unable to build chain to self-signed root for signer

Having reviewed every document, this has been going on for nearly two months. Originally, it was thought that the problem might be related to the fact I had created the Developer ID signing certificate on an Intel Mac, and was trying to import and use it on an M1 Mac mini. That turned out to not be the case. Completely started over with a new account (the company changed names), requested and was granted the entitlements we needed. Created a new CSR from this new M1 machine, created a Developer ID certificate, installed the certificate on this machine. But no matter what, the codesign fails.

Troubleshooting

  • Environment:
    • Brand new Apple Developer account and Developer ID Application certificate (generated CSR on this Mac, installed cert and private key in login keychain)
    • macOS build/signing machine, not running codesign as root
    • Working from Terminal app in GUI session, not via SSH/cron
  • Keychain & Certificate Chain:
    • Verified Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ) certificate and private key are present in login keychain
    • Verified certificate is marked as trusted and has a private key attached
    • Developer ID Certification Authority present and trusted in System keychain (removed any extra from login)
    • Evaluate certificate assistant shows everything is good
    • Apple Root CA present and trusted in System keychain
    • Set all trust settings back to System Defaults after testing with “Always Trust”
    • No expired or duplicate Developer ID intermediates present
  • codesign Troubleshooting:
    • Ran: codesign --force --timestamp --options runtime --sign "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)" ./fidelisevents
    • Consistently received:
      • Warning: unable to build chain to self-signed root for signer ...
      • errSecInternalComponent
    • Confirmed correct identity using security find-identity -v -p codesigning (shows my Developer ID Application cert as valid)
    • Keychain order confirmed with security list-keychains
    • Tried explicit --keychain argument in codesign (no change)
  • Additional Steps Attempted:
    • Downloaded and re-installed all relevant Apple intermediates/root certificates from https://www.apple.com/certificateauthority/
    • Rebooted the Mac and killed/restarted the securityd daemon
    • Confirmed no use of sudo or root for codesigning
    • Verified keychain is unlocked
    • Checked that partition list grants access to codesign (set with security set-key-partition-list -S "apple:codesign:" -s -k "<pw>" ~/Library/Keychains/login.keychain-db)
    • Attempted to codesign a copy of /usr/bin/true (same error)
    • Ran codesign both with and without --timestamp, both on app bundle and binary
  • Keychain Access showing:
    • Certificate and private key present and linked
    • Correct trust chain
    • System keychain containing all Apple intermediates/roots
    • No trust warnings or red Xs

Downloaded the latest Apple CA and Developer ID Root certificates and installed those.

None of the forum searches have helped. AI is likewise confused.
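A chain-walking check for the failure described in this post, added here as an example (it is not code from the thread or from Apple). It assumes macOS `security`, `codesign` and `openssl` are available and uses the identity name quoted above as its default; the transcript classifier is portable and runs anywhere.

```shell
#!/bin/sh
# Added diagnostic for the "unable to build chain" / errSecInternalComponent
# failure (not code from the thread or from Apple). Assumes macOS `security`,
# `codesign` and `openssl`; IDENTITY defaults to the name used in the post.
set -u
IDENTITY="${1:-Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)}"

# Issuer CN of a PEM certificate; handles both LibreSSL and OpenSSL 3 layouts.
issuer_cn() {
  openssl x509 -in "$1" -noout -issuer | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Map a codesign stderr transcript to one keyword so the failure mode is explicit:
# chain (intermediate/root not reachable), notfound (identity absent from the
# keychain search list), keyaccess (bare errSecInternalComponent: the private key
# is not usable by codesign, e.g. locked keychain or partition list), ok.
classify_codesign_output() {
  if grep -q 'unable to build chain to self-signed root' "$1"; then echo chain
  elif grep -q 'could not be found in the keychain' "$1"; then echo notfound
  elif grep -q 'errSecInternalComponent' "$1"; then echo keyaccess
  else echo ok; fi
}

# Walk the chain the way codesign's trust evaluation does: leaf -> issuer name,
# issuer present in some keychain, then evaluate the leaf under the codeSign policy.
check_chain() {
  tmp=$(mktemp -d)
  if ! security find-certificate -c "$IDENTITY" -p > "$tmp/leaf.pem" 2>/dev/null; then
    echo "leaf certificate not found in any keychain"; rm -rf "$tmp"; return 1
  fi
  issuer=$(issuer_cn "$tmp/leaf.pem")
  echo "leaf issuer: $issuer"
  if security find-certificate -c "$issuer" -p > "$tmp/ca.pem" 2>/dev/null; then
    echo "intermediate found; it was issued by: $(issuer_cn "$tmp/ca.pem")"
  else
    echo "intermediate '$issuer' missing: import it from apple.com/certificateauthority/"
  fi
  security verify-cert -c "$tmp/leaf.pem" -p codeSign   # prints the trust verdict
  cp /usr/bin/true "$tmp/MyTrue"
  codesign --force --timestamp --options runtime --sign "$IDENTITY" "$tmp/MyTrue" \
    2> "$tmp/err.txt"
  echo "codesign result: $(classify_codesign_output "$tmp/err.txt")"
  rm -rf "$tmp"
}

# Live checks only make sense on macOS; the helper functions above are portable.
if [ "$(uname -s)" = Darwin ]; then check_chain; fi
```

If `security verify-cert` already fails under the codeSign policy, the problem is the trust chain in the keychains and not codesign or the private key; if it passes but the signing step still reports keyaccess, look at keychain unlock state and the key's partition list instead.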

I have a bunch of info suggestions on this front in Resolving errSecInternalComponent errors during code signing, but it looks like you’ve already done most of what I cover there.

So, the key problem here is:

Working from Terminal app in GUI session, not via SSH/cron

Let’s leave cron out of this for the moment. That’s a much trickier problem. However, you should be able to get this working from SSH.

Just to confirm, you’re using the same user for both the Terminal and SSH test, right?

Also, in SSH, after logging in, you’re doing a security unlock-keychain, right?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, I have been unlocking the keychain. I have been using screen share and terminal, but I have also used SSH with the same result.

To add additional information, I tried creating a new user account and importing the certificate there, but in order to do that, I need to export the .p12 from the original account. The problem is that when I try to export it, I get “An invalid key was encountered”, despite the fact the CSR was generated on that account, and Certificate Assistant evaluates the certificate as good for both general and signing.

The problem is that when I try to export it, I get “An invalid key was encountered”

Hmmm, that’s weird. I’m not sure what’s causing that, but it sounds like something you’d want to fix before going further, if for no other reason than it being important to have an independent backup of your Developer ID signing identities [1].

Here’s a test for you to run:

  1. Log out of that account.

  2. Log in to some other account.

  3. Make a copy of the keychain from the old account, that is, ~xyz/Library/Keychains/login.keychain-db, where xyz is the old account name.

  4. Rename it.

  5. Add it to Keychain Access on the new account (File > Add Keychain).

  6. Can you then export it from there?

In fact, it’d be even better to copy it to a completely different machine!

That’ll tell you whether the keychain itself is borked, or whether there’s something about your account, or indeed your machine, that’s triggering these problems. For example, I’ve seen problems like this caused by… shall we say… over-enthusiastic enterprise security software running on the Mac that causes all sorts of odd failures.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Per The Care and Feeding of Developer ID.

Well, it's clear that the keychain is hosed. I'm going to create a new keychain and resubmit for a developer ID. I hate to burn another one, and my hope is that maybe you have the access to revoke and/or delete the previous one I created? If so, please let me know the process for that. The private key is lost/corrupted anyway, and we have not yet successfully signed or released any product with that ID.

maybe you have the access to revoke and/or delete the previous one I created?

I do not. However, even if I did that wouldn’t be a good option.

Developer ID certificates are fundamentally different from Apple Development and Apple Distribution certificates. If you revoke one, any software you signed with that certificate stops working. Quoting Developer > Support > Certificates:

If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.

While I’m not involved in this process, my understanding is that we only revoke Developer ID certificates if the private key has been compromised.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Additional Update on Developer ID Signing Issue (errSecInternalComponent)

Since my previous update, I've taken the following steps:

  • Fully reset the default login keychain and metadata on the affected macOS build machine, resulting in a completely clean, empty login keychain.

  • Imported the Developer ID Application certificate and private key (Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)) from the previous backup into the new login keychain.

  • Verified trust settings and access control for the imported certificate and private key:

    • Certificate shows fully trusted and valid.
    • Private key access control explicitly allows use by codesign.
  • Successfully exported the certificate and private key from the new login keychain without issues, confirming no export-related problems remain.

  • Ran the simplest possible signing test from Terminal:

    cp "/usr/bin/true" "MyTrue"
    codesign --force --timestamp --options runtime \
      --sign "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)" \
      ./MyTrue
    
  • This resulted in the identical error as before:

    ./MyTrue: replacing existing signature
    Warning: unable to build chain to self-signed root for signer "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
    ./MyTrue: errSecInternalComponent
    

Additionally, the output from security find-identity -p codesigning (obfuscated for privacy) is as follows:

Policy: Code Signing
  Matching identities
  1) [ID] "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
     1 identities found

  Valid identities only
  1) [ID] "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
     1 valid identities found

I’m glad you were able to recover your Developer ID signing identity. That allows for a bunch more tests. Let’s start with a simple one:

  1. Create a new user account on the affected machine.

  2. Import that .p12 into your keychain.

  3. Import the Developer ID intermediate certificates from Apple PKI page, specifically, Developer ID - G1 and Developer ID - G2.

  4. Re-run your signing test from Terminal.

Does this work?

If not, retry this process with a new user account on a different Mac.

Note In step 3, it’s fine to import both intermediates. The system will use the right one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
