'Apple Mac OS Application Signing' vs. 'Developer ID Application: <team>'

Looking at the certificate chains for various binaries (using Apple's APIs or codesign -vvd) shows several patterns for the common names.

I am wondering why some code has the structure

    Apple Root CA
    Developer ID Certification Authority
    Developer ID Application: Google LLC (EQHXZ8M8AV)

while others have the pattern

    Apple Root CA
    Apple Worldwide Developer Relations Certification Authority
    Apple Mac OS Application Signing

Note that the second pattern does not include an organization name.

Why is there a difference?

Is the second pattern an older pattern and the first (with the organization name) the new pattern?

(There are other certificate patterns as well, such as those for Apple's own binaries and for the development code I am testing.)

Accepted Reply

Why is there a difference?

Your second example is from code signed by the Mac App Store. When the App Store distributes code, it re-signs it using a signing identity that’s controlled by Apple. It uses the same signing identity for all code, which is why there are no developer-specific markers there.

Your first example, OTOH, is code signed by a third-party developer for independent distribution. The signing identity is composed of a private key that’s controlled by the developer and a certificate that’s issued by Apple. Each certificate is tied to a specific private key, so Apple is able to add developer-specific markers.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
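The distinction in the reply above can be checked mechanically from the Authority= lines that codesign -dvv prints. The script below is an added example (not code from the thread or from Apple): it reads codesign output on stdin, walks the chain from leaf to root, and reports "mac-app-store" when the leaf is Apple's shared App Store identity, "developer-id" plus the Team ID when the leaf is a Developer ID certificate, and checks that the intermediate CA matches the pattern. The sample outputs embedded at the bottom are constructed from the chains quoted in the question; the bundle path and timestamp are the ones from this thread.

```shell
#!/bin/sh
# Classify how a Mac binary was signed from the Authority= lines that
# `codesign -dvv` prints (to stderr). Added example, not from the thread or
# from Apple. Real use:
#   codesign -dvv '/Applications/Google Chrome.app' 2>&1 | classify_signer

classify_signer() {
    # codesign lists Authority= leaf first and root last; keep that order.
    chain=$(grep '^Authority=' | sed 's/^Authority=//')
    if [ -z "$chain" ]; then
        echo "no-authority-chain"   # unsigned, ad-hoc signed, or not codesign output
        return 0
    fi
    leaf=$(printf '%s\n' "$chain" | sed -n '1p')
    inter=$(printf '%s\n' "$chain" | sed -n '2p')
    root=$(printf '%s\n' "$chain" | sed -n '$p')

    # Anything that does not chain to Apple's root is outside Apple's PKI entirely.
    if [ "$root" != "Apple Root CA" ]; then
        echo "non-apple-root"
        return 0
    fi

    case "$leaf" in
        "Apple Mac OS Application Signing")
            # Mac App Store: Apple re-signs every app with its own identity, so the
            # leaf carries no developer name or Team ID.
            if [ "$inter" = "Apple Worldwide Developer Relations Certification Authority" ]; then
                echo "mac-app-store"
            else
                echo "mac-app-store-unexpected-intermediate"
            fi ;;
        "Developer ID Application: "*)
            # Independent distribution: the leaf names the developer and ends with
            # the Team ID in parentheses, e.g. "Google LLC (EQHXZ8M8AV)".
            team=$(printf '%s\n' "$leaf" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p')
            if [ "$inter" = "Developer ID Certification Authority" ]; then
                echo "developer-id ${team:-UNKNOWN}"
            else
                echo "developer-id-unexpected-intermediate ${team:-UNKNOWN}"
            fi ;;
        *)
            # Apple's own platform binaries and development-signed builds use other
            # leaf names; the question mentions them but does not list them.
            echo "other: $leaf" ;;
    esac
}

# Constructed sample outputs, modelled on the codesign -dvvv lines in the thread.
SAMPLE_DEVID='Executable=/Applications/Google Chrome.app/Contents/MacOS/Google Chrome
Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 8, 2023 at 8:03:25 PM'

SAMPLE_APPSTORE='Executable=/Applications/Example.app/Contents/MacOS/Example
Authority=Apple Mac OS Application Signing
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA'

SAMPLE_UNSIGNED='/tmp/hello: code object is not signed at all'

demo() {
    printf '%s\n' "$SAMPLE_DEVID"    | classify_signer   # developer-id EQHXZ8M8AV
    printf '%s\n' "$SAMPLE_APPSTORE" | classify_signer   # mac-app-store
    printf '%s\n' "$SAMPLE_UNSIGNED" | classify_signer   # no-authority-chain
}

demo
```

Note that codesign writes its -d output to stderr, hence the 2>&1 in the usage line; and this only parses what codesign already verified, so run `codesign --verify` (or spctl --assess) separately if the question is whether the signature is actually valid rather than which channel produced it.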

Replies

This certificate has been revoked

EQHXZ8M8AV

Does anyone know why this is still showing in my swcutil_show report? Or how to fix the issue, every time I download a Google App it pops back up.

  • Maybe they just got a new certificate for the same Team ID. I just ran

    % codesign -dvvv '/Applications/Google Chrome.app'

    and it shows a timestamp of Sep 8.

    Authority=Developer ID Application: Google LLC (EQHXZ8M8AV)
    Authority=Developer ID Certification Authority
    Authority=Apple Root CA
    Timestamp=Sep 8, 2023 at 8:03:25 PM