Mac Developer cert "no root certificate found", but it's right there in my keychain
Question
I'm setting up a macOS 10.15 Intel machine for development and am trying to get a code signing certificate. From the Apple PKI web page, I downloaded
- Apple Inc. Root
- Apple Computer, Inc. Root
- Apple Root CA – G3 Root
- Developer Authentication
- Developer ID - G1
- Worldwide Developer Relations – G3 (Expiring 2/20/2030)
I started the System Keychain application and selected the login keychain, then dragged the .cer files to it. Then I clicked on Apple Worldwide Developer Relations Certification Authority and used the menu item Certificate Assistant ▹ Request a certificate from a certificate authority. I filled out the correct info, saved the request file, went to Apple's site, uploaded the request, and got a Mac Developer certificate. I downloaded that and dragged it to Keychain Access. The result after all that looks like this:
The security command line tool finds the identities (and here I've obfuscated the identifiers by replacing parts of them with ...):
> security find-identity -p codesigning
Policy: Code Signing
Matching identities
1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
1 identities found
Valid identities only
1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
1 valid identities found
Despite all this, when I select my certificate in Keychain Access and use the menu item Certificate Assistant ▹ Evaluate "Mac Developer ...", it tells me "no root certificate found".
I've restarted the system, tried a number of variations (used the system keychain instead of the login keychain, eliminated certificates that don't seem relevant, etc.) but while all the certs are reported as "valid", the "no root certificate found" notice persists.
The problem that I'm facing is that I'm not able to use the certificate in actual development. The toolchain I'm using (PyInstaller) invokes codesign, and that program fails with the error code errSecInternalComponent. I assume the "no root certificate found" must be the cause.
What have I done wrong? What can I try next to resolve this problem?
Answer 1
Score: 1
Additional search and experimentation led to an understanding and a solution. The solution came from answers to another question, which did not at first seem applicable – until I realized what I was actually doing.
I had a Screen Sharing connection to the macOS 10.15 computer I was using, where I was doing all the Keychain Access and certificate work, but simultaneously I was trying to execute my build commands over SSH to the same machine. [*] The fact that I was executing commands in a separate iTerm2 window over ssh was the problem: codesign apparently can't access the keys in the Keychain, and while I assumed I would see any dialogs that any program would need to show (after all, I was looking at the computer's desktop via Screen Sharing at the same time), this assumption was wrong: it turns out it won't do that if running over ssh, even if the same user is simultaneously logged in over Screen Sharing.
The solution turned out to be:
- Start a terminal window within Screen Sharing
- Run my build commands in that terminal window
- A GUI dialog will be presented for your password
- Enter the password and click "Always allow"
That's essentially this answer to the Stack Overflow question linked above.
[*] Because I'm working on automating the builds, and it's more comfortable to do from a local iTerm2 window than in an iTerm2 window running inside Screen Sharing. Eventually I need to be able to run everything over ssh without having to interact with the system over Screen Sharing.
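A pre-flight triage for the situation described in this answer, as an added example that is not part of the original post: it reads the output of security find-identity and the error text from codesign, and separates a certificate problem from a keychain-access problem in an SSH session. The function names, verdict strings and the SSH_CONNECTION/SSH_TTY check are assumptions of this example, the verdicts are heuristics, and the sample input is constructed from the output quoted in the question.

```shell
#!/bin/sh
# Added example: triage a failed codesign step from a build script.

# Count identities listed under "Valid identities only" in the output of
# `security find-identity -p codesigning` (read from stdin).
count_valid_identities() {
    awk '
        /Valid identities only/ { in_valid = 1; next }
        in_valid && /^[[:space:]]*[0-9]+\)/ { n++ }
        END { print n + 0 }
    '
}

# True when this shell was started over SSH (sshd sets these variables).
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ]
}

# triage <find-identity output> <codesign error text>
# Prints one verdict word (hypothetical labels, heuristic only).
triage() {
    valid=$(printf '%s\n' "$1" | count_valid_identities)
    if [ "$valid" -eq 0 ]; then
        echo "no-valid-identity"            # look at the certificate chain or private key
    elif printf '%s' "$2" | grep -q 'errSecInternalComponent'; then
        if in_ssh_session; then
            echo "keychain-access-over-ssh" # no GUI prompt can reach this session
        else
            echo "keychain-access"
        fi
    else
        echo "ok-or-other"
    fi
}

# Constructed sample input, modelled on the output quoted in the question.
SAMPLE_IDENTITIES='Policy: Code Signing
Matching identities
1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
1 identities found
Valid identities only
1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
1 valid identities found'
# Constructed error line; only the error name comes from the question.
SAMPLE_CODESIGN_ERR='build/app: errSecInternalComponent'
```

In a build script, pass the live output of security find-identity -p codesigning and the captured stderr of the codesign call to triage. With the question's data in an SSH session the verdict is keychain-access-over-ssh, which matches the cause found in the answer rather than the "no root certificate found" message.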