Will a self signed code-signing certificate get rid of "Unknown Publisher" warnings? - self-signed

Will a self signed code-signing certificate get rid of "Unknown Publisher" warnings?
What will be the effect of using a self signed certificate with regards to warnings?

You will still get warnings like untrusted signing authority when using self signed certificates. You usually just self sign on your own servers to test SSL. You don't want to self sign SSL on a production server.

No, a self-signed won't work for that. You'll have to get a code signing cert from a real CA, see http://codesigning.ksoftware.net or http://www.verisign.com (and there are many more).

Here's what worked for me.
For local testing, yes that is possible.
Right click the installer and go to Properties.
Click on the Digital Signatures tab.
Under Signature list select the signer and click Details
Click View Certificate
Click Install Certificate..., then Next >
Select Place all certificates in the following store radio button
Click Browse and select Trusted Root Certification Authorities
Click OK and click Next >, and then Finish.
A Security Warning will appear informing you that you're doing this at your own risk.
If you want to remove this certificate you can do that by going to certmgr.msc and removing the certificate located under Trusted Root Certification Authorities

If you install your self-signed certificate into the Root Certification Authorities store, you will not get "Unknown Publisher" warnings.

Related

How to fix this Xcode Error: "Warning unable to build chain to self signed root for signer apple Development"?

So, I just renewed my Apple developer membership and I started getting this error "Warning unable to build chain to self signed root for signer apple Development".
I am unable to archive my apps in order to upload them to the AppStore, I tried these threads with no luck:
https://developer.apple.com/forums/thread/86161
Always 'Ad Hoc Code Signed' for Embedded Binary Signing Certificate
https://developer.apple.com/forums/thread/662300
PS: I have "this certificate is not trusted" in my Apple development and Apple Distribution certificates in the Certificates section on the keychain access. I don't know if that is related to my issue?
What worked for me was to download the "Apple Worldwide Developer Relations Certification Authority" that expires on 20 Feb 2030 alongside the already existing one that expires on 7 Feb 2023.
That was enough to make the "this certificate is not trusted" go away, and to let me build and archive my app again.
I had this issue recently and I found out that this is a problem with the OS.
This solution seems like a hack but it works!
Go to Xcode Preferences menu (command+,) and then Accounts tab
click on the gear icon on the bottom left and Export Apple ID and Code Signing Assets...
Set a password for the export
⚠️ You are going to delete all passwords and profiles! Don't forget your password! Writing down your password is highly recommended.
⛔️ This file will contain all your accounts and profiles. Make sure to keep it very secure.
Delete all accounts.
Build and face the new error.
Import them back using your password.
It should be working again now.

This certificate has an invalid issuer Apple Push Services

I have created certificate to enable Push Services in my app, but every time I try to add certificate in my Keychain, after adding certificate it shows me following error:
This certificate has an invalid issuer
I think I've figured this one out. I imported the new WWDR Certificate that expires in 2023, but I was still getting problems building and my developer certificates were still showing the invalid issuer error.
In keychain access, go to View -> Show Expired Certificates. Then in your login keychain highlight the expired WWDR Certificate and delete it.
I also had the same expired certificate in my System keychain, so I deleted it from there too (important).
After deleting the expired certificate from the login and System keychains, I was able to build for Distribution again.
Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
and double-click to install to Keychain.
Select "View" -> "Show Expired Certificates" in Keychain app.
Confirm "Certificates" category is selected.
Remove expired Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab.
Here's Apple's answer.
Thanks for bringing this to the attention of the community and apologies for the issues you’ve been having. This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To resolve the issue, you should first download and install the new WWDR intermediate certificate (by double-clicking on the file). Next, in the Keychain Access application, select the System keychain. Make sure to select “Show Expired Certificates” in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate (expired on February 14, 2016). Your certificates should now appear as valid in Keychain Access and be available to Xcode for submissions to the App Store.
https://forums.developer.apple.com/thread/37208
This is not actually a development issue. It happens due to expiration of the Apple Worldwide Developer Relations Intermediate Certificate issued by Apple Worldwide Developer Relations Certificate Authority. WWDRCA issues the certificate to sign your software for Apple devices, allowing our systems to confirm that your software is delivered to users as intended and has not been modified.
To resolve this issue, you have to follow the below steps:
Open Keychain Access
Go to View -> Show Expired Certificates
Go to System in Keychain
Here you find that "Apple Worldwide Developer Relations Certificate Authority" is marked as expired. So delete it. Also check under Login Tab and delete expired WWDRCA.
Download new WWDR Intermediate Certificate from here(The renewed Apple Worldwide Developer Relations Certification Intermediate Certificate will expire on February 7, 2023).
Install it by double clicking on it.
If you still face any issue with your iOS apps, Mac apps, Safari extensions, Apple Wallet and Safari push notifications, then please follow this link of expiration.
The Apple Worldwide Developer Relations Certification Intermediate
Certificate expires soon and we've issued a renewed certificate that
must be included when signing all new Apple Wallet Passes, push
packages for Safari Push Notifications, and Safari Extensions starting
February 14, 2016.
While most developers and users will not be affected by the
certificate change, we recommend that all developers download and
install the renewed certificate on their development systems and
servers as a best practice. All apps will remain available on the App
Store for iOS, Mac, and Apple TV.
Here is how we fixed this.
Step 1: Open Keychain access, delete "Apple world wide Developer relations certification authority" (which expires on 14th Feb 2016) from both "Login" and "System" sections.
If you can't find it, use “Show Expired Certificates” in the View menu.
Step 2: Download this and add it to Keychain access -> Certificates
(which expires on 8th Feb 2023).
Step 3: Everything should be back to normal and working now.
Reference: Apple Worldwide Developer Relations Intermediate Certificate Expiration
In Apple's Developer's portal, add a new certificate, and when asked "What type of certificate do you need?" choose "WorldWide developer relations certificate". Generate the new certificate, download and install. The moment you do that, you will no longer see the message you have described.
Edit:
The certificate can be downloaded from the following page:
https://www.apple.com/certificateauthority/
You can choose one of the following two certificates:
"WWDR Certificate (Expiring 02/07/23)"
or
"WWDR Certificate (Expiring 02/14/16)"
Follow the below steps:
Download and install from here. Double click and install it.
Select "View" -> "Show Expired Certificates" in Keychain app.
Remove Apple Worldwide Developer Relations Certificate Authority
certificates from "login" tab and "System" tab in Keychain app.
If you don't find your WWDR certificate in Login or System tab, then select category "All items" on the left side. Most probably you will get to see an expired WWDR certificate here, and you can remove it. An expired certificate is always shown with a red asterisk.
If you are facing the "This certificate has an invalid issuer" error for all your certificates then do the following steps.
Steps:
Open Keychain and Click on Login -> All Items from the left panel.
Now, Click on View -> Show Expired Certificates from the top navigation menu.
Now search for "Apple Worldwide Developer Relations Certification Authority" and delete expired certificates.
After deleting expired certificates, visit the following URL and download the new certificate,
https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
Double click on the newly downloaded certificate, and install it in your keychain.
Double check: List expired certificates by following step number 3.
Now you have a valid "Apple Worldwide Developer Relations Certification Authority" having expiry date 2023-02-07.
Reference:
Apple Worldwide Developer Relations Intermediate Certificate Expiration
As described in the Apple Worldwide Developer Relations Intermediate Certificate Expiration:
The previous Apple Worldwide Developer Relations Certification Intermediate Certificate expired on February 14, 2016 and the renewed certificate must now be used when signing Apple Wallet Passes, push packages for Safari Push Notifications, Safari Extensions, and submissions to the App Store, Mac App Store, and App Store for Apple TV.
All developers should download and install the renewed certificate on their development systems and servers. All apps will remain available on the App Store for iOS, Mac, and Apple TV.
The new valid certificate will look like the following:
It will display (this certificate is valid) with a green mark.
So, go to your Key Chain Access. Just delete the old certificate and replace it with the new one (renewed certificate) as Apple described in the document. Mainly the problem is only with the Apple push notification service and extensions as described in the Apple document.
You can also check the listing of certificates in https://www.apple.com/certificateauthority/
Certificate Revocation List:
Now this updated certificate will expire on 2023-02-08.
If you could not see the old certificate then go to the System Keychains and from edit menu and select the option Show Expired Certificates.
Now you can see the following certificate that you have to delete:
You need to search the World from the top right search bar and delete the expired certificate. Make sure you selected Login and All items.
Just try to set the local date earlier than Feb 14. Works for me! Not a complete solution, but it temporarily solves the problem.
All my certificates are installed and expire dates are fine.
I deleted and reinstalled all my certificates, still no luck
In the end, I right-clicked on the certificate, and selected "Get Info". Under the Trust section, I selected "Always Trust" and this solved my problem.
If you got here from the Fastlane then this snippet might fix your CI deployments. Execute it before the signing.
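# Download Apple's WWDR G3 intermediate certificate.
apple_intermediate_certificate_path = "/tmp/AppleWWDRCAG3.cer"
# --fail makes curl exit non-zero on an HTTP error instead of saving the error page as the certificate.
`curl --fail --silent --show-error https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output #{apple_intermediate_certificate_path}`
# Backticks do not raise on failure, so stop here if the download did not succeed.
raise "WWDR certificate download failed" unless $?.success?
# Import it into the keychain the build signs from (replace the two placeholders).
other_action.import_certificate(
  certificate_path: apple_intermediate_certificate_path,
  keychain_name: YOUR_KEYCHAIN_NAME,
  keychain_password: YOUR_KEYCHAIN_PASSWORD
)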
In 2021:
Download AppleWWDRCAG3.cer (valid until 2030) from
https://developer.apple.com/support/expiration/
Install it
If you are here from fastlane suggestion and still getting this error
after trying all above fixes
security find-identity -v -p codesigning returns valid identities found
error is happening only on build server
if you log in "manually" everything works
then this is probably due to the fact that the distribution certificate is in the wrong place:
"Login" keychain works while logged in
"System" keychain works with build server run as daemon
Check this answer with screenshot, you can just right click distribution certificate in the login keychain and paste it into system.
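A command-line check for the condition these answers keep running into (an expired or soon-to-expire intermediate still present in a keychain), as an added example that is not from any of the posts above. The function names, the 30-day threshold and the test certificates are constructed for illustration; the `security` invocation in the comment shows how the stream would be produced on a Mac.

```shell
#!/bin/sh
# Added example: list certificates in a PEM stream that are expired or that
# expire within a given number of days. On a Mac the stream would come from,
# for instance (typical System keychain path, adjust as needed):
#   security find-certificate -a -p -c "Apple Worldwide Developer Relations" \
#       /Library/Keychains/System.keychain | expiring_certs 30
set -eu

expiring_certs() {  # $1 = threshold in days; PEM certificates on stdin
  days=$1
  tmp=$(mktemp -d)
  # Split the stream into one file per BEGIN/END CERTIFICATE block, because
  # "openssl x509" only reads the first certificate of its input.
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }'
  for f in "$tmp"/*.pem; do
    [ -e "$f" ] || continue
    # -checkend N exits non-zero when the certificate expires within N seconds
    # (N = 0 means "already expired").
    if ! openssl x509 -in "$f" -noout -checkend $((days * 86400)) >/dev/null; then
      openssl x509 -in "$f" -noout -subject -enddate | tr '\n' ' '
      echo
    fi
  done
  rm -rf "$tmp"
}

# Constructed test data: a throwaway self-signed certificate with a chosen
# lifetime, standing in for a keychain entry.
make_test_cert() {  # $1 = CN, $2 = validity in days; writes PEM to stdout
  t=$(mktemp -d)
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$1" > "$t/c.cnf"
  openssl req -x509 -config "$t/c.cnf" -newkey rsa:2048 -nodes \
    -keyout "$t/k.pem" -days "$2" 2>/dev/null
  rm -rf "$t"
}

# Demo: one certificate valid for 1 day, one for 400 days, threshold 30 days.
# Only the short-lived one is reported.
demo_out=$( { make_test_cert "constructed short" 1
              make_test_cert "constructed long" 400; } | expiring_certs 30 )
printf '%s\n' "$demo_out"
```

Running it against both the login and the System keychain on a build server shows whether a stale copy is still there before the signing step fails.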

Xcode Archive Error: Missing IOS Distribution Signing Identity For (Name)

When I try to archive my app, I get this error...
I've been doing a lot of research, but can't seem to figure it out. I've tried everything from revoking and recreating my certificates, and recreating the Provisioning Profiles.
What do I do?
According to the Apple Developer Forums, the Apple Worldwide Developer Relations Intermediate Certificate Expiration expired 2/14/2016.
... This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To
resolve the issue, you should first download and install the new WWDR
intermediate certificate (by double-clicking on the file). Next, in
the Keychain Access application, select the System keychain. Make sure
to select “Show Expired Certificates” in the View menu and then delete
the expired version of the Apple Worldwide Developer Relations
Certificate Authority Intermediate certificate (expired on February
14, 2016). Your certificates should now appear as valid in Keychain
Access and be available to Xcode for submissions to the App Store.
Follow These Simple Steps:
Open Keychain from top menu go to View > Show Expired Certificates .
Now In Keychain Locate Expired Apple World Wide Developer Relation Certification Authority in Login tab and System tab from left panel and delete it from both tabs.
Download Certificate: https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double click to install it.
Restart Xcode.
This answer solved my problem...
The problem was that the certificate was not signed by a known authority.
this certificate was signed by an unknown authority
I spent lots of time due to this certificate. After deleting the WWDR certificate in the login and System tabs, the problem is fixed.

Xcode 7 error: "Missing iOS Distribution signing identity for ..."

I tried to upload my App to iTunes Connect resp. AppStore and got the following error:
Failed to locate or generate matching signing assets
Xcode attempted to locate or generate matching signing assets and failed to do so because of the following issues.
Missing iOS Distribution signing identity for ...
Xcode can request one for you.
Before I set up a new development machine, exported the developer accounts via Xcode 7 from the old to the new machine.
What can I do to fix this?
From Apple -
Thanks for bringing this to the attention of the community and
apologies for the issues you’ve been having. This issue stems from
having a copy of the expired WWDR Intermediate certificate in both
your System and Login keychains. To resolve the issue, you should
first download and install the new WWDR intermediate certificate (by
double-clicking on the file). Next, in the Keychain Access
application, select the System keychain. Make sure to select “Show
Expired Certificates” in the View menu and then delete the expired
version of the Apple Worldwide Developer Relations Certificate
Authority Intermediate certificate (expired on February 14, 2016).
Your certificates should now appear as valid in Keychain Access and be
available to Xcode for submissions to the App Store.
As noted in a comment below, the expired certificate also needs to be removed from the login section, as well:
To all that cannot get it working despite the instructions... There
are two expired WWDR certs. One is in login keychain, and the other
one is in the System. You have to delete both of them in order to make
things working
I also faced the same issue today. The following steps fixed my issue.
Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer
Double-click to install to Keychain.
Then in Keychain, Select View -> "Show Expired Certificates" in Keychain app.
It will list all the expired certificates.
Delete "Apple Worldwide Developer Relations Certificate Authority certificates" from "login" tab
And also delete it from "System" tab.
Now you are ready to go.
I kept running into the issue and saw that all my certs were invalidated -- oh no!
It turns out I never deleted the expired cert. It was not showing up for me, until I selected from Keychain Access application:
View->Show Expired Certificates
then
System->All Items
will finally display that gnarly expired cert. Delete that, and a retry from Xcode will pick up the new valid certs.
Just make sure you search "All Items" in the Keychain Access app. The invalidated certs are a result of pointing to the expired certificate that has not been deleted yet.
The below process will solve the problem,
1: Open KeyChain access, and Delete "Apple world wide Developer relations certification authority" (Which expires on 14th Feb 2016) from both "Login" and "System" sections. If you can't find it, use “Show Expired Certificates” in the 'View' menu.
2: Now download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double click the certificate to add it to Keychain access > certificates (which expires on 8th Feb 2023).
Now the valid status of the certificates should turn green like below.
Once check the status.
Apple has made the following changes, so download the new certificate from developer.apple.com,
the renewed certificate, and place it as in the screenshots below. In the keychain, as in the screenshots below, click on System and then Certificates. Delete the expired certificate. Then drag and drop the AppleWWDRCA.cer that you downloaded from the above link.
Apple Worldwide Developer Relations Intermediate Certificate Expiration
To help protect customers and developers, we require that all third
party apps, passes for Apple Wallet, Safari Extensions, Safari Push
Notifications, and App Store purchase receipts are signed by a trusted
certificate authority. The Apple Worldwide Developer Relations
Certificate Authority issues the certificates you use to sign your
software for Apple devices, allowing our systems to confirm that your
software is delivered to users as intended and has not been modified.
The Apple Worldwide Developer Relations Certification Intermediate
Certificate expires soon and we've issued a renewed certificate that
must be included when signing all new Apple Wallet Passes, push
packages for Safari Push Notifications, and Safari Extensions starting
February 14, 2016.
While most developers and users will not be affected by the
certificate change, we recommend that all developers download and
install the renewed certificate on their development systems and
servers as a best practice. All apps will remain available on the App
Store for iOS, Mac, and Apple TV.
Since different methods can be used for validating receipts and
delivering remote notifications, we recommend that you test your
services to ensure no implementation-specific issues exist. Your apps
may experience receipt verification failure if the receipt checking
code makes incorrect assumptions about the certificate. Make sure that
your code adheres to the Receipt Validation Programming Guide and
resolve all receipt validation issues before February 14, 2016.
After searching for a while I found out that it is not sufficient to export the developer accounts from Xcode and import these on the new machine, again via Xcode.
Additionally I needed to copy the Certificate named "Apple World Wide Developer Relations Certificate Authority" from the keychain of the former development machine to the keychain of the new one.
This solved the problem for me.
I imported the new Apple WWDR Certificate that expires in 2023, but I was still getting problems and my developer certificates were showing the invalid issuer error.
In keychain access, go to View -> Show Expired Certificates, then in your login keychain highlight the expired WWDR Certificate and delete it.
I also had the same expired certificate in my System keychain, so I deleted it from there too. (Important)
After deleting the expired cert from the login and System keychains, I was able to build for Distribution again.
I removed the old AppleWWDRCA, downloaded and installed AppleWWDRCA, but the problem remained. I also checked my distribution and development certificates in Keychain Access, and saw the error below:
"This certificate has an invalid issuer."
Then,
I revoked both development and distribution certificates on member center.
Re-created the CSR file and added development and distribution certificates from zero, downloaded them, and installed.
This fixed the certificate problem.
Since the old certificates were revoked, the existing provisioning profiles became invalid. To fix this:
On member center, opened provisioning profiles.
Opened profile detail by clicking "Edit", checked certificate from the list, and clicked "Generate" button.
Downloaded and installed both development and distribution profiles.
I hope this helps.
My answer was different and came along with the message:
resource fork, Finder information, or similar detritus not allowed
The solution was to do with generated graphics:
Code Sign Error in macOS Sierra Xcode 8 : resource fork, Finder information, or similar detritus not allowed
Don't forget to also install the iOS cert for your Apple Developer Account.
Make sure that in Project Navigator > Signing > Team, a team name is selected.

Can I sign ActiveX control with root certificate?

I have an ActiveX control, which is supposed to be installed at the first visit of web-page.
I have self-signed certificate, created with OpenSSL, and its child. The problem is that if I sign an activeX control with root certificate, Windows can't validate it while checking activex, even if it is installed as trusted.
It writes, that
"A certificate's basic extension has not been observed"
and in "view certificate":
"The certificate is not valid because one of certification authorities in the certification path does not appear to be allowed to issue certificates or this certificate cannot be used as an end-entity certificate".
If I use the child certificate for signing while the root certificate is in trusted, everything is fine.
I suppose that the root certificate can only sign certificate-related stuff, not files etc., however I want to be sure about this.
I think that what that error message is trying to tell you is that the certificate you have generated for your key does not contain the correct certificate extensions. Code-signing requires a certificate that has been generated for code-signing. Other types of certificate -- e.g. those that are generated for signing data -- are subject to less scrutiny by the CA, and so offer a lower level of security than is required for code-signing.
Your own self-signed root certificate should be set up for key-signing, and the child certificate should be set up for code signing. Then your ActiveX signature should be OK, so long as your root certificate is in the browser's trusted key store. Generally a key-signing certificate should be set up only for key-signing and a code-signing certificate should be set up only for code-signing, so you can't use these keys for any other purpose.
That solution is OK within an organization, where you can install your root key on every user's PC in advance. If you want to use your ActiveX control on a webpage on the public internet you will either have to persuade users to trust your certificate (even though they may have no good reason to do so) or you will have to buy a code-signing certificate from one of the commercial CAs whose root certificates are already known to the common browsers.
Finally, I'd really advise against using ActiveX controls for anything as they'll only be able to run on Windows, and then only if they're trusted. Most people who have any sense will have their browser's security set up to reject them. You'll have much more success producing your active content with a different technology (e.g. Javascript)
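The split this answer describes (a root restricted to certificate signing, a child restricted to code signing), written out with OpenSSL as an added example that is not part of the original answer. The subject names, file names, 30-day lifetime and the `make_chain` / `cert_role` helpers are constructed for illustration, and the keys are throwaway test keys.

```shell
#!/bin/sh
# Added example: build a two-level test chain whose extensions match the
# roles described above, then report which role each certificate can play.
set -eu

make_chain() {  # $1 = existing empty working directory
  d=$1
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Test Root
# Root: may sign certificates and CRLs, nothing else.
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
# Child: end-entity certificate limited to code signing.
[v3_codesign]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
  # Self-signed root carrying the v3_root profile.
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.pem" \
    -days 30 2>/dev/null
  # Key and CSR for the signer; -subj overrides the CN from the config.
  openssl req -new -config "$d/pki.cnf" -subj "/CN=Constructed Code Signer" \
    -newkey rsa:2048 -nodes -keyout "$d/child.key" -out "$d/child.csr" \
    2>/dev/null
  # Root issues the child with the v3_codesign profile.
  openssl x509 -req -in "$d/child.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/pki.cnf" -extensions v3_codesign \
    -out "$d/child.pem" 2>/dev/null
}

cert_role() {  # $1 = PEM certificate; prints ca | code-signing | other
  text=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then
    echo ca
  elif printf '%s\n' "$text" | grep -q 'Code Signing'; then
    echo code-signing
  else
    echo other
  fi
}

work=$(mktemp -d)
make_chain "$work"
for c in root child; do
  printf '%s.pem: %s\n' "$c" "$(cert_role "$work/$c.pem")"
done
# The child chains to the root; only the root would go into a trust store.
openssl verify -CAfile "$work/root.pem" "$work/child.pem"
```

The child key and certificate are what a signing tool is given; the root key is used only to issue certificates and can stay offline.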
Using self-signed certificates for digitally signing your binaries pretty much goes against the concept of using digital certificates with programs. The basic idea is to prove the code was created by you (authenticity) and has not been modified since you released it (integrity). This must be done by using a signed certificate that is signed by a trusted Certificate Authority (CA).
I've answered this in a little more detail on the following question.
creating a key and signing executable with signtool
