lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

51354699: /usr/bin/security cms failing to sign profiles with correct certificate #21299

Open openradar-mirror opened 5 years ago

openradar-mirror commented 5 years ago

Description

When using /usr/bin/security cms -S command to sign profiles, the resulting signed profile is signed by another (seemingly) random certificate from my login keychain.

Steps to Reproduce:

  1. Verify a code signing cert is available: /usr/bin/security find-identity -p codesigning
  2. Grab the nickname of the cert: /usr/bin/security find-identity -p codesigning -v | awk -F\" '/Developer ID/ {print $2}'
  3. Attempt to sign a profile with the cert's nickname: /usr/bin/security cms -S -G -H SHA256 -N 'Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'

Expected Results:

`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US

Actual Results:

`openssl pkcs7 -inform DER -print_certs -in '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F

Version/Build:

ProductName: Mac OS X
ProductVersion: 10.14.5
BuildVersion: 18F132

Note that signing with the `-Z` option to use the certificate subject key ID works: `security cms -S -G -H SHA256 -Z '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' -i '/Users/n8felton/edu.rit.certificates.root.mobileconfig' -o '/Users/n8felton/edu.rit.certificates.root.mobileconfig'`

PS - The fact that the `-Z` option for the `security cms` command is a certificate subject key ID and not the SHA-1 hash of the certificate, like every other `-Z` option for the security commands, is annoying and frustrating, considering `security find-identity -p codesigning` will give you the SHA-1 as another potential option to find certs with.

- Product Version: 10.14.5
Created: 2019-06-04T11:55:40.563961
Originated: 2019-06-03T00:00:00
Open Radar Link: http://www.openradar.me/51354699
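Since the report shows `security cms -S` silently picking a different identity, the practical defence is to never trust the signing step alone: sign with the `-Z` subject key ID workaround, then re-read the signer certificate out of the CMS blob and compare it against the identity you intended. The following POSIX shell script is an added example, not code from the radar or from Apple's tooling. It assumes the `subject=/.../CN=.../...` line format printed in the report (newer OpenSSL builds print `CN = ...` separated by commas, which `signer_cns` does not handle), uses the report's certificate names as a constructed sample, and `sign_and_verify` only works on macOS where `/usr/bin/security` exists.

```shell
#!/bin/sh
# Added example: sign a profile with an explicit Developer ID identity (by
# subject key ID, the -Z workaround from the report) and then verify that the
# certificate actually embedded in the CMS signature is the expected one.

# Print the CN of every "subject=" line from `openssl pkcs7 -print_certs`
# output read on stdin. Assumes the slash-separated DN format shown in the
# report, e.g. subject=/UID=.../CN=Developer ID Application: X/OU=...
signer_cns() {
  sed -n 's|^subject=.*/CN=\([^/]*\).*|\1|p'
}

# Print the CN of every "issuer=" line, same format assumption as above.
issuer_cns() {
  sed -n 's|^issuer=.*/CN=\([^/]*\).*|\1|p'
}

# check_signer EXPECTED_CN OPENSSL_TEXT
# Returns 0 only if the first certificate in the openssl output has the
# expected subject CN and was issued by Apple's Developer ID CA; returns 1 for
# anything else, including the keychain "member:" identity from the report.
check_signer() {
  expected_cn=$1
  text=$2
  cn=$(printf '%s\n' "$text" | signer_cns | head -n 1)
  issuer=$(printf '%s\n' "$text" | issuer_cns | head -n 1)
  [ "$cn" = "$expected_cn" ] && [ "$issuer" = "Developer ID Certification Authority" ]
}

# sign_and_verify SKID EXPECTED_CN IN_PROFILE OUT_PROFILE
# macOS only: signs with `security cms -S -Z` and refuses to report success
# unless the signer found in the output really is EXPECTED_CN.
sign_and_verify() {
  skid=$1
  expected_cn=$2
  in_profile=$3
  out_profile=$4
  /usr/bin/security cms -S -G -H SHA256 -Z "$skid" -i "$in_profile" -o "$out_profile" || return 1
  check_signer "$expected_cn" "$(openssl pkcs7 -inform DER -print_certs -in "$out_profile")"
}

# Constructed sample outputs, shaped like the report's Expected/Actual results.
GOOD_OUTPUT='subject=/UID=77JG5V6MM7/CN=Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)/OU=77JG5V6MM7/O=ROCHESTER INSTITUTE OF TECHNOLOGY (INC)/C=US
issuer=/CN=Developer ID Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US'

BAD_OUTPUT='subject=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F
issuer=/O=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F/CN=member: A7483DA9-FAFD-43ED-A0D7-BB9E3BFF02A1 F17B58C4-D512-4DFB-9839-C1C51D6FAC4F'

EXPECTED_CN='Developer ID Application: ROCHESTER INSTITUTE OF TECHNOLOGY (INC) (77JG5V6MM7)'

# Offline demonstration on the constructed samples (no macOS needed).
if check_signer "$EXPECTED_CN" "$GOOD_OUTPUT"; then
  echo "good sample: signer matches expected identity"
fi
if ! check_signer "$EXPECTED_CN" "$BAD_OUTPUT"; then
  echo "bad sample: signer is NOT the expected identity (the bug from the report)"
fi

# Real use on macOS (SKID and paths are placeholders from the report):
# sign_and_verify '7DEDC3FEAAE2CB96F5233153AF1D459CB80185E7' "$EXPECTED_CN" \
#   '/path/to/profile.mobileconfig' '/path/to/profile.signed.mobileconfig'
```

Run the `sign_and_verify` call in a CI or packaging step so a mis-signed profile fails the build instead of reaching devices; the `check_signer` half can also be pointed at already-distributed profiles to audit which identity they carry.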
cubistico commented 2 years ago

I've had the very same problem. It turned out that the private key of the certificate was not available in the System keychain, but only in my login keychain. After I moved it to the System keychain, it worked again.

For security cms -S to work properly, both the certificate and its private key must be available in the System keychain!