding the one expiring in 2036 but that changed nothing in the following.

Step 2. I evaluated my certificate choosing 'Generic' and was told it had no root:

Step 3. I evaluated my certificate again now choosing 'Code signing' I found two certificates above mine. They were all reported valid but had the status 'Invalid Extended Key Usage':

Step 4. I followed the key chain as you suggested and found that all three certificates had the right trust settings:

Step 5. What should I do?

0

Answer 3

DTS Engineer OP

Apple

Aug ’22

Doing a Code Signing trust evaluation as per step 3 is not correct. A Developer ID Installer signing identity is used to sign installer packages. It can’t be used to sign code or disk images. For that you need a Developer ID Application signing identity.

Coming back to your original post, you wrote:

Given that I will get my certificate trusted at some point, what are the steps I should go through (in XCode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer?

Are you trying to sign your disk image with your Developer ID Installer identity? That won’t work. Consider:

% codesign -s "Developer ID Installer" "Test.dmg"
Developer ID Installer: Quinn Quinn (SKMME9E2Y8): this identity cannot be used for signing code

Unless you have an installer package in the mix, I don’t think you need to fix this problem (-:

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0