
I'm setting up a macOS 10.15 Intel machine for development and am trying to get a code signing certificate. From the Apple PKI web page, I downloaded

  • Apple Inc. Root
  • Apple Computer, Inc. Root
  • Apple Root CA – G3 Root
  • Developer Authentication
  • Developer ID - G1
  • Worldwide Developer Relations – G3 (Expiring 2/20/2030)

I started the System Keychain application and selected the login keychain, then dragged the .cer files to it. Then I clicked on Apple Worldwide Developer Relations Certification Authority and used the menu item Certificate Assistant → Request a certificate from a certificate authority. I filled out the correct info, saved the request file, went to Apple's site, uploaded the request, and got a Mac Developer certificate. I downloaded that and dragged it to Keychain Access. The result after all that looks like this:

[screenshot]

The security command line tool finds the identities (and here I've obfuscated the identifiers by replacing parts of them with ...):

> security find-identity -p codesigning

Policy: Code Signing
  Matching identities
  1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
     1 identities found

  Valid identities only
  1) 431753F56EB2677FDBDCA2... "Mac Developer: Michael Hucka (D7AL...)"
     1 valid identities found

Despite all this, when I select my certificate in Keychain Access and use the menu item Certificate Assistant → Evaluate "Mac Developer ...", it tells me "no root certificate found".

[screenshot]

I've restarted the system, tried a number of variations (used the system keychain instead of the login keychain, eliminated certificates that don't seem relevant, etc.) but while all the certs are reported as "valid", the "no root certificate found" notice persists.

The problem that I'm facing is that I'm not able to use the certificate in actual development. The toolchain I'm using (PyInstaller) invokes codesign, and that program fails with the error code errSecInternalComponent. I assume the "no root certificate found" must be the cause.

What have I done wrong? What can I try next to resolve this problem?

mhucka
  • I don't have experience with developer certificates, so I'm guessing here. If the certificate is determined to be valid, could you please add how the "no root certificate found" issue is a problem? Did you try restarting the computer? – Ben Companjen May 26 '23 at 08:51
  • @BenCompanjen thanks for the suggestion. I'll add more details. – mhucka May 26 '23 at 15:28

1 Answer


Additional search and experimentation led to an understanding and a solution. The solution came from answers to another question, which did not at first seem applicable – until I realized what I was actually doing.

I had a Screen Sharing connection to the macOS 10.15 computer I was using, where I was doing all the Keychain Access and certificate work, but simultaneously I was trying to execute my build commands over SSH to the same machine. [*] The fact that I was executing commands in a separate iTerm2 window over ssh was the problem: codesign apparently can't access the keys in the Keychain, and while I assumed I would see any dialogs that any program would need to show (after all, I was looking at the computer's desktop via Screen Sharing at the same time), this assumption was wrong: it turns out it won't do that if running over ssh, even if the same user is simultaneously logged in over Screen Sharing.

The solution turned out to be:

  1. Start a terminal window within Screen Sharing
  2. Run my build commands in that terminal window
  3. A GUI dialog will be presented for your password
  4. Enter the password and click "Always allow"

That's essentially this answer to the Stack Overflow question linked above.

[*] Because I'm working on automating the builds, and it's more comfortable to do from a local iTerm2 window than in an iTerm2 window running inside Screen Sharing. Eventually I need to be able to run everything over ssh without having to interact with the system over Screen Sharing.

mhucka
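The failure described in the answer above can be caught before the build starts. The following preflight is an added example, not part of the original question or answer: it parses `security find-identity -p codesigning` output and reports whether the shell is an SSH session, where the keychain access dialog cannot appear. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: preflight for codesign builds (not from the original post).

# Constructed sample of `security find-identity -p codesigning` output;
# the hash and name are placeholders, not real identifiers.
SAMPLE_OUTPUT='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "Mac Developer: Example Name (XXXXXXXXXX)"
     1 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000000 "Mac Developer: Example Name (XXXXXXXXXX)"
     1 valid identities found'

# Heuristic: sshd sets these variables for the sessions it starts.
in_ssh_session() {
    [ -n "${SSH_CONNECTION:-}" ] || [ -n "${SSH_TTY:-}" ] || [ -n "${SSH_CLIENT:-}" ]
}

# stdin: find-identity output. Prints how many identities appear under
# "Valid identities only" (the numbered "N) HASH ..." lines).
count_valid_identities() {
    awk '/Valid identities only/ { in_valid = 1; next }
         in_valid && /^[ \t]*[0-9]+\)/ { n++ }
         END { print n + 0 }'
}

# stdin: find-identity output. Prints one status token on stdout and an
# explanation on stderr; returns non-zero when signing is likely to fail.
codesign_preflight() {
    valid=$(count_valid_identities)
    if [ "$valid" -eq 0 ]; then
        echo "no valid code signing identity in the keychain search list" >&2
        echo "no-valid-identity"; return 2
    fi
    if in_ssh_session; then
        echo "SSH session: the keychain access dialog cannot be shown here;" >&2
        echo "run the build once from a terminal inside the GUI session" >&2
        echo "ssh-session"; return 1
    fi
    echo "ok"
}

# On a Mac, check the real keychain; elsewhere, check the constructed sample.
if command -v security >/dev/null 2>&1; then
    security find-identity -p codesigning | codesign_preflight || true
else
    printf '%s\n' "$SAMPLE_OUTPUT" | codesign_preflight || true
fi
```

A result of `ssh-session` with a valid identity present matches the situation in the answer: the certificate is fine, but the first signing run has to happen in a terminal inside the GUI session so the dialog can be answered.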