4

I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.

When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.

Here is the sequence of errors when trying to evaluate an installer certificate for code signing.

[Screenshots: Step, Step 2, Step 3, Final Error]

THN
Chris Muench

2 Answers

3

I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.

First you have to add your Apple ID to Accounts preferences in Xcode.

  • Start Xcode
  • Select Xcode > Preferences from the navigation bar.
  • At the top of the window select Accounts.
  • Click on the + on the lower left corner and select Add Apple ID...

[Image: Adding your Apple ID]

A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.

[Image: Signing in to your Apple ID]

Select your Apple ID and your team from the right side bar, then click on View Details....

A dialog will appear where you will see your code signing identities and the provisioning profiles.

[Image: Choosing correct signing identity]

For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.

  • If you have not created them you will see a Create button next to them.
  • Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
  • Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!

In future, once you have it all working, I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app; it can also be reached by selecting project > Targets > General > Signing.

Hope that helps you, best of luck!

DrewT
  • Thanks @DrewT for the answer, but I am not able to get my problem resolved by the above steps. Can you please help me further on this? – iYoung Dec 04 '19 at 10:14
  • @iYoung - That depends on what problem you are having. If you are getting `Invalid Extended Key Usage` it likely means you haven't chosen the correct certificate type, which is why I suggested using the GUI creator since it's easier to assess the situation and choose the correct cert type. – DrewT Dec 07 '19 at 16:21
  • I tried the GUI as well but still getting the same error – iYoung Dec 10 '19 at 05:16
  • @iYoung - I think you are misunderstanding. It has nothing to do with which installer you use and everything to do with choosing the correct certificate type – DrewT Dec 10 '19 at 17:29
  • What do you mean by correct certificate type? Sorry but I am trying to create an installer for desktop app for mac – iYoung Dec 11 '19 at 11:53
  • @iYoung - The last photo of my post shows all of the different types of app development certificates that can be created. If you create the wrong type of certificate it won't be valid and you will get the error `Invalid Extended Key Usage`, as you'd be trying to use the cert for a purpose it was not intended for. For installers: to distribute the installer outside of the App Store you need a Developer ID Installer certificate; but to submit your app to the App Store, you need a Mac Installer Distribution certificate. So it largely depends on what you're trying to do and how you are building the program – DrewT Dec 12 '19 at 16:45
0

There are some possible reasons for certificate evaluation failure:

  1. The certificate may not be for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
  2. The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.

Note that you can create a self-signed code signing certificate in the Keychain app for test purposes, following this and this tutorial. Make sure to enable it in "Get Info" > "Trust", set as "Always Trust".

THN
  • I tried recreating using xcode instead of doing a CSR and am still having issues. What certificate do I need for using bitrock install builder...maybe I am doing the wrong type? https://installbuilder.bitrock.com/docs/installbuilder-userguide/ar01s16.html – Chris Muench Jul 18 '18 at 17:18
  • I generated the wrong type of certificate. It needed to be an application NOT installer – Chris Muench Jul 18 '18 at 17:26
  • @ChrisMuench Hrmm, I thought that was the problem. I should have read all the comments before I posted an answer lol! but my answer should still be valid to fix the issue, so I will leave it up for anyone who finds this thread. – DrewT Jul 18 '18 at 17:33
  • Uh, OK. So that is that. – THN Jul 19 '18 at 03:08
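
An added example, not taken from either answer: a standard-library Python sketch that reads the Extended Key Usage extension out of a certificate, so you can see which purposes a certificate actually lists before Keychain Access rejects it. The function names and the two sample inputs are constructed for illustration, and treating a certificate with no EKU extension as unusable is an assumption of this sketch.

```python
import ssl

EKU_EXT = "2.5.29.37"               # id-ce-extKeyUsage
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning

def children(value):
    """Yield (tag, value) for each DER element packed in value."""
    pos = 0
    while pos < len(value):
        tag, length, pos = value[pos], value[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(value[pos:pos + n], "big"), pos + n
        yield tag, value[pos:pos + length]
        pos += length

def decode_oid(body):
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs, acc = arcs + [acc], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def eku_oids(der):
    """Purposes in the Extended Key Usage extension, or None if there is none."""
    for tag, val in children(der):
        kids = list(children(val)) if tag & 0x20 else []  # only descend into constructed
        if tag == 0x30 and kids and kids[0][0] == 0x06 and decode_oid(kids[0][1]) == EKU_EXT:
            inner = next(children(kids[-1][1]))[1]  # OCTET STRING wraps SEQUENCE OF OID
            return [decode_oid(v) for _, v in children(inner)]
        found = eku_oids(val) if kids else None
        if found is not None:
            return found

def usable_for_code_signing(cert):  # cert: PEM text or DER bytes
    der = ssl.PEM_cert_to_DER_cert(cert) if isinstance(cert, str) else cert
    return CODE_SIGNING in (eku_oids(der) or [])  # missing EKU = unusable (assumption)

def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def sample(purpose):
    """Constructed input: only the [3] extensions wrapper of a certificate."""
    eku = tlv(0x30, tlv(0x06, b"\x55\x1d\x25") + tlv(0x04, tlv(0x30, tlv(0x06, purpose))))
    return tlv(0xA3, tlv(0x30, eku))

SAMPLE_CODESIGN = sample(b"\x2b\x06\x01\x05\x05\x07\x03\x03")  # codeSigning
SAMPLE_TLS = sample(b"\x2b\x06\x01\x05\x05\x07\x03\x01")       # serverAuth
```

To check a real certificate, export it from Keychain Access as PEM and pass the file's text to `usable_for_code_signing`; `eku_oids` lists every purpose OID the certificate carries.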