This repository has been archived by the owner on Jan 26, 2025. It is now read-only.

51354699: /usr/bin/security cms failing to sign profiles with correct certificate #21299

Open
openradar-mirror opened this issue Jun 4, 2019 · 1 comment

Comments

@openradar-mirror

Description

When using the /usr/bin/security cms -S command to sign profiles, the resulting signed profile is signed by another (seemingly) random certificate from my login keychain.

Steps to Reproduce:

  1. Verify a code signing cert is available: /usr/bin/security find-identity -p codesigning
  2. Grab the nickname of the cert: /usr/bin/security find-identity -p codesigning -v | awk -F\" '/Developer ID/ {print $2}'
  3. Attempt to sign a profile with the cert's nickname:
    /usr/bin/security cms -S -G -H SHA256 -N 'Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

Expected Results:
openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US

Actual Results:
openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F

Version/Build:
ProductName: Mac OS X
ProductVersion: 10.14.5
BuildVersion: 18F132

Note that signing with the -Z option to use the certificate subject key ID works:
security cms -S -G -H SHA256 -Z '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

PS - The fact that the -Z option for the security cms command is a certificate subject key ID and not the SHA-1 hash of the certificate, like every other -Z option for the security commands, is annoying and frustrating, considering security find-identity -p codesigning will give you the SHA-1 as another potential option to find certs with.

Product Version: 10.14.5
Created: 2019-06-04T11:55:40.563961
Originated: 2019-06-03T00:00:00
Open Radar Link: http://www.openradar.me/51354699
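As an added example (not part of the radar or this mirror), a post-signing check that parses the `openssl pkcs7 -print_certs` output quoted above and flags a profile whose signer is not the intended Developer ID identity, so a mis-signed profile is caught before it is deployed. It assumes the slash-delimited DN format shown in the report and that the first certificate listed is the signer; the sample outputs are constructed from the report's own lines.

```python
import re, subprocess

GOOD_OUTPUT = """subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
"""  # constructed sample: the "Expected Results" above
BAD_OUTPUT = """subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
"""  # constructed sample: the "Actual Results" above

def parse_dn(dn):
    """Split a slash-delimited DN ('/UID=x/CN=y/...') into a dict. Only a '/'
    followed by 'KEY=' starts a new attribute, so spaces and colons in values survive."""
    attrs = {}
    for part in re.split(r"/(?=[A-Za-z]+=)", dn.strip()):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = value
    return attrs

def parse_print_certs(text):
    """Pair each subject= line with the issuer= line after it; PEM blocks are skipped."""
    certs, subject = [], None
    for line in text.splitlines():
        if line.startswith("subject="):
            subject = parse_dn(line[len("subject="):])
        elif line.startswith("issuer=") and subject is not None:
            certs.append((subject, parse_dn(line[len("issuer="):])))
            subject = None
    return certs

def signer_problems(text, team_id):
    """Findings for the first cert listed (assumed to be the signer, as above);
    an empty list means it is the expected Developer ID Application identity."""
    certs = parse_print_certs(text)
    if not certs: return ["no certificate found in the CMS blob"]
    subject, issuer = certs[0]
    problems = []
    if not subject.get("CN", "").startswith("Developer ID Application:"):
        problems.append(f"signer CN is not a Developer ID Application cert: {subject.get('CN')!r}")
    if subject.get("OU") != team_id:
        problems.append(f"signer OU {subject.get('OU')!r} != expected team ID {team_id!r}")
    if issuer.get("CN") != "Developer ID Certification Authority":
        problems.append(f"issuer is not the Developer ID CA: {issuer.get('CN')!r}")
    return problems

def check_profile(path, team_id):
    """Run the report's own openssl command on a signed profile and check its signer."""
    out = subprocess.run(["openssl", "pkcs7", "-inform", "DER", "-print_certs", "-in", path],
                         capture_output=True, text=True, check=True)
    return signer_problems(out.stdout, team_id)
```

Newer OpenSSL builds print DNs as `CN = x, O = y` rather than the slash form shown here, so `parse_dn` would need adjusting for those.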

@cubistico

I've had the very same problem. It turned out that the private key of the certificate was not available in the System keychain, but only in my login keychain. After I moved it to the System keychain, it worked again.

For security cms -S to work properly, both the certificate and its private key must be available in the System keychain!
