John,
My apologies, I re-ran my setup and realized what was putting the certificate there for me. I install Xcode by default for my folks and the "Apple Worldwide Developer Relations Certification Authority" certificate is installed when you launch Xcode for the first time.
Not that it may help at this point, but your third-party developer should have signed it with the "Apple Code Signing Certification Authority" intermediate certificate, as that certificate is installed by default on 10.7.5 and higher.
I've got a post on adding trusted root certificates to the keychain available here:
The main change you should need to make is that instead of running this command:
sudo security add-trusted-cert -d -r trustRoot -k "/Library/Keychains/System.keychain" "/path/to/certname.cer"
You would run this one:
sudo security add-trusted-cert -d -r trustAsRoot -k "/Library/Keychains/System.keychain" "/path/to/certname.cer"
Thanks,
Rich
On Feb 14, 2013, at 5:17 PM, John Oliver wrote:
My iMac runs Lion, and the only place that certificate appears is my login.keychain. The system where this issue cropped up is Mountain Lion.
I see no sign that it comes with either version… it simply isn't there. It does exist in /Library/Keychains/System.keychain on the problem system now because I put it there, but it isn't trusted.
On another Mountain Lion system:
sahara:~ joliver$ security find-certificate -a -Z /Library/Keychains/System.keychain | grep "Apple Worldwide Developer Relations Certification Authority"
sahara:~ joliver$
From: "Trouton, Rich R" < email@hidden>
Date: Thursday, February 14, 2013 2:09 PM
To: John Oliver < email@hidden>
Cc: Apple Fed-Talk < email@hidden>
Subject: Re: [Fed-Talk] Adding a trusted certificate?
John,
Are you running Mac OS X 10.7.5 or 10.8.x? That certificate should already be in your System keychain, as it is added by the OS (in 10.7.5 for 10.7.x and it's been in 10.8.x from the get-go.)
Thanks,
Rich
On Feb 14, 2013, at 4:57 PM, John Oliver wrote:
Long story short... I have a package that bombs out with an error about an untrusted cert. That package is signed by a third-party developer cert which is signed by "Apple Worldwide Developer Relations Certification Authority". However, that certificate is not included with the OS or the package, so I need to add it as a trusted certificate, and I need to do that from the command line.
My first question is, why is this certificate not included with the OS? It shows up in my login.keychain on another system, and I can download it from Apple's web site, but it seems like it should be included.
Next... since it is not included by default, and there may be a valid reason for that, what's the most appropriate keychain to add it to? It isn't a root certificate, so /S/L/K/SystemRootCertificates.keychain is out. I'd say /S/L/K/SystemCACertificates.keychain, but that keychain is not loaded by default, and seems to be mainly for DoD PKI. I could make an argument for /L/K/System.keychain. Or, not knowing, adding it to $USERs ~/L/K/login.keychain seems "safe".
OK! So, I tried:
imac:~ jnojr$ security add-trusted-cert -k ~/Library/Keychains/login.keychain ~/AppleWWDRCA.cer
SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.
The man page suggests that should work, but doesn't give any more examples.
Googling turns up numerous results that suggest:
security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/exported/certfile
The '-d' adds a certificate to an admin store, instead of the user. So let's try that...
imac:~ jnojr$ sudo security add-trusted-cert -d -k /Library/Keychains/System.keychain ~/AppleWWDRCA.cer
Password:
SecTrustSettingsSetTrustSettings: One or more parameters passed to a function were not valid.
imac:~ jnojr$ sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ~/AppleWWDRCA.cer
Hey, that worked! Except... it didn't. The certificate was added to the keychain, but the installer still bombs, and 'security dump-trust-settings -d' tells me:
Cert 1: Apple Worldwide Developer Relations Certification Authority
Number of trust settings : 0
So... how do I get this cert to be trusted?
---
JFRC Help Desk
phone: x4030
The best way to get in touch with me is through email.