/usr/bin/security cms failing to sign profiles with correct certificate

Number:rdar://51354699 Date Originated:2019-06-03
Status:Open Resolved:
Product:macOS Product Version:10.14.5
Classification:macOS + SDK Reproducible:
When using `/usr/bin/security cms -S` command to sign profiles, the resulting signed profile is signed by another (seemingly) random certificate from my login keychain.

Steps to Reproduce:
1. Verify a code signing cert is available: `/usr/bin/security find-identity -p codesigning`
2. Grab the nickname of the cert: `/usr/bin/security find-identity -p codesigning -v | awk -F\" '/Developer ID/ {print $2}'`
3. Attempt to sign a profile with the cert's nickname: 
`/usr/bin/security cms -S -G -H SHA256 -N 'Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

Expected Results:
`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US

Actual Results:
`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`
subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F

ProductName:    Mac OS X
ProductVersion: 10.14.5
BuildVersion:   18F132

Note that signing with the `-Z` option to use the certificate subject key ID works:
`security cms -S -G -H SHA256 -Z '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

PS - The fact that the `-Z` option for the `security cms` command is a certificate subject key ID and not the SHA-1 hash of the certificate, like every other `-Z` option for the security commands is annoying and frustrating, considering `security find-identity -p codesigning` will give you the SHA-1 as another potential option to find certs with.


I've had the very same problem. It turned out that the private key of the certificate was not available in the System keychain, but only in my login keychain. After I moved it to the System keychain, it worked again.

For signing to work properly, both the certificate and its private key must be available in the System keychain!

So the actual bug seems to be that just any other certificate is picked and used instead of displaying an appropriate error message.

By metin.savignano at Dec. 8, 2021, 8:35 p.m. (reply...)

Please note: Reports posted here will not necessarily be seen by Apple. All problems should be submitted at bugreport.apple.com before they are posted here. Please only post information for Radars that you have filed yourself, and please do not include Apple confidential information in your posts. Thank you!