unable to build chain to self-signed root for signer

I have a bunch of info suggestions on this front in Resolving errSecInternalComponent errors during code signing, but it looks like you’ve already done most of what I cover there.

So, the key problem here is:

Working from Terminal app in GUI session, not via SSH/cron

Let’s leave cron out of this for the moment. That’s a much trickier problem. However, you should be able to get this working from SSH.

Just to confirm, you’re using the same user for both the Terminal and SSH test, right?

Also, in SSH, after logging in, you’re doing a security unlock-keychain, right?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Yes, I have been unlocking the keychain. I have been using screen share and terminal, but I have also used SSH with the same result.

To add additional informmation, I tried creating a new user account and importing the certificate there, but in order to do that, I need to export the .p12 from the original account. The problem is that when I try to export it, I get “An invalid key was encountered”, despite the fact the CSR was generated on that account, and certificate assistant evaluates the certificate as good for both general and signing.

The problem is that when I try to export it, I get “An invalid key was encountered”

Hmmm, that’s weird. I’m not sure what’s causing that, but its sounds like something you’d want to fix before going further, if for no other reason than it being important to have an independent backup of your Developer ID signing identities [1].

Here’s a test for you to run:

1. Log out of that account.

2. Log in to some other account.

3. Make a copy of the keychain from the old account, that is, ~xyz/Library/Keychains/login.keychain-db, where xyz is the old account name.

4. Rename it.

5. Add it to Keychain Access on the new account (File > Add Keychain).

6. Can you then export it from there?

In fact, it’d be even better to copy it to a completely different machine!

That’ll tell you whether the keychain itself is borked, or whether there’s something about your account, or indeed your machine, that’s triggering these problems. For example, I’ve seen problems like this caused by… shall we say… over-enthusiastic enterprise security software running on the Mac that causes all sorts of odd failures.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Per The Care and Feeding of Developer ID.

Well, it's clear that the keychain is hosed. I'm going to create a new keychain and resubmit for a developer ID. I hate to burn another one, and my hope is that maybe you have the access to revoke and/or delete the previous one I created? If so, please let me know the process for that. The private key is lost/corrupted anyway, and we have not yet successfully signed or released any product with that ID.

maybe you have the access to revoke and/or delete the previous one I created?

I do not. However, even if I did that wouldn’t be a good option.

Developer ID certificates are fundamentally different from Apple Development and Apple Distribution certificates. If you revoke one, any software you signed with that certificate stops working. Quoting Developer > Support > Certificates:

If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.

While I’m not involved in this process, my understanding is that we only revoke Developer ID certificates if the private key has been compromised.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Additional Update on Developer ID Signing Issue (errSecInternalComponent)

Since my previous update, I've taken the following steps:

• Fully reset the default login keychain and metadata on the affected macOS build machine, resulting in a completely clean, empty login keychain.

• Imported the Developer ID Application certificate and private key (Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)) from the previous backup into the new login keychain.

• Verified trust settings and access control for the imported certificate and private key:

  • Certificate shows fully trusted and valid.
  • Private key access control explicitly allows use by codesign.

• Successfully exported the certificate and private key from the new login keychain without issues, confirming no export-related problems remain.

• Ran the simplest possible signing test from Terminal:

  cp "/usr/bin/true" "MyTrue"
  codesign --force --timestamp --options runtime \
    --sign "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)" \
    ./MyTrue
  

• This resulted in the identical error as before:

  ./MyTrue: replacing existing signature
  Warning: unable to build chain to self-signed root for signer "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
  ./MyTrue: errSecInternalComponent
  

Additionally, the output from security find-identity -p codesigning (obfuscated for privacy) is as follows:

Policy: Code Signing
  Matching identities
  1) [ID] "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
     1 identities found

  Valid identities only
  1) [ID] "Developer ID Application: Fidelis Security LLC (J4WGF5B6KZ)"
     1 valid identities found

I’m glad you were able to recover your Developer ID signing identity. That allows for a bunch more tests. Let’s start with a simple one:

1. Create a new user account on the affected machine.

2. Import that .p12 into your keychain.

3. Import the Developer ID intermediate certificates from Apple PKI page, specifically, Developer ID - G1 and Developer ID - G2.

4. Re-run your signing test from Terminal.

Does this work?

If not, retry this process with a new user account on a different Mac.

Note In step 3, it’s fine to import both intermediates. The system will use the right one.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

A coworker created a new dev certificate through xcode, and that one is working for us. It also seems to have fixed the certificate chain for the original one. Go figure!