macos Sierra: /usr/bin/security falsely verifies revoked certificate
| Originator: | esdee84 | ||
| Number: | rdar://31499076 | Date Originated: | 07-Apr-2017 |
| Status: | Open | Resolved: | |
| Product: | Developer Tools | Product Version: | 10.12.* |
| Classification: | security | Reproducible: | Always |
Summary: Our iOS CI Server needs to verify distribution certificates before using them to sign a build. This worked perfectly fine for years with the following command: security verify-cert -p codeSign -c ios_distribution.cer In case the cert could be successfully verified, the output was: "...certificate verification successful." (Exit Code 0) If it could not be verified, e.g. because it has been revoked, the output looked like: "Cert Verify Result: CSSMERR_TP_CERT_REVOKED" (and Non-Zero Exit Code). After installing macos Sierra, this stopped working. Calling security verify-cert with revoked certificates always produces the output "...certificate verification successful." and a zero exit code. I've tested this with several certs from different accounts on several machines. Some of the certs were revoked for over 4 weeks. Steps to Reproduce: 1. Create a new developer or distribution certificate on developer.apple.com/membercenter 2. Download this cert on a 10.12.* machine 3. Revoke the certificate on developer.apple.com/membercenter 4. verify the cert with: security verify-cert -p codeSign -c ios_distribution.cer Expected Results: /usr/bin/security should return a non-zero exit code and the string "Cert Verify Result: CSSMERR_TP_CERT_REVOKED" Actual Results: /usr/bin/security returns a zero exit code and the string "...certificate verification successful."
Comments
Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!