Issues with Notarization and Stapling

Hello, I am trying without luck to create a .dmg or .pkg for my Electron app that can be opened by any user on a Mac. Every time I fail. All is happening by the same pattern. Here is the last try with creating a .pkg instead of .dmg.

  1. The app is built and it is signed correctly (I suppose)
codesign --verify --verbose=1 dist/mac-universal/VIVIDTIME.app
dist/mac-universal/VIVIDTIME.app: valid on disk
dist/mac-universal/VIVIDTIME.app: satisfies its Designated Requirement
  2. I created a .pkg
pkgbuild --root "dist/mac-universal/VIVIDTIME.app" \
  --install-location "/Applications/VIVIDTIME.app" \
  --identifier "app.vividtime.mac" \
  --version "1.1.0" \
  --sign "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" \
  dist/VIVIDTIME.pkg
pkgbuild: Inferring bundle components from contents of dist/mac-universal/VIVIDTIME.app
pkgbuild: Adding component at Contents/Frameworks/Mantle.framework
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper.app
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (GPU).app
pkgbuild: Adding component at Contents/Frameworks/Electron Framework.framework
pkgbuild: Adding component at Contents/Frameworks/Squirrel.framework
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Renderer).app
pkgbuild: Adding component at Contents/Frameworks/VIVIDTIME Helper (Plugin).app
pkgbuild: Adding component at Contents/Frameworks/ReactiveObjC.framework
pkgbuild: Using timestamp authority for signature
pkgbuild: Signing package with identity "Developer ID Installer: Pavel Bochkov-Rastopchin (2QKDCTR5Y3)" from keychain /Users/innrvoice/Library/Keychains/login.keychain-db
pkgbuild: Adding certificate "Developer ID Certification Authority"
pkgbuild: Adding certificate "Apple Root CA"
pkgbuild: Wrote package to dist/VIVIDTIME.pkg
Answered by DTS Engineer in 826500022

Yeah, so that’s not good. It indicates that someone has overridden the default trust settings, which is a known source of problems like this. For example, it commonly causes code signing problems, as explained in Fixing an untrusted code signing certificate.

That post also explains how to clear these trust settings using Keychain Access. I recommend that you do that and then retest.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Ah, so that’s the problem! Consider this snippet of your log:

Downloaded ticket has been stored at file:///var/folders/c3/622zwf656yz6h_v79t4_h8k40000gn/T/f1a6400c-7e79-423d-9638-d20092132813.ticket.
--
Could not validate ticket for /Users/innrvoice/Documents/GitHub/vividtime-macos/app/electron/dist/VIVIDTIME.pkg

The first line indicates that it was able to find a ticket for your installer package. So it’s very likely that the notary service has done its job correctly.

The second line indicates that the ticket isn’t valid. There are two possibilities here:

  • The ticket got corrupted in flight somehow.

  • The client’s trust evaluation of the ticket failed.

The first option is very unlikely, so I'm going to focus on the second.

I’ve seen the second option a number of times. It’s often caused by state tied to your user account. If you move the installer package to a different Mac and try to staple there, does that work?

Note: You don’t have to pull across all your CI infrastructure. stapler doesn’t need your code signing identities and so on. And if you don’t have Xcode installed, it’ll trigger an installation of the (much lighter weight) command-line tools package.

If you don’t have a different Mac, you could try this on a VM. Or, failing that, create a new user account and try it from there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thank you very much again for your help!

It's amazing but seems like it worked on other Mac without problem.

xcrun stapler staple -v "VIVIDTIME.pkg"
Processing: /Users/pbochkov/_repo/VIVIDTIME.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer flat package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package VIVIDTIME.pkg uses a checksum of size 20
JSON Data is {
    records =     (
                {
            recordName = "2/1/e5df4a77845f8a931674280e3b1bfd9e86c6004b";
        }
    );
}
 Headers: {
    "Content-Type" = "application/json";
}
Domain is api.apple-cloudkit.com
Response is  { URL: https://api.apple-cloudkit.com/database/1/com.apple.gk.ticket-delivery/production/public/records/lookup } { Status Code: 200, Headers {
    Connection =     (
        "keep-alive"
    );
    "Content-Encoding" =     (
        gzip
    );
    "Content-Type" =     (
        "application/json; charset=UTF-8"
    );
    Date =     (
        "Thu, 20 Feb 2025 11:19:46 GMT"
    );
    Server =     (
        "AppleHttpServer/d2dcc6a0a5e3"
    );
    "Strict-Transport-Security" =     (
        "max-age=31536000; includeSubDomains;"
    );
    "Transfer-Encoding" =     (
        Identity
    );
    Via =     (
        "xrail:st53p00ic-qujn14040502.me.com:8301:25R54:grp60,631194250daa17e24277dea86cf30319:85af602b9427bc4a739454c6d0449646:defra2"
    );
    "X-Apple-CloudKit-Version" =     (
        "1.0"
    );
    "X-Apple-Edge-Response-Time" =     (
        102
    );
    "X-Apple-Request-UUID" =     (
        "9a1960cd-a860-4097-8df4-07bd660579c8"
    );
    "X-Responding-Instance" =     (
        "ckdatabasews:16307101:st42p63ic-ztfb09163501:8807:2504B309:3da88d485006aaaa330c26d67a64727573f3464a"
    );
    "access-control-expose-headers" =     (
        "X-Apple-Request-UUID,X-Responding-Instance,Via"
    );
    "x-apple-user-partition" =     (
        63
    );
} }
Size of data is 3657
JSON Response is: {
    records =     (
                {
            created =             {
                deviceID = 2;
                timestamp = 1739891042179;
                userRecordName = "_b133e60953755a92966d7ca08d9c731a";
            };
            deleted = 0;
            fields =             {
                signedTicket =                 {
                    type = BYTES;
                    value = "[base64 ticket data omitted]";
                };
            };
            modified =             {
                deviceID = 2;
                timestamp = 1739891042179;
                userRecordName = "_b133e60953755a92966d7ca08d9c731a";
            };
            pluginFields =             {
            };
            recordChangeTag = m7am7c73;
            recordName = "2/1/e5df4a77845f8a931674280e3b1bfd9e86c6004b";
            recordType = DeveloperIDTicket;
        }
    );
}
Downloaded ticket has been stored at file:///var/folders/kv/v02hwc4d37g1zt261w5rc2sc0000gn/T/9a1960cd-a860-4097-8df4-07bd660579c8.ticket.
Attempting to attach a new ticket to VIVIDTIME.pkg. Let's see how that works out.
Cloned /Users/pbochkov/_repo/VIVIDTIME.pkg to /var/folders/kv/v02hwc4d37g1zt261w5rc2sc0000gn/T/TemporaryItems/NSIRD_stapler_CHt7Vf/VIVIDTIME.pkg
We do not know how to deal with trailer version 7351. Exepected 1
Processing: /Users/pbochkov/_repo/VIVIDTIME.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer flat package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Terminator Trailer size must be 0, not 2283
{magic: t8lr, version: 1, type: 2, length: 2283}
Found expected ticket at 210507512 with length of 2283
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package VIVIDTIME.pkg uses a checksum of size 20
The staple and validate action worked!

Now it's bugging me, what is the problem with my other Mac? All I can say is that they are on the same network and that one is M1 and the other is M3. What can cause stapler to always fail on my home M3 MacBook Pro? Can it be related to some installed software or some misconfiguration?

And here is the other check result:

spctl --assess --type install --verbose=4 VIVIDTIME.pkg
VIVIDTIME.pkg: accepted
source=Notarized Developer ID

The other strange thing for me is that when I try to copy the stapled pkg to my home M3 Mac (where stapling is not working) via AirDrop or Telegram, I get strange results:

  1. trying to run this pkg resulting in a window with:

"VIVIDTIME.pkg" Not Opened Apple could not verify "VIVIDTIME.pkg" is free of malware that may harm your Mac or compromise your privacy.

With Done and Move to Trash buttons

  2. checking this copied .pkg is showing something strange:
xcrun stapler validate -v "dist/stapled/VIVIDTIME 2.pkg"

Processing: /Users/innrvoice/Documents/GitHub/vividtime-macos/app/electron/dist/stapled/VIVIDTIME 2.pkg
Properties are {
    NSURLIsDirectoryKey = 0;
    NSURLIsPackageKey = 0;
    NSURLIsSymbolicLinkKey = 0;
    NSURLLocalizedTypeDescriptionKey = "Installer flat package";
    NSURLTypeIdentifierKey = "com.apple.installer-package-archive";
    "_NSURLIsApplicationKey" = 0;
}
Sig Type is RSA. Length is 3
Sig Type is CMS. Length is 3
Package VIVIDTIME 2.pkg uses a checksum of size 20
Terminator Trailer size must be 0, not 2283
{magic: t8lr, version: 1, type: 2, length: 2283}
Found expected ticket at 210507512 with length of 2283

I tried 2 times. Every time I checked on my M1 Mac and it always says "The validate action worked!" now. But after copying via AirDrop or Telegram to my M3 home Mac, I get the results I described above.

I do not understand what is happening and what I am doing wrong. Can you please help with this too?

Written by innrvoice in 825832022
It's amazing but seems like it worked on other Mac without problem.

Cool.

Written by innrvoice in 825832022
Now it's bugging me, what is the problem with my other Mac?

It’s almost certainly some sort of setting, either on the Mac as a whole or in your user account. To tease these apart, create a new user account on the problematic Mac and try stapling from there. If that works, the problem is tied to your user account.

Please try this test and lemme know what you see.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I created 2 new users. One with iCloud and all other settings and one super simple without setting up iCloud and everything. And I get the same Error 65 on both of them. So I guess it's a Mac issue, not account specific.

Interesting.

Note that having an Apple Account associated with your local account shouldn’t be a factor in this.

I’m running short on ideas as to what might be causing this. One possibility is trust settings. If you dump the trust settings, do you see anything out of the ordinary?

Pasted in at the end of this post is an example of what I’d expect to see (this is on macOS 15.2, but these things don’t change a lot). Notably, the user and admin trust settings are empty. There are lots of system trust settings, but that’s normal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"


% security dump-trust-settings 
SecTrustSettingsCopyCertificates: No Trust Settings were found.
% security dump-trust-settings -d
SecTrustSettingsCopyCertificates: No Trust Settings were found.
% security dump-trust-settings -s
Number of trusted certs = 153
Cert 0: Go Daddy Root Certificate Authority - G2
   Number of trust settings : 0
Cert 1: HARICA TLS ECC Root CA 2021
   Number of trust settings : 0
Cert 2: NAVER Global Root Certification Authority
   Number of trust settings : 0
Cert 3: DigiCert TLS ECC P384 Root G5
   Number of trust settings : 0
Cert 4: Sectigo Public Time Stamping Root R46
   Number of trust settings : 0
Cert 5: OISTE WISeKey Global Root GA CA
   Number of trust settings : 0
Cert 6: Trustwave Global ECC P384 Certification Authority
   Number of trust settings : 0
Cert 7: Actalis Authentication Root CA
   Number of trust settings : 0
Cert 8: D-TRUST Root CA 3 2013
   Number of trust settings : 0
Cert 9: Apple Root CA - G2
   Number of trust settings : 0
Cert 10: SSL.com EV Root Certification Authority ECC
   Number of trust settings : 0
Cert 11: GlobalSign
   Number of trust settings : 0
Cert 12: DigiCert SMIME RSA4096 Root G5
   Number of trust settings : 0
Cert 13: Hellenic Academic and Research Institutions RootCA 2015
   Number of trust settings : 0
Cert 14: ePKI Root Certification Authority
   Number of trust settings : 0
Cert 15: AAA Certificate Services
   Number of trust settings : 0
Cert 16: VeriSign Class 3 Public Primary Certification Authority - G5
   Number of trust settings : 0
Cert 17: SSL.com TLS RSA Root CA 2022
   Number of trust settings : 0
Cert 18: Apple Root CA - G3
   Number of trust settings : 0
Cert 19: IdenTrust Public Sector Root CA 1
   Number of trust settings : 0
Cert 20: QuoVadis Root CA 3 G3
   Number of trust settings : 0
Cert 21: ACCVRAIZ1
   Number of trust settings : 0
Cert 22: Buypass Class 3 Root CA
   Number of trust settings : 0
Cert 23: Starfield Services Root Certificate Authority - G2
   Number of trust settings : 0
Cert 24: Atos TrustedRoot Root CA RSA TLS 2021
   Number of trust settings : 0
Cert 25: SSL.com TLS ECC Root CA 2022
   Number of trust settings : 0
Cert 26: TrustCor ECA-1
   Number of trust settings : 0
Cert 27: AffirmTrust Commercial
   Number of trust settings : 0
Cert 28: GlobalSign Root E46
   Number of trust settings : 0
Cert 29: HARICA TLS RSA Root CA 2021
   Number of trust settings : 0
Cert 30: Hongkong Post Root CA 3
   Number of trust settings : 0
Cert 31: Sectigo Public Server Authentication Root E46
   Number of trust settings : 0
Cert 32: Certainly Root R1
   Number of trust settings : 0
Cert 33: QuoVadis Root CA 1 G3
   Number of trust settings : 0
Cert 34: GlobalSign Secure Mail Root E45
   Number of trust settings : 0
Cert 35: Atos TrustedRoot Root CA ECC G2 2020
   Number of trust settings : 0
Cert 36: Network Solutions Certificate Authority
   Number of trust settings : 0
Cert 37: Visa Information Delivery Root CA
   Number of trust settings : 0
Cert 38: ISRG Root X1
   Number of trust settings : 0
Cert 39: XRamp Global Certification Authority
   Number of trust settings : 0
Cert 40: TrustCor RootCert CA-2
   Number of trust settings : 0
Cert 41: Certum EC-384 CA
   Number of trust settings : 0
Cert 42: SSL.com Client RSA Root CA 2022
   Number of trust settings : 0
Cert 43: D-TRUST Root Class 3 CA 2 EV 2009
   Number of trust settings : 0
Cert 44: Sectigo Public Email Protection Root R46
   Number of trust settings : 0
Cert 45: OISTE WISeKey Global Root GB CA
   Number of trust settings : 0
Cert 46: ComSign Global Root CA
   Number of trust settings : 0
Cert 47: Izenpe.com
   Number of trust settings : 0
Cert 48: COMODO Certification Authority
   Number of trust settings : 0
Cert 49: TrustCor RootCert CA-1
   Number of trust settings : 0
Cert 50: GlobalSign
   Number of trust settings : 0
Cert 51: AC RAIZ FNMT-RCM
   Number of trust settings : 0
Cert 52: DigiCert Trusted Root G4
   Number of trust settings : 0
Cert 53: TWCA Root Certification Authority
   Number of trust settings : 0
Cert 54: Starfield Class 2 Certification Authority
   Number of trust settings : 0
Cert 55: HARICA Client RSA Root CA 2021
   Number of trust settings : 0
Cert 56: SecureTrust CA
   Number of trust settings : 0
Cert 57: Entrust Root Certification Authority - G2
   Number of trust settings : 0
Cert 58: DigiCert TLS RSA4096 Root G5
   Number of trust settings : 0
Cert 59: Baltimore CyberTrust Root
   Number of trust settings : 0
Cert 60: HARICA Client ECC Root CA 2021
   Number of trust settings : 0
Cert 61: CA Disig Root R2
   Number of trust settings : 0
Cert 62: GlobalSign Root CA
   Number of trust settings : 0
Cert 63: QuoVadis Root CA 2 G3
   Number of trust settings : 0
Cert 64: DigiCert Assured ID Root CA
   Number of trust settings : 0
Cert 65: DigiCert Assured ID Root G3
   Number of trust settings : 0
Cert 66: Trustwave Global Certification Authority
   Number of trust settings : 0
Cert 67: SSL.com Client ECC Root CA 2022
   Number of trust settings : 0
Cert 68: GDCA TrustAUTH R5 ROOT
   Number of trust settings : 0
Cert 69: T-TeleSec GlobalRoot Class 2
   Number of trust settings : 0
Cert 70: T-TeleSec GlobalRoot Class 3
   Number of trust settings : 0
Cert 71: DigiCert Assured ID Root G2
   Number of trust settings : 0
Cert 72: Security Communication RootCA2
   Number of trust settings : 0
Cert 73: Entrust.net Certification Authority (2048)
   Number of trust settings : 0
Cert 74: AffirmTrust Networking
   Number of trust settings : 0
Cert 75: Autoridad de Certificacion Firmaprofesional CIF A62634068
   Number of trust settings : 0
Cert 76: Amazon Root CA 3
   Number of trust settings : 0
Cert 77: DigiCert SMIME ECC P384 Root G5
   Number of trust settings : 0
Cert 78: Amazon Root CA 2
   Number of trust settings : 0
Cert 79: Atos TrustedRoot Root CA ECC TLS 2021
   Number of trust settings : 0
Cert 80: AffirmTrust Premium ECC
   Number of trust settings : 0
Cert 81: Apple Root Certificate Authority
   Number of trust settings : 0
Cert 82: SwissSign Gold CA - G2
   Number of trust settings : 0
Cert 83: Go Daddy Class 2 Certification Authority
   Number of trust settings : 0
Cert 84: SSL.com Root Certification Authority ECC
   Number of trust settings : 0
Cert 85: CFCA EV ROOT
   Number of trust settings : 0
Cert 86: certSIGN ROOT CA G2
   Number of trust settings : 0
Cert 87: OISTE WISeKey Global Root GC CA
   Number of trust settings : 0
Cert 88: Amazon Root CA 1
   Number of trust settings : 0
Cert 89: Buypass Class 2 Root CA
   Number of trust settings : 0
Cert 90: ISRG Root X2
   Number of trust settings : 0
Cert 91: emSign Root CA - G1
   Number of trust settings : 0
Cert 92: GeoTrust Primary Certification Authority - G2
   Number of trust settings : 0
Cert 93: TWCA Global Root CA
   Number of trust settings : 0
Cert 94: Secure Global CA
   Number of trust settings : 0
Cert 95: Amazon Root CA 4
   Number of trust settings : 0
Cert 96: Certum Trusted Network CA 2
   Number of trust settings : 0
Cert 97: AffirmTrust Premium
   Number of trust settings : 0
Cert 98: SwissSign Silver CA - G2
   Number of trust settings : 0
Cert 99: Atos TrustedRoot Root CA RSA G2 2020
   Number of trust settings : 0
Cert 100: NetLock Arany (Class Gold) Főtanúsítvány
   Number of trust settings : 0
Cert 101: emSign ECC Root CA - G3
   Number of trust settings : 0
Cert 102: Sectigo Public Email Protection Root E46
   Number of trust settings : 0
Cert 103: HiPKI Root CA - G1
   Number of trust settings : 0
Cert 104: Apple Root CA
   Number of trust settings : 0
Cert 105: Chambers of Commerce Root - 2008
   Number of trust settings : 0
Cert 106: Certum Trusted Root CA
   Number of trust settings : 0
Cert 107: COMODO ECC Certification Authority
   Number of trust settings : 0
Cert 108: GlobalSign Secure Mail Root R45
   Number of trust settings : 0
Cert 109: GTS Root R1
   Number of trust settings : 0
Cert 110: TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
   Number of trust settings : 0
Cert 111: Trustwave Global ECC P256 Certification Authority
   Number of trust settings : 0
Cert 112: Entrust Root Certification Authority - EC1
   Number of trust settings : 0
Cert 113: Entrust Root Certification Authority
   Number of trust settings : 0
Cert 114: Atos TrustedRoot 2011
   Number of trust settings : 0
Cert 115: D-TRUST Root Class 3 CA 2 2009
   Number of trust settings : 0
Cert 116: DigiCert High Assurance EV Root CA
   Number of trust settings : 0
Cert 117: Certum Trusted Network CA
   Number of trust settings : 0
Cert 118: Sectigo Public Server Authentication Root R46
   Number of trust settings : 0
Cert 119: GlobalSign Root R46
   Number of trust settings : 0
Cert 120: Global Chambersign Root - 2008
   Number of trust settings : 0
Cert 121: Telia Root CA v2
   Number of trust settings : 0
Cert 122: IdenTrust Commercial Root CA 1
   Number of trust settings : 0
Cert 123: GTS Root R2
   Number of trust settings : 0
Cert 124: GlobalSign
   Number of trust settings : 0
Cert 125: Entrust Root Certification Authority - G4
   Number of trust settings : 0
Cert 126: GlobalSign
   Number of trust settings : 0
Cert 127: TeliaSonera Root CA v1
   Number of trust settings : 0
Cert 128: COMODO RSA Certification Authority
   Number of trust settings : 0
Cert 129: GTS Root R3
   Number of trust settings : 0
Cert 130: SSL.com Root Certification Authority RSA
   Number of trust settings : 0
Cert 131: Cisco Root CA 2048
   Number of trust settings : 0
Cert 132: certSIGN ROOT CA
   Number of trust settings : 0
Cert 133: SSL.com EV Root Certification Authority RSA R2
   Number of trust settings : 0
Cert 134: USERTrust ECC Certification Authority
   Number of trust settings : 0
Cert 135: Security Communication ECC RootCA1
   Number of trust settings : 0
Cert 136: Microsec e-Szigno Root CA 2009
   Number of trust settings : 0
Cert 137: Microsoft ECC Root Certificate Authority 2017
   Number of trust settings : 0
Cert 138: Certigna
   Number of trust settings : 0
Cert 139: GLOBALTRUST 2020
   Number of trust settings : 0
Cert 140: GTS Root R4
   Number of trust settings : 0
Cert 141: QuoVadis Root CA 3
   Number of trust settings : 0
Cert 142: DigiCert Global Root G2
   Number of trust settings : 0
Cert 143: Sectigo Public Time Stamping Root E46
   Number of trust settings : 0
Cert 144: Starfield Root Certificate Authority - G2
   Number of trust settings : 0
Cert 145: Hellenic Academic and Research Institutions ECC RootCA 2015
   Number of trust settings : 0
Cert 146: DigiCert Global Root CA
   Number of trust settings : 0
Cert 147: DigiCert Global Root G3
   Number of trust settings : 0
Cert 148: Certainly Root E1
   Number of trust settings : 0
Cert 149: QuoVadis Root CA 2
   Number of trust settings : 0
Cert 150: Certum CA
   Number of trust settings : 0
Cert 151: USERTrust RSA Certification Authority
   Number of trust settings : 0
Cert 152: Microsoft RSA Root Certificate Authority 2017
   Number of trust settings : 0
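
Added example, not part of the thread and not Apple's code: a small Python parser for the `security dump-trust-settings` text format shown in the post above, which compares the three domains against the baseline that post describes (user and admin domains empty, system entries listed with 0 trust settings). The sample dumps and certificate names are constructed for illustration, and the helper names (`parse_dump`, `audit`, `collect`) are hypothetical.

```python
"""Compare `security dump-trust-settings` output against the baseline in the post above."""
import re
import subprocess
import sys

# Domain label -> flag for `security dump-trust-settings` (flags as used in the thread).
DOMAINS = {"user": None, "admin": "-d", "system": "-s"}

CERT_RE = re.compile(r"^\s*Cert (\d+): (.+)$")
SETTING_RE = re.compile(r"^\s+Trust Setting (\d+):\s*$")
FIELD_RE = re.compile(r"^\s+(Policy OID|Allowed Error|Result Type)\s*:\s*(.*)$")

# Constructed sample input (not taken from any real machine).
SAMPLE_USER = """\
Number of trusted certs = 1
Cert 0: Example Root CA
   Number of trust settings : 3
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
"""
SAMPLE_ADMIN = "SecTrustSettingsCopyCertificates: No Trust Settings were found.\n"
SAMPLE_SYSTEM = """\
Number of trusted certs = 2
Cert 0: Example Public Root A
   Number of trust settings : 0
Cert 1: Example Public Root B
   Number of trust settings : 0
"""


def parse_dump(text):
    """Return [{"name": str, "settings": [{field: value, ...}, ...]}, ...]."""
    certs = []
    for line in text.splitlines():
        m = CERT_RE.match(line)
        if m:
            certs.append({"name": m.group(2).strip(), "settings": []})
            continue
        if not certs:
            continue  # header line, or the "No Trust Settings were found." message
        if SETTING_RE.match(line):
            certs[-1]["settings"].append({})
            continue
        m = FIELD_RE.match(line)
        if m and certs[-1]["settings"]:
            certs[-1]["settings"][-1][m.group(1)] = m.group(2).strip()
    return certs


def audit(dumps):
    """dumps maps domain name -> dump text. Returns one finding per deviating cert."""
    findings = []
    for domain, text in dumps.items():
        for cert in parse_dump(text):
            settings = cert["settings"]
            if domain == "system" and not settings:
                continue  # matches the baseline: listed with 0 trust settings
            policies = sorted({s.get("Policy OID", "(no policy listed)") for s in settings})
            errors = sorted({s["Allowed Error"] for s in settings if "Allowed Error" in s})
            findings.append({
                "domain": domain,
                "cert": cert["name"],
                "policies": policies,
                "allowed_errors": errors,
                "code_signing": "Code Signing" in policies,
            })
    return findings


def collect():
    """Run the three commands from the thread (macOS only)."""
    dumps = {}
    for domain, flag in DOMAINS.items():
        cmd = ["security", "dump-trust-settings"] + ([flag] if flag else [])
        proc = subprocess.run(cmd, capture_output=True, text=True)
        dumps[domain] = proc.stdout + proc.stderr  # the "not found" message may be on stderr
    return dumps


if __name__ == "__main__":
    if sys.platform == "darwin":
        dumps = collect()
    else:
        dumps = {"user": SAMPLE_USER, "admin": SAMPLE_ADMIN, "system": SAMPLE_SYSTEM}
    results = audit(dumps)
    for f in results:
        print(f"[{f['domain']}] {f['cert']}: policies={f['policies']} "
              f"allowed_errors={f['allowed_errors']}")
    sys.exit(1 if results else 0)
```

An empty result means the machine matches the baseline in the post; any finding names a certificate whose trust settings have been overridden and in which domain.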

I got some trust settings from 2 first commands and I do not know why. 😣

Here is my full output:

security dump-trust-settings

Number of trusted certs = 2
Cert 0: Apple Root CA
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: Apple Worldwide Developer Relations Certification Authority
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustAsRoot

 security dump-trust-settings -d
Number of trusted certs = 2
Cert 0: Apple Root CA - G2
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
Cert 1: Apple Root CA - G3
   Number of trust settings : 10
   Trust Setting 0:
      Policy OID            : SSL
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 1:
      Policy OID            : SSL
      Allowed Error         : Host name mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 2:
      Policy OID            : SMIME
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 3:
      Policy OID            : SMIME
      Allowed Error         : S/MIME Email address mismatch
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 4:
      Policy OID            : EAP
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 5:
      Policy OID            : IPSec
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 6:
      Policy OID            : Code Signing
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 7:
      Policy OID            : Unknown OID length 9, value { 2A 86 48 86 F7 63 64 01 14  }
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 8:
      Policy OID            : Apple X509 Basic
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot
   Trust Setting 9:
      Allowed Error         : CSSMERR_TP_CERT_EXPIRED
      Result Type           : kSecTrustSettingsResultTrustRoot

security dump-trust-settings -s
Number of trusted certs = 153
Accepted Answer

Yeah, so that’s not good. It indicates that someone has overridden the default trust settings, which is a known source of problems like this. For example, it commonly causes code signing problems, as explained in Fixing an untrusted code signing certificate.

That post also explains how to clear these trust settings using Keychain Access. I recommend that you do that and then retest.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello, Quinn! I finally managed to solve this puzzle, all thanks to you. All I did was find 2 certificates (Apple Root CA - G2 and Apple Root CA - G3) with overridden defaults for trust settings. I think sometime in the past I changed the trust setting for those 2 certificates to "Always Trust" for some reason I can't even remember. All I did was change those settings back to "Use System Defaults". Now stapling works all the time.

Thank you again from the bottom of my heart for guiding me through this maze!
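The check that resolved this thread, as an added example (not code from the thread or from Apple): a small parser for `security dump-trust-settings` output from the user domain (no flag) or admin domain (`-d`), where every listed certificate carries explicit trust settings and is therefore an override to review. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Parse `security dump-trust-settings` output for the user domain (no flag)
# or admin domain (-d). Any certificate listed there has explicit trust
# settings, so each entry is an override worth reviewing.
# Parsing relies only on two line shapes of that output:
#   "Cert N: <name>"  and  "   Number of trust settings : <count>"

list_overrides() {
    # stdin: dump output; stdout: "<count><TAB><name>" per certificate.
    awk '
        /^Cert [0-9]+: / {
            name = $0
            sub(/^Cert [0-9]+: /, "", name)
            next
        }
        /^[ \t]*Number of trust settings[ \t]*:/ && name != "" {
            count = $0
            sub(/^.*:[ \t]*/, "", count)
            printf "%d\t%s\n", count, name
            name = ""
        }
    '
}

apple_root_overrides() {
    # The entries that mattered in this thread: overridden Apple roots.
    list_overrides | awk -F '\t' '$2 ~ /^Apple Root/ { print $2 }'
}

# Constructed sample (not captured output) of a user-domain dump.
sample_user_dump() {
    cat <<'EOF'
Number of trusted certs = 3
Cert 0: Apple Root CA - G2
   Number of trust settings : 1
Cert 1: Example Internal Root (constructed)
   Number of trust settings : 2
Cert 2: Apple Root CA - G3
   Number of trust settings : 1
EOF
}

# On a Mac, replace sample_user_dump with: security dump-trust-settings
if [ -n "$(sample_user_dump | apple_root_overrides)" ]; then
    echo "Apple root certificates with overridden trust settings:"
    sample_user_dump | apple_root_overrides
fi
```

Do not feed it the `-s` dump: that domain lists the system's default roots, so every entry there would be reported. Empty output for both the user and admin domains means no overrides are present.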
