Developer ID Certificate (How to replace damaged certificate?)

How do I replace an Apple Developer ID Certificate that indicates it is not trusted?

When I look at my Certificate Expiring 02-20-2025, I see a valid status displayed. (See annotation #1.)

However, when I look at my Apple Developer ID Certificate renewal, I see the words not trusted. (See annotation #2.)

I downloaded the renewal certificate and double-clicked the downloaded item to place it in my KeyChain. This certificate period is from 01-21-2025 to 01-22-2030.


QUESTIONS

  1. Why does the renewal certificate say "certificate is not trusted"? (Its period is 01-21-2025 to 01-22-2030. Today is 01-27-2025.)
  2. How did the renewal certificate get damaged?
  3. What must I do to get the damaged certificate replaced with a valid one?
Answered by DTS Engineer in 822860022

I suspect that the new certificate relies on a new intermediate and that’s not present on your Mac. I talk about this in detail in Fixing an untrusted code signing certificate.

ps If you’re working with Developer ID signing identities, I recommend that you read through The Care and Feeding of Developer ID.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Have you used VPN? That's a cause of this happening - the fix if that was the cause in your case is to delete it from the keychain and re-add it, or reboot your Mac.

@mungbeans

Thanks for responding.

Have you used VPN? That's a cause of this happening

No, I am not using a Virtual Private Network.

My Mac is rebooted each day.

The problem persists after rebooting: the certificate remains untrusted.

@Quinn

I appreciate your response.

The issue appears to be a missing issuer since I see a red cross. (See annotation #2 in my original post.)

In your post Fixing an untrusted code signing certificate, you write in the section titled "Check for a missing issuer",

If there’s a missing issuer in the chain of trust between your code signing identity’s certificate and a trusted anchor, Keychain Access shows a red cross with the text “… certificate is not trusted”.

So what do I need to do?


QUESTIONS

  1. How do I obtain the missing issuer?

  2. How do I correct the Developer ID Application so its status becomes "This certificate is valid"?

@Quinn

You write that the "most common cause is a missing issuer" for an invalid certificate.

You suggest downloading the Apple Intermediaries that match the following two fields in the invalid certificate's Issuer Name section from the Apple PKI page.

  1. Common Name
  2. Organizational Unit

My invalid certificate shows two names (see annotation #3).

On the Apple PKI page, I see these Apple Intermediate Certificates (see annotation #4).

However, the Common Name and Organizational Unit names do not precisely match the Apple Intermediate Certificates page names.


QUESTIONS

  1. Which Apple Intermediate Certificates do I download and install in KeyChain?
  2. How do I install the intermediary certificates? (Do I double-click the downloaded certificate?)

Usually I just download them all (-: The system is good at finding intermediates that it needs and ignoring any extras.

However, as you’re asking, the one you’re looking for is Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC). If you download that and Quick Look it in the Finder, you’ll see its Subject Name details match the Issuer Name details from your screen shot.

On the installation front, adding it to your login keychain should be fine. The system doesn’t need this intermediate to verify code [1], it only needs it to sign code. And you do that from your user context, which has access to your login keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] When you sign code, codesign embeds the complete certificate chain into the code signature. This has two consequences:

  • The system verifying it has all the certificates it needs to do that verification.

  • The system doing the signing needs the intermediate, which is why you’re getting this error in the first place.
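The "missing issuer" situation in this answer, reproduced offline with a throwaway PKI so the Subject Name / Issuer Name comparison and the chain check can be seen on the command line. This is an added example, not code from the thread or from Apple; it assumes openssl is installed, and every name in it is a constructed placeholder rather than Apple's real certificates.

```shell
#!/bin/sh
# Added example (not from this thread): reproduce the "missing issuer" symptom
# with a throwaway three-tier PKI built by openssl, then apply the same
# Subject Name vs Issuer Name check described for Quick Look above.
# All names here are constructed placeholders, not Apple's real certificates.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA = trusted anchor; intermediate stands in for "Developer ID - G2";
# leaf stands in for the Developer ID Application certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
  -keyout root.key -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA/OU=Example Certification Authority" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out inter.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Developer ID Application: Example Corp (TEAMID)" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
  -out leaf.pem 2>/dev/null

# Issuer of a certificate and Subject of a candidate issuer, in one canonical form.
cert_issuer()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }
cert_subject() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }

# Returns 0 when $2 is the issuer of $1: the Quick Look comparison from the thread.
issuer_matches() { [ "$(cert_issuer "$1")" = "$(cert_subject "$2")" ]; }

# Chain building with only the anchor (what a Mac without the intermediate
# sees) versus with the intermediate supplied as an untrusted helper cert.
verify_without_intermediate() { openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1; }
verify_with_intermediate() {
  openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

echo "leaf issuer:          $(cert_issuer leaf.pem)"
echo "intermediate subject: $(cert_subject inter.pem)"
if verify_without_intermediate; then echo "chain OK without intermediate (unexpected)"
else echo "leaf NOT trusted without intermediate: missing issuer"; fi
if verify_with_intermediate; then echo "leaf valid once the intermediate is available"; fi
```

The same two openssl commands (`x509 -noout -issuer` / `-subject`) work on a real `.cer` exported from Keychain Access, which is the quick way to confirm that the intermediate you downloaded is the one the leaf was issued by.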

@Quinn

OK, following your advice:

the one you’re looking for is Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC). If you download that and Quick Look it in the Finder, you’ll see its Subject Name details match the Issuer Name details from your screen shot.

I downloaded and saw a file named DeveloperIDG2CA.cer (see annotation #5).

In the Finder, I selected DeveloperIDG2CA.cer in the Downloads folder and chose File -> QuickLook (see annotation #6).

The names in DeveloperIDG2CA.cer match the names in my untrusted Developer ID Application. (That's the one with the period from 01-21-2025 to 01-22-2030.)


QUESTIONS

  1. Will adding DeveloperIDG2CA.cer to my login keychain change my untrusted Developer ID Application (from 01-21-2025 to 01-22-2030) to trusted (i.e., become valid)?
  2. How do I add DeveloperIDG2CA.cer to my login keychain?
Written by jbf in 823280022
1. Will adding DeveloperIDG2CA.cer to my login keychain …

I expect so.

Written by jbf in 823280022
2. How do I add DeveloperIDG2CA.cer to my login keychain?

Run Keychain Access, select login on the left, and then drag the .cer file from the Finder to the main list.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
