Apple signing errors and solutions
The following errors may occur during Apple signing.
No identity found
Error message:
88 da 70 81 9d 87 86 5a e2 19 96 cb 88 9d 9e 60 ab ff 7c 9d: no identity found
Description:
This error occurs when the SHA-1 fingerprint was pasted into the signing command with its spaces left in, so the identity string does not match any certificate in the keychain.
Solution:
Remove the spaces in the SHA-1 fingerprint in the signing command.
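As an added example that is not part of this DigiCert page: a small POSIX shell helper that removes the spaces and colons from a fingerprint and checks that the result is a 40-character SHA-1 hex digest before it is passed to codesign or productsign, so the "no identity found" failure is caught before signing. The sample fingerprint is the one from the error message above; the security and codesign calls in the trailing comment assume a bundle named MyApp.app.

```shell
#!/bin/sh
# Added example (not DigiCert's code): normalise a SHA-1 certificate
# fingerprint before handing it to codesign or productsign.

# Strip spaces and colons, upper-case the hex digits, and fail unless the
# result is exactly 40 hexadecimal characters (the length of a SHA-1 digest).
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*)
            echo "fingerprint contains non-hex characters: $1" >&2
            return 1 ;;
    esac
    if [ "${#fp}" -ne 40 ]; then
        echo "fingerprint must be 40 hex characters, got ${#fp}: $1" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# Usage on macOS (MyApp.app is an assumed bundle name):
#   FP=$(normalize_fingerprint "88 da 70 81 9d 87 86 5a e2 19 96 cb 88 9d 9e 60 ab ff 7c 9d")
#   security find-identity -v -p codesigning | grep -i "$FP"   # confirm the identity is present
#   codesign --sign "$FP" --timestamp MyApp.app
```

The function rejects a fingerprint that is too short or contains stray characters instead of passing it on, which turns an opaque codesign failure into an explicit error at the point where the value was entered.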
Could not find appropriate signing identity
Error message:
Could not find appropriate signing identity for "Developer ID Installer: Example Inc (DHPK4B64QS)
Description:
This error occurs when you use the productsign command and reference an incompatible certificate.
Solution:
Use a compatible certificate (Mac Installer Distribution or Developer ID Installer) in the productsign command.
This identity cannot be used for signing code
Error message:
Developer ID Installer: Example Inc (DHPK4B64QS): this identity cannot be used for signing code
Description:
This error occurs when you use the codesign command and reference an incompatible certificate.
Solution:
Use a compatible certificate (Developer ID Application) in the codesign command.
TokenExtension not connected
The pluginkit command should show the Secure Software Manager TokenExtension driver after starting the Digicert SSM Signing Clients.app. If it does not:
Delete the Digicert SSM Signing Clients.app.
Reinstall Digicert SSM Signing Clients.app.
Restart macOS and retry the pluginkit command.
Remove the TokenExtension driver manually using:
pluginkit -r "/Applications/Digicert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx"
Logs are written with the Apple logging framework.
To check the logs for DigiCert SSM Signing Clients (the pattern must be quoted, or grep treats the remaining words as file names):
log stream | grep "Digicert SSM Signing Clients"
To check the logs of the token:
log stream | grep TokenExtension
Run the man command for more details about codesign and productsign. To see more details about codesign, run:
man codesign
To see more details about productsign, run:
man productsign
Make sure the host, API key, client certificate password, and proxy settings are correct. Check the logs for error messages returned by the server.
Failed to sign hash
Error message:
Logs:
2023-11-16 08:39:08.441813+0000 0x1149 Default 0x4d03 557 0 TokenExtension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
2023-11-16 08:39:08.441908+0000 0x1149 Default 0x4d03 557 0 TokenExtension: (SSMAPIClient) Info: SecPKCS12Import status -25264
SMCTL:
User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation.
Description:
OpenSSL 3.x changed its default algorithm. The new default is not compatible with the macOS SSL libraries starting with macOS Ventura. This affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.p12), because Keychain relies on LibreSSL.
Solution:
Use the OpenSSL -legacy flag available in OpenSSL 3.x to convert your DigiCert ONE client authentication certificate to cert.pem, and then convert it into a PKCS#12 certificate that LibreSSL can read and that is therefore compatible with Apple Keychain.
Confirm which OpenSSL version you're using:
openssl version
Note
If the output is LibreSSL, continue with the steps below on the machine with OpenSSL 3.x installed.
Convert the certificate from .p12 to .pem:
openssl pkcs12 -in cert.p12 -out cert.pem
Create a new .crt file:
Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including both of those lines), paste them into a plain text editor or IDE, and save the file as certname.crt.
Create a new .key file:
Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY----- (including both of those lines), paste them into a plain text editor or IDE, and save the file as encrypted.key.
Decrypt the encrypted .key file:
openssl rsa -in encrypted.key -out decryptedKey.key
Run the following command to create a certificate file compatible with Ventura and Sonoma. It links the decrypted private key (decryptedKey.key) with its associated X.509 certificate (certname.crt) and exports them as a PKCS#12 file (newcert.pfx):
openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
Save newcert.pfx in the environment variables of the CTK.
Save newcert.pfx password in the environment variables of the CTK.
For these changes to apply and start signing, you must:
Remove the existing token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token remove-token
Add a new token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token add-token
Move the required keys to the new token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl keypair add-keys <keypair ID>
Note
For more information about how to complete these steps, refer to CryptoTokenKit (CTK).
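The conversion steps above can be scripted. The following POSIX shell script is an added example, not DigiCert's tooling: it runs the same openssl commands as the procedure, replaces the manual copy-and-paste of the PEM blocks with an awk extraction, and verifies that the resulting newcert.pfx parses before it is handed to the CTK. It assumes OpenSSL 3.x on PATH (the openssl steps prompt interactively for the import, key and export passwords) and uses the file names from the procedure above.

```shell
#!/bin/sh
# Added example (not DigiCert's code): automate the cert.p12 -> newcert.pfx
# conversion from the procedure above. Requires OpenSSL 3.x on PATH.
set -e

# Print the first PEM block of the given type (for example CERTIFICATE or
# ENCRYPTED PRIVATE KEY) from a PEM file, header and footer lines included.
# This replaces the manual copy from -----BEGIN ...----- to -----END ...-----.
extract_pem_block() {
    pem_file=$1
    block_type=$2
    awk -v begin="-----BEGIN ${block_type}-----" \
        -v end="-----END ${block_type}-----" '
        $0 == begin { inblock = 1 }
        inblock     { print }
        $0 == end   { exit }
    ' "$pem_file"
}

# Fail unless the openssl on PATH is OpenSSL 3.x; macOS ships LibreSSL as
# /usr/bin/openssl, which has no -legacy option.
require_openssl3() {
    ver=$(openssl version 2>/dev/null || true)
    case "$ver" in
        "OpenSSL 3."*) return 0 ;;
        *) echo "need OpenSSL 3.x, found: ${ver:-none}" >&2; return 1 ;;
    esac
}

# Full conversion: cert.p12 -> cert.pem -> certname.crt + encrypted.key
# -> decryptedKey.key -> newcert.pfx (legacy PKCS#12 that Keychain can read).
convert_to_legacy_pfx() {
    in_p12=$1
    out_pfx=$2
    require_openssl3
    openssl pkcs12 -in "$in_p12" -out cert.pem
    extract_pem_block cert.pem "CERTIFICATE" > certname.crt
    extract_pem_block cert.pem "ENCRYPTED PRIVATE KEY" > encrypted.key
    openssl rsa -in encrypted.key -out decryptedKey.key
    openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out "$out_pfx"
    # Verify that the exported file parses (prompts for its password again).
    openssl pkcs12 -in "$out_pfx" -legacy -noout
    # Do not leave the unencrypted private key on disk once the .pfx exists.
    rm -f decryptedKey.key
}

# Usage: sh convert.sh cert.p12 newcert.pfx
if [ "$#" -eq 2 ]; then
    convert_to_legacy_pfx "$1" "$2"
fi
```

Only newcert.pfx (and its password) is needed by the CTK afterwards, so the script deletes the plaintext decryptedKey.key; the encrypted.key and certname.crt files are kept so the export can be repeated without going back to cert.p12.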
Failed to save configuration to keychain: -25308
Error message:
Failed to save configuration into Keychain. configurationError(message: "Failed to save configuration to keychain: -25308") Failed to set environment Veraibles. configurationError(message: "Failed to save configuration into Keychain. configurationError(message: \"Failed to save configuration to keychain: -25308\")")
Description:
This error occurs when your environment variables cannot be saved to Keychain because one or more variables are incorrect.
Solution:
Use the following macOS "security" command to unlock Keychain and provide the correct variables:
security unlock-keychain -p <password> ~/Library/Keychains/login.keychain
Caution
This macOS command stores your password in plaintext in your shell history file (for example .zsh_history). Manually erase that line from the history file so that your plaintext password cannot be read by others. Alternatively, omit the -p option: security then prompts for the password interactively and nothing is written to the history file.
Unlocking the Keychain leaves your system more exposed until it is locked again, and every command typed in the terminal window is saved to the history file.