Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

51354699: /usr/bin/security cms failing to sign profiles with correct certificate #21299

Open
openradar-mirror opened this issue Jun 4, 2019 · 1 comment
Open

51354699: /usr/bin/security cms failing to sign profiles with correct certificate #21299

openradar-mirror opened this issue Jun 4, 2019 · 1 comment

Comments

@openradar-mirror
Copy link

Description

When using /usr/bin/security cms -S command to sign profiles, the resulting signed profile is signed by another (seemingly) random certificate from my login keychain.

Steps to Reproduce:

  1. Verify a code signing cert is available: /usr/bin/security find-identity -p codesigning
  2. Grab the nickname of the cert: /usr/bin/security find-identity -p codesigning -v | awk -F\" '/Developer ID/ {print $2}'
  3. Attempt to sign a profile with the cert's nickname:
    /usr/bin/security cms -S -G -H SHA256 -N 'Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

Expected Results:
openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US

Actual Results:
openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F

Version/Build:
ProductName: Mac OS X
ProductVersion: 10.14.5
BuildVersion: 18F132

Note that signing with the -Z option to use the certificate subject key ID works:
security cms -S -G -H SHA256 -Z '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

PS - The fact that the -Z option for the security cms command is a certificate subject key ID and not the SHA-1 hash of the certificate, like every other -Z option for the security commands is annoying and frustrating, considering security find-identity -p codesigning will give you the SHA-1 as another potential option to find certs with.

Product Version: 10.14.5
Created: 2019-06-04T11:55:40.563961
Originated: 2019-06-03T00:00:00
Open Radar Link: http://www.openradar.me/51354699
@cubistico
Copy link

I've had the very same problem. It turned out that the private key of the certificate was not available in the System keychain, but only in my login keychain. After I moved it to the System keychain, it worked again.

For security cms -S to work properly, both the certificate and its private key must be available in the System keychain!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@openradar-mirror @cubistico