/usr/bin/security cms failing to sign profiles with correct certificate

Originator: n8felton
Number: rdar://51354699    Date Originated: 2019-06-03
Status: Open    Resolved:
Product: macOS    Product Version: 10.14.5
Classification: macOS + SDK    Reproducible:

When using the `/usr/bin/security cms -S` command to sign profiles, the resulting signed profile is signed by another (seemingly) random certificate from my login keychain.

Steps to Reproduce:
1. Verify a code signing cert is available: `/usr/bin/security find-identity -p codesigning`
2. Grab the nickname of the cert: `/usr/bin/security find-identity -p codesigning -v | awk -F\" '/Developer ID/ {print $2}'`
3. Attempt to sign a profile with the cert's nickname: 
`/usr/bin/security cms -S -G -H SHA256 -N 'Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

Expected Results:
`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`
<snip>
subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
<snip>

Actual Results:
`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`
<snip>
subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
<snip>

Version/Build:
ProductName:    Mac OS X
ProductVersion: 10.14.5
BuildVersion:   18F132

Note that signing with the `-Z` option to use the certificate subject key ID works:
`security cms -S -G -H SHA256 -Z '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`
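As an added example (not the reporter's own commands): a small bash wrapper that signs the profile by subject key ID, as the workaround above does, and then refuses to keep the output unless the certificates embedded in it include the intended Developer ID subject. It assumes the macOS `security` and `openssl` tools, takes the identity name and key ID from this report, and assumes the slash-separated `subject=` format the report's openssl output shows; `skid_for_name` is an assumed helper for deriving the key ID that `-Z` expects.

```bash
# Added example, not from the original report: sign a profile by subject key
# ID and refuse to keep the result unless the embedded certificate subjects
# include the intended Developer ID. Assumes macOS `security` and `openssl`;
# identity name and key ID are the report's own, and `subject=` lines use the
# slash form shown in the report's openssl output.
set -u

EXPECTED_CN='Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)'
SKID='7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7'

# Assumed helper: derive the subject key ID that `cms -Z` expects from the
# identity name, since `find-identity` only reports the SHA-1 hash. For the
# report's identity this prints the value assigned to SKID above.
skid_for_name() {
  /usr/bin/security find-certificate -c "$1" -p |
    openssl x509 -noout -text |
    awk '/Subject Key Identifier/ { getline; gsub(/[: ]/, ""); print; exit }'
}

# Return 0 if a "subject=/.../CN=<name>/..." line in $1 (text printed by
# `openssl pkcs7 -inform DER -print_certs`) has a CN field equal to $2.
# Splitting on "/" copes with the spaces, colons and parentheses in the CN.
subject_cn_present() {
  printf '%s\n' "$1" | awk -v want="$2" -F'/' '
    /^subject=/ { for (i = 2; i <= NF; i++) if ($i == ("CN=" want)) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Sign $1 into $2 and check who actually signed it. Use a separate output
# path (the report signs in place) so a rejected result can be discarded
# without losing the unsigned profile.
sign_and_verify_profile() {
  local in="$1" out="$2" certs
  /usr/bin/security cms -S -G -H SHA256 -Z "$SKID" -i "$in" -o "$out" || return 1
  certs=$(openssl pkcs7 -inform DER -print_certs -in "$out") || return 1
  if subject_cn_present "$certs" "$EXPECTED_CN"; then
    echo "$out: signed by $EXPECTED_CN"
  else
    echo "$out: NOT signed by $EXPECTED_CN, discarding" >&2
    rm -f "$out"
    return 1
  fi
}

# Constructed sample of the report's "Actual Results" subject line, used to
# show the check rejecting the wrong signer without touching a keychain.
WRONG_SIGNER_CERTS='subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F'
```

Run it as `sign_and_verify_profile unsigned.mobileconfig signed.mobileconfig`; `subject_cn_present "$WRONG_SIGNER_CERTS" "$EXPECTED_CN"` returns 1, which is the case the report describes.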

PS - The fact that the `-Z` option for the `security cms` command is a certificate subject key ID, and not the SHA-1 hash of the certificate like every other `-Z` option for the security commands, is annoying and frustrating, considering `security find-identity -p codesigning` will give you the SHA-1 as another potential option to find certs with.
