Long story short... I have a package that bombs
out with an error about an untrusted cert. That package is
signed by a third-party developer cert which is signed by
"Apple Worldwide Developer Relations Certification Authority".
However, that certificate is not included with the OS or the
package, so I need to add it as a trusted certificate, and I
need to do that from the command line.
My first question is, why is this certificate
not included with the OS? It shows up in my login.keychain on
another system, and I can download it from Apple's web site,
but it seems like it should be included.
Next... since it is not included by default, and
there may be a valid reason for that, what's the most
appropriate keychain to add it to? It isn't a root
certificate, so /S/L/K/SystemRootCertificates.keychain is out.
I'd say /S/L/K/SystemCACertificates.keychain, but that
keychain is not loaded by default, and seems to be mainly for
DoD PKI. I could make an argument for /L/K/System.keychain. Or,
not knowing, adding it to $USER's ~/L/K/login.keychain seems
"safe".
OK! So, I tried:
imac:~ jnojr$ security add-trusted-cert -k ~/Library/Keychains/login.keychain ~/AppleWWDRCA.cer
SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.
The man page suggests that should work, but
doesn't give any more examples.
Googling turns up numerous results that suggest:
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/exported/certfile
The '-d' adds a certificate to an admin store,
instead of the user. So let's try that...
imac:~ jnojr$ sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain ~/AppleWWDRCA.cer
Password:
SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.
imac:~ jnojr$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/AppleWWDRCA.cer
Hey, that worked! Except... it didn't. The
certificate was added to the keychain, but the installer still
bombs, and 'security dump-trust-settings -d' tells me:
Cert 1: Apple Worldwide Developer Relations Certification Authority
Number of trust settings : 0
So... how do I get this cert to be trusted?
Fed-talk mailing list (email@hidden)