Certificate not trusted

I just upgraded to macOS 12.5, installed Xcode 13.4.1, built a .DMG installation file for my app (using Qt Creator), and proceeded to use my Apple Developer status for the first time (ta-da!) to acquire a Developer ID Installer certificate.

That certificate is now visible in Keychain Access. However, it is noted as 'certificate is not trusted'. I did read that old intermediary certificates could be the cause of this but I also read that new versions of Xcode automatically update those intermediary certificates.

Questions:

(1) How do I check that the necessary intermediate certificates are OK?

(2) Am I missing some action I need to do in Xcode? So far I did nothing but launch Xcode and close it again.

(3) Given that I will get my certificate trusted at some point, what are the steps I should go through (in Xcode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer? I have found it impossible to find instructions for this straightforward task. -- I am not going to use the App Store.

Replies

However, it is noted as 'certificate is not trusted'.

There are two common causes for this, as described in this post.

Modern versions of Xcode should install the relevant intermediate certificates on first launch. If you find that this problem was caused by a missing intermediate, please file a bug against Xcode with the details.

Given that I will get my certificate trusted at some point, what are the steps I should go through (in Xcode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer?

Xcode is unable to build and sign disk images. You have to do that in Terminal [1]. For instructions, see Packaging Mac Software for Distribution.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or use one of the various third-party products that support this.

Step 1. I checked the Intermediate Certificate and it was outdated (expiring in 2023). I installed three new ones all expiring in 2030, but my certificate was still untrusted:

I also tried adding the one expiring in 2036 but that changed nothing in the following.

Step 2. I evaluated my certificate choosing 'Generic' and was told it had no root:

Step 3. I evaluated my certificate again, now choosing 'Code signing'. I found two certificates above mine. They were all reported valid but had the status 'Invalid Extended Key Usage':

Step 4. I followed the key chain as you suggested and found that all three certificates had the right trust settings:

Step 5. What should I do?

Doing a Code Signing trust evaluation as per step 3 is not correct. A Developer ID Installer signing identity is used to sign installer packages. It can’t be used to sign code or disk images. For that you need a Developer ID Application signing identity.

Coming back to your original post, you wrote:

Given that I will get my certificate trusted at some point, what are the steps I should go through (in Xcode or in Terminal) to codesign my .DMG file, so that it will install without warnings on another Mac computer?

Are you trying to sign your disk image with your Developer ID Installer identity? That won’t work. Consider:

% codesign -s "Developer ID Installer" "Test.dmg"
Developer ID Installer: Quinn Quinn (SKMME9E2Y8): this identity cannot be used for signing code

Unless you have an installer package in the mix, I don’t think you need to fix this problem (-:

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • Thanks for clearing up the difference between the Developer ID Application and Developer ID Installer identities. I will pursue that, once I am back at my Mac machine. With any luck, when I get a Developer ID Application identity it will be trusted.

  • I went to Keychain Access and deleted my Developer ID Installer certificate. Then I generated a Developer ID Application certificate.

    Now, I control-click my new certificate and choose Evaluate:

    Generic button -> Certificate not trusted, Evaluation Status: No root certificate found, Certificate status: Good. Code Signing button -> This certificate is valid.

    Does this mean that my certificate is valid for codesigning? Despite the "certificate not trusted"?

  • I tried % codesign -s "Developer ID Application" my.dmg but got the error message: "Unable to build chain to self-signed root for signer". It sounds as if the "No root certificate found" status is the (root! :-)) problem. I did go through the certificates in the chain and set them all to “Use System Defaults” and “no value specified”.
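
The rule from Quinn's reply above (installer packages are signed with a Developer ID Installer identity, code and disk images with a Developer ID Application identity), written as a pre-flight check. This is an added example, not part of the original thread. The function names and the sample listing are constructed; the listing follows the layout printed by `security find-identity -v`.

```shell
#!/bin/sh
# Constructed sample of `security find-identity -v -p basic` output.
# Hashes, developer name and team ID are made up for illustration.
SAMPLE_IDENTITIES='  1) 1111111111111111111111111111111111111111 "Developer ID Installer: Example Dev (TEAMID0000)"
  2) 2222222222222222222222222222222222222222 "Developer ID Application: Example Dev (TEAMID0000)"
     2 valid identities found'

# Print the identity type that an artifact of this kind must be signed with.
required_identity_type() {
    case "$1" in
        *.pkg)       echo "Developer ID Installer" ;;    # installer packages
        *.dmg|*.app) echo "Developer ID Application" ;;  # disk images and code
        *)           return 1 ;;
    esac
}

# pick_identity ARTIFACT LISTING
# Print the full name of the first identity in LISTING that may sign ARTIFACT.
# Returns 1 if the keychain holds no identity of the required type.
pick_identity() {
    pi_want=$(required_identity_type "$1") || {
        echo "unsupported artifact type: $1" >&2; return 2; }
    pi_name=$(printf '%s\n' "$2" | awk -v want="$pi_want" '
        # Identity lines look like:  N) <40 hex digits> "<name>"
        $2 ~ /^[0-9A-F]+$/ && length($2) == 40 {
            name = $0
            sub(/^[^"]*"/, "", name)   # drop everything up to the opening quote
            sub(/"[^"]*$/, "", name)   # drop the closing quote and any suffix
            if (index(name, want ": ") == 1) { print name; exit }
        }')
    [ -n "$pi_name" ] || {
        echo "no \"$pi_want\" identity available; required for $1" >&2; return 1; }
    printf '%s\n' "$pi_name"
}

# On a Mac: sh preflight.sh Test.dmg   (the script name is a placeholder)
if [ -n "${1:-}" ] && command -v security >/dev/null 2>&1; then
    pick_identity "$1" "$(security find-identity -v -p basic)"
fi
```

The printed name can be passed to `codesign -s` for a disk image, or to `productsign --sign` for an installer package.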
