
Apple signing errors and solutions

The following errors may occur during Apple signing.

No identity found

Error message:

88 da 70 81 9d 87 86 5a e2 19 96 cb 88 9d 9e 60 ab ff 7c 9d: no identity found

Description:

This error occurs when the SHA-1 fingerprint used in the signing command still contains spaces.

Solution:

Remove the spaces in the SHA-1 fingerprint in the signing command.
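As an added example (not part of the DigiCert page), the following POSIX shell helper normalises a pasted fingerprint and checks it against the identity list before codesign or productsign ever sees it, so a malformed or unknown fingerprint fails with a clear message instead of "no identity found". The fingerprint and the "Developer ID" names are the page's own; the function names, the constructed SAMPLE_IDENTITIES list and the MyApp.app placeholder are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the DigiCert page: turn a SHA-1 fingerprint as
# copied from Keychain Access ("88 da 70 ..." or "88:DA:70:...") into the
# 40-hex-digit form codesign and productsign expect, and confirm that it is
# one of the identities `security find-identity` lists. The fingerprint and
# identity names are the page's own examples; the function names are this
# example's.

# Strip spaces and colons, upper-case, and insist on exactly 40 hex digits.
normalize_fingerprint() {
    fp=$(printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F')
    case "$fp" in
        '' | *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# True when the normalised fingerprint appears in the given
# `security find-identity -v -p codesigning` output (passed as $2).
identity_listed() {
    printf '%s\n' "$2" | grep -q "^ *[0-9][0-9]*) $1 "
}

# Resolve a pasted fingerprint to the identity string codesign -s accepts,
# failing early with the same "no identity found" symptom the page describes
# instead of leaving it to codesign.
resolve_identity() {
    fp=$(normalize_fingerprint "$1") || { echo "malformed fingerprint: $1" >&2; return 1; }
    identity_listed "$fp" "$2" || { echo "$fp: no identity found" >&2; return 1; }
    printf '%s\n' "$fp"
}

# Constructed sample of `security find-identity -v -p codesigning` output
# (made-up data in the real command's layout, not a real identity list).
SAMPLE_IDENTITIES='  1) 88DA70819D87865AE21996CB889D9E60ABFF7C9D "Developer ID Application: Example Inc (DHPK4B64QS)"
  2) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Installer: Example Inc (DHPK4B64QS)"
     2 valid identities found'

# Stand-alone use on a Mac: resolve against the live identity list, then sign
# (MyApp.app is a placeholder for the bundle being signed).
#   id=$(resolve_identity "88 da 70 81 9d 87 86 5a e2 19 96 cb 88 9d 9e 60 ab ff 7c 9d" \
#        "$(security find-identity -v -p codesigning)") \
#     && codesign --sign "$id" --timestamp MyApp.app
```

The identity check deliberately matches the `N) HASH "name"` layout that `security find-identity -v` prints, so a fingerprint that belongs to a certificate which is installed but not valid for code signing (and therefore absent from the `-v -p codesigning` listing) is rejected as well.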

Could not find appropriate signing identity

Error message:

Could not find appropriate signing identity for "Developer ID Installer: Example Inc (DHPK4B64QS)

Description:

This error occurs when you use the productsign command and reference an incompatible certificate.

Solution:

Use a compatible certificate (Mac Installer Distribution or Developer ID Installer) in the productsign command.

This identity cannot be used for signing code

Error message:

Developer ID Installer: Example Inc (DHPK4B64QS): this identity cannot be used for signing code

Description:

This error occurs when you use the codesign command and reference an incompatible certificate.

Solution:

Use a compatible certificate (Developer ID Application) in the codesign command.

TokenExtension not connected

The pluginkit command should list the Secure Software Manager TokenExtension driver after you start DigiCert SSM Signing Clients.app. If it does not:

  1. Delete DigiCert SSM Signing Clients.app.

    1. Reinstall DigiCert SSM Signing Clients.app.

    2. Restart macOS and retry the pluginkit command.

  2. Remove the TokenExtension driver manually using:

    pluginkit -r "/Applications/DigiCert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx"
  3. Logs are written with the Apple unified logging framework.

    1. To check the logs for DigiCert SSM Signing Clients:

      log stream | grep -i "DigiCert SSM Signing Clients"
    2. To check the logs of the token:

      log stream | grep TokenExtension
  4. Run the man commands for more details about codesign and productsign.

    1. To see more details about codesign, run:

      man codesign
    2. To see more details about productsign, run:

      man productsign
  5. Make sure the Host, API key, client certificate password, and proxy settings are correct. Check the logs for error messages received from the server.

Failed to sign hash

Error message:

Logs:

2023-11-16 08:39:08.441813+0000 0x1149     Default     0x4d03               557    0    TokenExtension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
2023-11-16 08:39:08.441908+0000 0x1149     Default     0x4d03               557    0    TokenExtension: (SSMAPIClient) Info: SecPKCS12Import status -25264

SMCTL:

User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation.

Description:

OpenSSL 3.x changed its default algorithm. The new default is not compatible with the macOS SSL libraries from Ventura onwards. This affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.p12), because Keychain relies on LibreSSL.

Solution:

Use OpenSSL 3.x to convert your DigiCert ONE client authentication certificate to cert.pem, then re-export it as a PKCS#12 file with the -legacy flag (available in OpenSSL 3.x). The resulting file is readable by LibreSSL and therefore compatible with Apple Keychain.

  1. Confirm which OpenSSL version you're using:

    openssl version

    Note

    If the output is LibreSSL, continue with the steps below on a machine with OpenSSL 3.x installed.

  2. Convert the certificate from .p12 to .pem:

    openssl pkcs12 -in cert.p12 -out cert.pem
  3. Create a new .cert file:

    1. Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as certname.crt.

  4. Create a new .key:

    1. Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as encrypted.key.

  5. Decrypt the encrypted .key file:

    openssl rsa -in encrypted.key -out decryptedKey.key
  6. Run the following command to create a certificate file compatible with Ventura and Sonoma OS:

    1. Link the decrypted private key (decryptedKey.key) and its associated X.509 certificate (certname.crt), and export them as a PKCS#12 file (newcert.pfx):

      openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
    2. Save newcert.pfx in the environment variables of the CTK.

    3. Save the newcert.pfx password in the environment variables of the CTK.
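As an added example, not from the DigiCert page, the script below runs steps 1 to 6 above end to end. It cuts the certificate and key blocks out of cert.pem with sed instead of by hand, passes the passwords to openssl through environment variables rather than on the command line, and finishes with a check that the new file really uses the legacy PKCS#12 algorithms (3DES key bag with a SHA-1 MAC, the pre-3.x defaults) rather than OpenSSL 3's PBES2/AES-256 default that Keychain rejects. The file names follow the page (cert.p12, cert.pem, certname.crt, encrypted.key, decryptedKey.key, newcert.pfx); the function names, the P12_IN_PW / P12_OUT_PW variables, the use of `openssl pkey` in place of `openssl rsa`, and the constructed self-signed test material are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the DigiCert page: steps 1-6 above as one script.
# The certificate and key blocks are cut out of cert.pem with sed instead of
# by hand, passwords reach openssl through environment variables rather than
# the command line, and the result is checked for the legacy algorithms before
# it is handed to the signing client. File names follow the page (cert.p12,
# cert.pem, certname.crt, encrypted.key, decryptedKey.key, newcert.pfx); the
# function names and password handling are this example's own.

# Step 1: -legacy exists only in OpenSSL 3.x (macOS's LibreSSL lacks it).
require_openssl3() {
    openssl version 2>/dev/null | grep -q '^OpenSSL 3' && return 0
    echo "need OpenSSL 3.x, found: $(openssl version 2>/dev/null)" >&2
    return 1
}

# Steps 2-6 inside a scratch directory WORK (the plaintext key lives only there).
_convert_steps() {
    work=$1 in_p12=$2 out_pfx=$3
    # Step 2: .p12 -> .pem, key still encrypted with the import password.
    openssl pkcs12 -in "$in_p12" -passin env:P12_IN_PW -passout env:P12_IN_PW \
        -out "$work/cert.pem" || return 1
    # Step 3: certificate block(s) -> certname.crt.
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' \
        "$work/cert.pem" > "$work/certname.crt"
    # Step 4: encrypted key block -> encrypted.key.
    sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,/^-----END ENCRYPTED PRIVATE KEY-----/p' \
        "$work/cert.pem" > "$work/encrypted.key"
    [ -s "$work/certname.crt" ] && [ -s "$work/encrypted.key" ] || return 1
    # Step 5: decrypt the key (openssl pkey, unlike openssl rsa, also takes EC keys).
    openssl pkey -in "$work/encrypted.key" -passin env:P12_IN_PW \
        -out "$work/decryptedKey.key" || return 1
    # Step 6: re-export with -legacy (RC2/3DES bags, SHA-1 MAC) for Keychain.
    openssl pkcs12 -export -legacy -inkey "$work/decryptedKey.key" -in "$work/certname.crt" \
        -passout env:P12_OUT_PW -out "$out_pfx"
}

# convert_p12_legacy IN.p12 OUT.pfx IN_PASSWORD OUT_PASSWORD
convert_p12_legacy() {
    require_openssl3 || return 1
    P12_IN_PW=$3 P12_OUT_PW=$4
    export P12_IN_PW P12_OUT_PW
    work=$(mktemp -d) || return 1
    _convert_steps "$work" "$1" "$2"; rc=$?
    rm -rf "$work"                       # scrub the decrypted key
    unset P12_IN_PW P12_OUT_PW
    return "$rc"
}

# Exit 0 when FILE's key bag uses the legacy 3DES PBE (what Keychain accepts),
# 1 when it still uses OpenSSL 3's PBES2/AES default or cannot be read at all.
p12_uses_legacy_algs() {
    P12_CHK_PW=$2; export P12_CHK_PW
    openssl pkcs12 -in "$1" -passin env:P12_CHK_PW -legacy -info -noout 2>&1 \
        | grep -q 'KeyTripleDES'
}

# Constructed test material: a throwaway self-signed key and certificate
# packed with OpenSSL 3's defaults, i.e. the kind of file Keychain rejects.
make_constructed_p12() {
    dir=$1 P12_MK_PW=$2; export P12_MK_PW
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=constructed test' \
        -keyout "$dir/k.pem" -out "$dir/c.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -passout env:P12_MK_PW -out "$dir/cert.p12"
}

# Stand-alone: P12_IN_PW=... P12_OUT_PW=... sh convert.sh cert.p12 newcert.pfx
# (passwords come from the environment, so they stay out of shell history).
if [ "$#" -eq 2 ]; then
    in_pw=$P12_IN_PW out_pw=$P12_OUT_PW
    convert_p12_legacy "$1" "$2" "$in_pw" "$out_pw" \
        && p12_uses_legacy_algs "$2" "$out_pw" && echo "ok: $2 uses legacy PKCS#12 algorithms"
fi
```

Run `p12_uses_legacy_algs` on the original cert.p12 first: if it already reports the legacy algorithms, the PKCS12 import failure in the log has some other cause (most often simply a wrong password for the -25264 case) and the conversion will not help.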

For these changes to apply and start signing, you must:

  1. Remove the existing token:

    /Applications/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token remove-token
  2. Add a new token:

    /Applications/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token add-token
  3. Move the required keys to the new token:

    /Applications/DigiCert SSM Signing Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl keypair add-keys <keypair ID>

Note

For more information about how to complete these steps, refer to CryptoTokenKit (CTK).

Failed to save configuration to keychain: -25308

Error message:

Failed to save configuration into Keychain. configurationError(message: "Failed to save configuration to keychain: -25308")
Failed to set environment Veraibles. configurationError(message: "Failed to save configuration into Keychain. configurationError(message: \"Failed to save configuration to keychain: -25308\")")

Description:

This error occurs when your environment variables cannot be saved to Keychain because one or more variables are incorrect.

Solution:

Use the following macOS "security" command to unlock Keychain and provide the correct variables:

% security unlock-keychain -p <password> ~/Library/Keychains/login.keychain

Caution

This macOS command stores your password in plaintext in your shell history file (.zsh_history). It is therefore important that you manually erase this line from your history file so that your plaintext password cannot be accessed by others.

Unlocking the Keychain increases your system's vulnerability until it is locked again. Any command typed in the terminal window will be saved in a history file.
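As an added example, not from the DigiCert page, the wrapper below addresses both cautions at once: the password is read with echo off (or from a pipe) and only ever reaches `security` as an expanded variable, so the line that lands in .zsh_history is `with_unlocked_keychain codesign ...` rather than the secret, and the keychain is locked again the moment the wrapped command exits, whatever its status. The keychain path is the page's; the function names, the KEYCHAIN variable and the MyApp.app placeholder are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the DigiCert page: unlock the login keychain for one
# signing command without the password appearing in the typed command line
# (and so in .zsh_history), and lock it again as soon as the command finishes.
# The keychain path is the page's; the function names are this example's own.

KEYCHAIN=${KEYCHAIN:-"$HOME/Library/Keychains/login.keychain"}

# Read the keychain password with terminal echo off, or from stdin when not
# interactive (for example piped in from a secret store). Empty input is an error.
read_keychain_password() {
    if [ -t 0 ]; then
        printf 'Keychain password: ' >&2
        stty -echo
        read -r pw
        stty echo
        printf '\n' >&2
    else
        read -r pw
    fi
    [ -n "$pw" ] || return 1
    printf '%s' "$pw"
}

# Run COMMAND... with the keychain unlocked, then lock it again whatever the
# command's exit status, which keeps the unlocked window as short as possible.
with_unlocked_keychain() {
    pw=$(read_keychain_password) || return 1
    security unlock-keychain -p "$pw" "$KEYCHAIN" || { unset pw; return 1; }
    unset pw
    "$@"; rc=$?
    security lock-keychain "$KEYCHAIN"
    return "$rc"
}

# Stand-alone use on a Mac (MyApp.app is a placeholder):
#   sh unlock.sh codesign --sign "$IDENTITY" --timestamp MyApp.app
if [ "$#" -gt 0 ]; then
    with_unlocked_keychain "$@"
fi
```

Two caveats: `-p` still puts the password in the argument list of the `security` process for the instant it runs, so for a purely interactive session `security unlock-keychain` with no `-p` (which prompts on its own) is simpler still; and as a backstop for the case where the lock step never runs, `security set-keychain-settings -lut 300 ~/Library/Keychains/login.keychain` makes the keychain lock itself after 300 seconds idle and whenever the system sleeps.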