Dear Apple Developer Support,
I am experiencing a critical issue with Developer ID certificates issued for Turkish (C=TR) developer accounts that prevents code signing on macOS.
Issue Summary
All Turkish Developer ID certificates issued on October 4, 2025, contain an Apple proprietary extension (OID 1.2.840.113635.100.6.1.13) marked as "critical" that both OpenSSL and codesign cannot handle.
Technical Details
- Team ID: 4B529G53AG
- Certificate Country: TR (Turkey)
- Issue Date: October 4, 2025
- macOS Version: 15.6.1 (24G90)
- Problematic Extension OID: 1.2.840.113635.100.6.1.13 (marked as critical)
Evidence
I have verified this issue across THREE different Turkish Developer ID certificates:
- Serial: 21F90A51423BA96F74F23629AD48C4B1
- Serial: 461CBAF05C9EDE6E
- Serial: 184B6C2222DB76A376C248EC1E5A9575
All three certificates contain the same critical extension.
Error Messages
OpenSSL: error 34 at 0 depth lookup: unhandled critical extension
Codesign: unable to build chain to self-signed root for signer
errSecInternalComponent
Comparison with Working Certificate
My previous Developer ID certificate from Singapore (before revocation) worked perfectly and did NOT contain this critical extension. This confirms the issue is specific to Turkish certificates.
Impact
Cannot sign applications for distribution, which blocks:
- DMG signing for distribution
- Notarization process
- App distribution to users
Questions
- What is the purpose of OID 1.2.840.113635.100.6.1.13?
- Why is it marked as critical only for Turkish certificates?
- Is this related to Turkish regulatory requirements?
- Can you issue a certificate without this critical extension?
- Is there a macOS update planned to support this extension?
Request
Please either:
- Issue a Developer ID certificate without the critical extension OID 1.2.840.113635.100.6.1.13
- Provide a workaround for signing with current Turkish certificates
- Update the codesign tool to handle this extension
This appears to be a systematic issue affecting all Turkish developers as of October 2025.
Thank you for your urgent attention to this matter.
Best regards,
1- What is the purpose of OID 1.2.840.113635.100.6.1.13?
In general, you can find answers to questions like this in the various docs on the Apple PKI page. In this case, you can find that OID documented in Developer ID CPS, which currently leads to Certification Practice Statement Developer ID, Version 4.0, October 16, 2024. That doc lists the OID as being critical and non-optional.
An to what it means, TN3127 Inside Code Signing: Requirements has this to say on that topic:
the OID 1.2.840.113635.100.6.1.13 … is present in the Developer ID Application signing certificates issued by Apple
2- Why is it marked as critical only for Turkish certificates?
That’s not my experience. Here’s a dump of my individual test Developer ID Application signing identity:
% openssl x509 -inform der -in "Developer ID Application: Quinn Quinn (SKMME9E2Y8).cer" -text
Certificate:
…
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=Developer ID Certification Authority, OU=G2, O=Apple Inc., C=US
Validity
Not Before: Jul 11 13:46:17 2022 GMT
Not After : Jul 12 13:46:16 2027 GMT
Subject: UID=SKMME9E2Y8, CN=Developer ID Application: Quinn Quinn (SKMME9E2Y8), OU=SKMME9E2Y8, O=Quinn Quinn, C=US
…
X509v3 extensions:
…
1.2.840.113635.100.6.1.13: critical
..
…
As you can see, this is issued in the US and has the 1.2.840.113635.100.6.1.13 extension.
As to the actual problem, you wrote:
unable to build chain to self-signed root for signer
That’s almost certainly caused by a missing intermediate. See the Check for a missing issuer section of Fixing an untrusted code signing certificate.
Modern Developer ID certificates use an updated intermediate, and if you’re missing that intermediate you’ll see exactly this error.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"