98

I'm attempting to migrate an Xcode project to another computer. It gives me the warning "Warning: unable to build chain to self-signed root for signer" and when it runs it crashes immediately similarly to what is shown in this Stack Overflow:

App working on simulator but not on iPhone( dyld`__abort_with_payload dyld`_dyld_start)

My issue seems similar to what is described on the Apple Developer Forums here: https://forums.developer.apple.com/thread/86161

and similar to what is described on this Stack Overflow: Xcode ios app development code signing

except the suggestions of deleting certificates and re-adding them, re-adding my account and restarting didn't seem to help. I have removed my developer cert for the second time and now I don't see it coming back, and I'm at a loss of knowing how to get it back since my dev portal doesn't appear to have a place to download it like it used to.

I've also tried deleting the derived data folder several times.

e: I've determined ANY project on this computer results in the same crash and warning.

Chewie The Chorkie
  • 4,896
  • 9
  • 46
  • 90

15 Answers15

115

If none of the other solutions work, try adding the intermediate signing certificates to your system keychain. I found this while trying to manually create provisioning profile/certificates as nothing else was working - from the Create a New Certificate step of the New Provisioning Profile process on Apple Developer platform:

To use your certificates, you must have the intermediate signing certificate in your system keychain. This is automatically installed by Xcode. However, if you need to reinstall the intermediate signing certificate click the link below: Worldwide Developer Relations Certificate Authority (Expiring 02/07/2023) Worldwide Developer Relations Certificate Authority (Expiring 02/20/2030)

After downloading these two files and double-clicking them to automatically add to the system keychain, the automatic provisioning profile in xcode started working (I didn't need to complete the manual provisioning profile process, but that's where I found the links)

Paul Hristea
  • 1,191
  • 1
  • 7
  • 4
  • 11
    Thank you! For whatever reason, Xcode did not install the 02/20/2030 certificate, and that caused the signing to fail. After manually installing 02/20/2030 it worked. I did have 02/07/2023, but looks like you need the most recent one for brand new certificates. – Root Fool Feb 10 '21 at 19:38
  • 1
    Thank you so much, Im facing this problem for days. I had just one of this two certificates. – Daniel Beltrami Feb 11 '21 at 00:35
  • 1
    @RootFool this. My newly generated Mac App Distribution and Mac Installer Distribution certificates did require the new 2030 Worldwide Developer certificate to be installed as well. This link helped me to realize that I need the 2030 certificate event though I have the 2023 one: https://developer.apple.com/support/wwdr-intermediate-certificate/ – Andrei Smeltsov Jun 23 '21 at 13:47
  • 1
    Thank you, thank you, thank you!!! 3 days of anguish solved. – radioman1000 Jul 19 '21 at 17:29
  • This worked for me! I also had to follow this tip to ensure it was installed to the "System" Keychain (Initially was seeing Error -25294) https://developer.apple.com/forums/thread/675290 – Meekohi Jan 31 '22 at 18:27
  • To emphasize: The key here is *two* files. Or rather, make sure that you import the WWDR certificate with which your developer certificate was signed. I imported the WWDR certificate expiring in 2023 and two hours later finally realized that it didn't work because my developer certificate had been signed with the WWDR certificate expiring in 2030 (AppleWWDRCAG3.cer). – Richard Möhn Mar 30 '22 at 12:03
  • Worked for me too, but I had to delete the existing ones (although they were expiring 2023 and 2030) and then add the new ones – Frank Jul 25 '22 at 23:09
  • It's kinda pita to find out it was actually caused by a WDR CA certificate which is technically not expired based on it's date (02-07-2023)... luckily I found this post, otherwise I went nuts. – Nik Aug 01 '22 at 12:21
  • I believe what finally worked for me was after installing these 2 certificates I had to delete and reinstall my certificate. – Dan Leksell Sep 20 '22 at 16:07
85

I had the same problem and fixed with below steps:

  1. Open Keychain Access
  2. Select login, and click Certificates
  3. Double click Apple Worldwide Developer Relations Certificate Authority
  4. Expand the trust section, then next to "When using this certificate", change the setting from "Always Trust" to "Use System Defaults"
  5. Clean the build folder and run
Josh Brown
  • 52,385
  • 10
  • 54
  • 80
Keshav
  • 2,965
  • 3
  • 25
  • 30
  • 1
    Perfect. It worked for me. – Harish Singh Sep 24 '21 at 21:50
  • 22
    Thank you. For me, it was set to "Use System Defaults". So I changed it to "Always", closed the XCode, again set it to "Use System Defaults". These steps fixed the problem. – Marjan Basiri Oct 18 '21 at 06:12
  • This comment worked for me – Arun Oct 20 '21 at 04:17
  • 5
    3a) look for the little blue plus on the Apple certificate; 4) Open trust section, change from **"Always Trust"** -> **"Use Systems Default"** *("set from A to B" is much clearer phrasing in my brain)* – bshirley Nov 15 '21 at 21:00
  • Doing this caused our builds to fail with the error `Code Signing Error: Invalid trust settings. Restore system default trust settings for certificate "xxx" in order to sign code with it.` We had to download the 2030 certificate as mentioned in https://stackoverflow.com/a/66083449/1880761. – trebor Nov 17 '21 at 18:05
  • Yes this was it. Absolutely crazy but it did the trick! Talk about control freaks [Apple that is]! – Droid Chris Dec 29 '21 at 02:10
  • 2
    @MarjanBasiri comment solved for me, since the option was already "Use System Defaults" – gibertoni Jan 11 '22 at 18:00
  • Great answer.I did so many ways finally it worked. – Sheereen S Nov 04 '22 at 09:49
24

In my case the error was only resolved after I deleted Apple Worldwide Developer Relations Certification Authority which expires in 2023 from both System and login keychains and imported the other certificate that is valid until 2030. It seems that codesign was picking the incorrect one when both were present in the keychain.

Timofey Solonin
  • 1,393
  • 13
  • 20
17

I could fix the issue by downloading a new certificate from here and installing it. Look at https://developer.apple.com/de/support/expiration/ for more detail.

persec10000
  • 820
  • 2
  • 10
  • 17
  • 2
    Kindly add context to any links so your Answer is self contained, meaning the answer needs to be here in the Answer itself. See ["Provide context for links"](https://stackoverflow.com/help/how-to-answer). It would be preferable if you could answer the Question in your own words here and link only as a reference. Can you add some of the details you refer to? – Scratte Feb 18 '21 at 09:49
  • downloading above certificate from the link helped in my case as well. – Alvindra Dutt Aug 22 '23 at 01:32
7

I have been facing same issue for days now. Finally i solved it by just changing my root CA from Key Chain Access. View in System/ Login key chains. which certificate authority is being used as signer for your personal provisioning profile's certificate. Enter a valid CA certificate and you are good to go! Hope it helps. Ciao!

Euros
  • 102
  • 1
  • 6
  • 3
    Thank you. I forget how I finally resolved it, but I think it was a long period of time between the problem and coming up with a solution that not only would work in theory, but where my computer and Xcode were restarted several times. Sometimes it takes restarting Xcode to have everything snap into place as far as certificates and provisions goes. My certificate problem was certainly system-deep and required downloading the certificates from Apple. – Chewie The Chorkie Aug 15 '18 at 15:16
  • Could you add step by step instructions for this @Euros? – P. James Norris Feb 21 '22 at 22:51
  • @ChewieTheChorkie Can you please tell us the steps and elaborate more. I've tried everything today, but still unable to resolve this issue. – Kiran Jasvanee May 27 '22 at 16:54
  • Hi @KiranJasvanee, I would love to help you, but I have not used Xcode in so long, I am a little foggy on the matter at hand. If you tried all the answers here, maybe start a new question, or post on the Apple Developer's forums. – Chewie The Chorkie May 28 '22 at 18:00
  • Please provide steps. – Andrew Aug 26 '22 at 15:55
7

@waaheeda's answer led me in the right direction to fix this.

I have a keychain in my repo which is used for signing on my CI. After renewing my iOS enterprise distribution certificate and provisioning profile and updating the keychain accordingly, my CI signing stopped working. Code signing worked locally on my own machine.

I suddenly stumbled upon this and found this part particular interesting:

Enterprise iOS Distribution Certificates generated after September 2, 2020 require the new intermediate certificate installed on any machines that will be code signing.

I therefore found the "Apple Worldwide Developer Relations Intermediate Certificate Expiration" in my local "login" keychain in Keychain Access and added it to the keychain in my repo, and it seems to have fixed the signing for now (and hopefully until 2030):

enter image description here

kuhr
  • 582
  • 8
  • 18
5

1.change the certificate trust: "Always Trust" ==> "Use System Defaults"

2.change "codesign" command ==> "sudo codesign" command

3.change the "Apple Worldwide Developer Relations Certificate Authority" certificate in login and system items trust: "Always Trust" ==> "Use System Defaults"

worked for me when use codesign command in command line

Princekin
  • 696
  • 9
  • 18
4

This is too late to answer , but if anybody still looking for solution on this thread --

this happens if you are installing certificate for the first time or installing certificate which is created on another machine

In your Xcode project go to signing capabilities enter correct bundle identifier, disable automatic signing , select appropriate profile / import / download profile

then you will find trust repair option below profile , tap on it tap on trust enter your login credentials

this will create and install following certificates

enter image description here

Waaheeda
  • 394
  • 3
  • 14
4

In the machine where you created the certificate

  1. Open keychain
  2. Look for "Apple Worldwide Developer Relations Certificate Authority"
  3. Look at the column "Expires" and check apple.com/CertificateAuthority to see which has the same expiration

In your ci

  1. Install this certificate to your system keychain

    a. via fastlane

    import_certificate(
  certificate_path: "~/Downloads/AppleWWDRCAG3.cer"
)

    b. via cli

    sudo security import ~/Downloads/AppleWWDRCAG3.cer \
-k /Library/Keychains/System.keychain \
-T /usr/bin/codesign \
-T /usr/bin/security \
-T /usr/bin/productbuild
Ted
  • 22,696
  • 11
  • 95
  • 109
2

In my case I had an automatically signed project and my own developer certificate was not trusted (anymore) which was apparent in Keychain > login > certificates. On my own certificate I put Always trust in the Get Info popup.

After that I had to select again the "Automatically manage signing" in the Signing & Capabilities tab, which gave an error like "Repair trust settings". After clicking that it fixed the trust of my developer CA.

Also when it was again broken after this, I copied the G3 Apple Worldwide Developer Relations CA from the login keychain (default keychain) to the System Keychain (System).

Klaasel
  • 461
  • 3
  • 8
2

1.open xcode-> Preferences-> Accounts

2.select you appleid and click on Manage Certificates

3.click + (Add) and select Apple Development

  1. Clean Build Folder and run project
wanted
  • 41
  • 3
1

none of those actually worked for me. I had to delete the derived data; link, remove all the certificates and reinstall them, clean cache and had to reinstall pod files. After messing around for few hours I found a proper solution.

Wimukthi Rajapaksha
  • 961
  • 1
  • 11
  • 23
1

On Xcode 13.1 and received this error when attempting to archive my app, despite it building fine on the simulator. I didn’t have to change anything with my certificates in the keychain, just cleaning the build folder worked for me.

  1. Open “Product” menu
  2. Select “Clean Build Folder”
  3. Build / Archive your app

I’ve seen some other answers reference which certificates they’ve had, so I’ll just add that I also have the 2030 “Apple Worldwide Developer Relations Certification Authority” cert and the old one is still in my keychain as well, which I’ll probably need to delete at some point.

Dwigt
  • 729
  • 6
  • 16
0

In addition to the other answers, make sure that if you are sudoed to root, exit out before you try to codesign, so that you are signing as the login user. My codesign was failing when I forgot that I was running as root.

matthewv789
  • 99
  • 1
  • 4
0

It work for me:

macbook air,m1 2020

  1. delete old root CA(if existed): Apple Worldwide Developer Relations Certification Authority
  2. reinstall root CA from certificateauthority,and double click to intall.
  3. reinstall yourself cer. example: Apple Development: XXX Tang (9DHXXX87D)
Huang Huang
  • 316
  • 4
  • 6