How to Install Apple Development Certificates (CAs)?

  • Hi All,

    This has been bothering me for some time, and I want to try and track
    it down.....

    With a developer account, there are a number of CAs required for code
    signing. Its looks like 4, 5, or 6 are required from
    http://www.apple.com/certificateauthority/. I have four installed:

      * Apple Code Signing Certification Authority
          - exp FEB 2015
      * Apple Root CA
          - exp FEB 2035
      * Apple Timestamp Certification Authority
          - exp APR 2027
      * Apple Worldwide Developer Relations Certification Authority
          - exp FEB 2016
      * Developer ID Certification Authority
          - exp FEB 2027

    The above CAs are installed in the System Keychain *and* enforce X.509
    basic constraints. In addition, I've set all (except Timestamp) to
    allow "Code Signing"; and Timestamp to allow "Time Stamping". The
    developer certificates are in my keychain.

    When I run under the emulator, everything is OK. When I run on a
    device, I receive the following error:

    .../DerivedData/XXX-YYY/Build/Products/Debug-iphoneos/XXX.app:
    CSSMERR_TP_NOT_TRUSTED
    Command /usr/bin/codesign failed with exit code 1

    If I allow the CAs to enjoy "Use System Defaults" (I'm assuming this
    means "do whatever you want and however you like"), then code signing
    works.

    Would anyone know how I can determine which certificate is not trusted?

    Or perhaps something else?

    Jeff
  • The problem appears to be the Apple Worldwide Developer Relations
    Certification Authority. It requires more than Basic Constraints and
    Code Signing.

    Considering Apple's CPS on WWDR
    (http://www.apple.com/certificateauthority/Apple_WWDR_CPS) provides no
    warranty and claims its not fit for any use (see Section 2.4), it
    might be a good idea to fix whatever's broken here. There's no reason
    to allow the development certificate to be used for SSL/TLS, iChat,
    S/MIME, IPSec, etc.

    Radar 13856278; OpenRadar http://openradar.appspot.com/radar?id011403

    Jeff

    On Thu, May 9, 2013 at 9:18 PM, Jeffrey Walton <noloader...> wrote:
    > Hi All,
    >
    > This has been bothering me for some time, and I want to try and track
    > it down.....
    >
    > With a developer account, there are a number of CAs required for code
    > signing. Its looks like 4, 5, or 6 are required from
    > http://www.apple.com/certificateauthority/. I have four installed:
    >
    > * Apple Code Signing Certification Authority
    > - exp FEB 2015
    > * Apple Root CA
    > - exp FEB 2035
    > * Apple Timestamp Certification Authority
    > - exp APR 2027
    > * Apple Worldwide Developer Relations Certification Authority
    > - exp FEB 2016
    > * Developer ID Certification Authority
    > - exp FEB 2027
    >
    > The above CAs are installed in the System Keychain *and* enforce X.509
    > basic constraints. In addition, I've set all (except Timestamp) to
    > allow "Code Signing"; and Timestamp to allow "Time Stamping". The
    > developer certificates are in my keychain.
    >
    > When I run under the emulator, everything is OK. When I run on a
    > device, I receive the following error:
    >
    > .../DerivedData/XXX-YYY/Build/Products/Debug-iphoneos/XXX.app:
    > CSSMERR_TP_NOT_TRUSTED
    > Command /usr/bin/codesign failed with exit code 1
    >
    > If I allow the CAs to enjoy "Use System Defaults" (I'm assuming this
    > means "do whatever you want and however you like"), then code signing
    > works.
    >
    > Would anyone know how I can determine which certificate is not trusted?
    >
    > Or perhaps something else?
previous month may 2013 next month
MTWTFSS
    1 2 3 4 5
6 7 8 9 10 11 12
13 14 15 16 17 18 19
20 21 22 23 24 25 26
27 28 29 30 31    
Go to today