Reputation: 5123
I am trying to add new provisioning profile to my Xcode, to test an app on the device. Here are the steps I followed:
Deleted all certificates and provisioning profiles
Create/Add iOS Dev Certificate
Add My iOS Device Online
Create iOS Provisioning Profile
Add iOS Provisioning Profile
Clean App
Build Then Run App
Set Codesigning and Provisioning Profile In Build Settings
Lots of Googling > to no successes
Here is the error I get:
CSSM_SignData returned: 800108E6
/Users/alexpelletier/Library/Developer/Xcode/DerivedData/MyExpense-efnqzvoqwngzcmazaotyalepiice/Build/Products/Debug-iphoneos/MyExpense.app: errSecInternalComponent
Command /usr/bin/codesign failed with exit code 1
Upvotes: 147
Views: 127287
Reputation: 31
To be able to sign your app, your certificate has to be valid. You can check that by selecting your imported certificate in Keychain Access for the following:
For your certificate to be considered valid, when you are creating a new certificate, you have to import these certificates into your system keychains before creating your certificate:
Upvotes: 0
Reputation: 753
Open "Keychain Access" app, and check on the several keychains if you have any expired developer certificates.
If so, remove the ones that have expired, that should solve the problem, and now you should be able to build and run your code.
Upvotes: 0
Reputation: 385500
I ran into a similar problem trying to sign a macOS app with a Developer ID Application certificate. I could sign with it after a reboot, until I connected to my company VPN, at which point signing broke. I narrowed it down to this little test:
$ cp -f /usr/bin/true /tmp/true; codesign -s SECRET1234 -f /tmp/true
/tmp/true: replacing existing signature
Warning: unable to build chain to self-signed root for signer "Developer ID Application: My Company, Inc. (SECRET1234)"
/tmp/true: errSecInternalComponent
My company uses the Cisco AnyConnect VPN and on top of that uses Duo two-factor authentication. I also had updated my Intel MacBook Pro from macOS Ventura 13.5.1 to 13.5.2 recently.
Ultimately, I fixed it as follows:
I looked at my certificate in Keychain Access and found that the issuer is common name "Developer ID Certification Authority", organizational unit "G2", expiring in September 2031.
I went to the Apple PKI page and downloaded the "Developer ID - G2 (Expiring 09/17/2031 00:00:00 UTC)" certificate to file DeveloperIDG2CA.cer.
In Keychain Access, I deleted the "Developer ID Certification Authority" certificate.
In Keychain Access, I imported the certificate file DeveloperIDG2CA.cer.
After those steps, I was able to sign even after connecting the VPN.
The post “Fixing an untrusted code signing certificate” from Apple engineer Quinn on Apple's developer forum was helpful.
Upvotes: 1
Reputation: 31
The above methods are useless to me.
I resolved it by:
That's it. Hope it helps anyone.
Upvotes: 1
Reputation: 927
Just do partitioning:
security set-key-partition-list -S "apple:" /Users/jenkins/Library/Keychains/login.keychain-db
Upvotes: 0
Reputation: 8230
If you have a code signing certificate with the same name in the keychain, make sure you remove it. I had one which Xcode reported as "Missing private key". I had to remove it via Keychain Access before the correct certificate was used by codesign.
Upvotes: 0
Reputation: 8230
For me, I was able to sign files when using the Mac directly or via VNC, but not via ssh. I figured it must be something to do with access to the certificate within the keychain. I was already doing a security unlock-keychain [keychain name] but this didn't appear good enough.
What finally fixed it for me was (within a direct/VNC connection, not ssh):
security unlock-keychain [keychain name]
.codesign
tool. You will be challenged for a password to the keychain. From now on I was able to use codesign via ssh, so long as I included security unlock-keychain [keychain name] before the command.
Upvotes: 2
Reputation: 5781
Posting a work-around that we finally had to resort to, in case someone else is running out of things to try...
After installing a new Apple Distribution certificate in our "login" keychain, our Jenkins job suddenly started to fail signing iOS apps with the same errSecInternalComponent error:
Command /usr/bin/codesign failed with exit code 1
Our build pipeline calls security unlock-keychain, and we have no problems with our Enterprise Distribution cert (which was coincidentally updated and installed in the same Keychain just a few weeks prior), where the unlocking works as expected.
After trying all the usual things mentioned in this thread and elsewhere, we ended up running codesign manually as the Jenkins user in a new Terminal window, taking the exact same command as found in the Jenkins log: /usr/bin/codesign --force --sign...
This prompted entering the password to unlock the Keychain, which we did, and then selected "Always Allow".
After that Jenkins manages to sign (as expected).
This is obviously a bit of a work-around since we might have to do this again when the cert has expired, and it's really strange that unlocking works for Enterprise certs, but not the cert used for distributing through App Store... They literally share the same pipeline.
Upvotes: 2
Reputation: 712
If you get errSecInternalComponent after "Warning: unable to build chain to self-signed root for signer …", you might have the wrong Apple World Wide Developer Relations root certificate in your keychain. In this case, make sure that you import the WWDR certificate with which your developer certificate was signed. I imported the WWDR certificate expiring in 2023 and two hours later finally realized that it didn't work because my developer certificate had been signed with the WWDR certificate expiring in 2030 (AppleWWDRCAG3.cer). Download page: https://www.apple.com/certificateauthority/
Upvotes: 2
Reputation: 3800
This occurs when the login keychain is locked. To unlock the login keychain, run:
security unlock-keychain login.keychain
If your keychain is password-protected, specify the password using the -p option:
security unlock-keychain -p PASSWORD login.keychain
If you're using a continuous integration system, you'll likely want to inject the password via an environment variable/token, which most CI systems offer in their settings.
The error code in question is described in Apple's docs as an internal error, so it's entirely possible this occurs in other cases too.
Upvotes: 124
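As an added example (not taken from any answer on this page), the CI/ssh advice above can be combined into one pre-sign wrapper: unlock the keychain with a password read from the environment, set the key partition list so codesign is not blocked by a GUI prompt, and, if signing still fails, separate the certificate-chain cause from the keychain-access cause. `KEYCHAIN_PATH`, `KEYCHAIN_PASSWORD` and the function names are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example: signing wrapper for CI or ssh sessions on macOS.
# KEYCHAIN_PATH and KEYCHAIN_PASSWORD are assumed variable names, set as CI secrets.

# Unlock the keychain for this session and let codesign use the signing key.
prepare_keychain() {
    kc=$1
    if [ -z "${KEYCHAIN_PASSWORD:-}" ]; then
        echo "KEYCHAIN_PASSWORD is not set" >&2; return 2
    fi
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$kc" || return 3
    # Partition list: lets Apple-signed tools such as codesign use the
    # signing keys without the "Always Allow" dialog.
    security set-key-partition-list -S apple-tool:,apple: -s \
        -k "$KEYCHAIN_PASSWORD" "$kc" >/dev/null || return 4
    # Stop early when the keychain holds no usable signing identity.
    security find-identity -v -p codesigning "$kc" |
        grep -q '[1-9][0-9]* valid identities found' || return 5
}

# Map codesign's output to the two causes described in the answers above.
triage_codesign_output() {
    case $1 in
        *"unable to build chain to self-signed root"*)
            echo "chain: install the intermediate that issued the signing cert" ;;
        *errSecInternalComponent*)
            echo "keychain: locked, or codesign may not use the private key" ;;
        *)  echo "other" ;;
    esac
}

# Sign one path; on failure print a triage hint next to the raw error.
sign_path() {
    identity=$1 target=$2
    prepare_keychain "${KEYCHAIN_PATH:-login.keychain}" || return $?
    if ! out=$(codesign --force --sign "$identity" "$target" 2>&1); then
        echo "$out" >&2
        triage_codesign_output "$out" >&2
        return 1
    fi
}
```

Source the file in the build job and call `sign_path "<identity>" <path>`; the `-p` value is visible in the process list while `security` runs, so a dedicated build keychain with its own password limits what a leak exposes.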
Reputation: 1
Just wanted to call out what I did, in case someone faces a similar issue. In my case my Apple dev and distribution certificates, keys and provisioning profiles were up to date. My iOS code build was working in user mode without any issue; however, it does not work due to a code sign issue when the code build runs with root privileges, i.e. % sudo or invoking Xcode using sudo through the command line.
So, I copied the corresponding working certificates and keys from the login to the system location in the keychain tool. Then it started working without any code sign issue.
Similarly, exporting the required certificates and keys for the build from the working machine and importing those into the non-working machine's keychain tool may solve the issue.
Upvotes: 0
Reputation: 6658
In my case, this solved it.
xcode -> preferences -> accounts -> select the account -> manage certificate -> (+) in bottom left -> Apple development
Ref: https://stackoverflow.com/a/62646138/234110
Upvotes: 1
Reputation: 2157
Nothing from the above solutions worked for me.
The following solution worked for me...
Upvotes: 4
Reputation: 1035
In my case BUCK was trying to sign the IPA for development, but there were not any development certificates installed. Changing the build config to release (this is what I needed - to build for iTunes) fixed it for me.
Upvotes: 0
Reputation: 4330
I had to:
1) delete the certificate associated to the project
2) Go back to Xcode and revoke the app certificate
3) Xcode requires a new certificate
4) Lock all keychains
5) Clean the project
6) Rebuild
That's it. Hope it helps anyone.
Upvotes: 3
Reputation: 2437
Right clicking on the private key associated with the codesigning cert in the keychain, and then clicking on 'allow all applications' instead of relying on a prompt fixed it for me, since the build was happening via ssh.
Upvotes: 2
Reputation: 95
For anyone who encountered this issue from Jenkins and ssh:
There is a high possibility that you have not granted access to the private key in the keychain. I tried, but I'm not sure why all of these are not working:
Finally resolved by:
1. ssh [user]@[jenkinsServerIP] -L 5900:localhost:5900, log into the Jenkins server
2. open 'vnc://localhost'
This will launch a remote screen, if your Jenkins server allows this...
Then open keychain.app to grant access of /usr/bin/codesign to the private key.
Good luck
Upvotes: 4
Reputation: 453
As pointed out by @Equilibrium in one of the comments, if you are in a command line env. like Jenkins (my case), you might need to pass the password to the security-unlock command mentioned in the solutions.
So instead of using,
security unlock-keychain login.keychain
use:
security unlock-keychain -p <login-keychain-password> <path-to-login-keychain>
where path-to-login-keychain can be $HOME/Library/Keychains/login.keychain (my case) or simply login.keychain
Upvotes: 4
Reputation: 3541
Open Keychain Access, then in the File menu select Lock All Keychains.
Then go back to Xcode and clean and rebuild. It will prompt you for your password again to unlock the keychain.
After this, assuming you have no other compile issues, it will succeed!
Upvotes: 274
Reputation: 1357
I ran security unlock-keychain login.keychain and my login password didn't work. So I rebooted, and then just ran Xcode again and it worked. Running the command works as well. Strange issue.
Upvotes: 3
Reputation: 2374
I had the same issue. Found out the problem is with code signing the app.
Opened the developer account and accepted the updated agreement and it worked.
Upvotes: 2
Reputation: 11
Just try it once using the Mac terminal, not from an ssh session:
security unlock-keychain login.keychain
And choose always allow in the prompted dialog. And then you could xcodebuild in the remote session.
Upvotes: 1
Reputation: 121
If trying to sign from ssh run command:
security unlock-keychain login.keychain
before trying to sign app bundle
or from UI
Update key access control to "Allow all applications to access this item"
Thx to @Equilibrium and @Jon McClung
Upvotes: 2
Reputation: 694
Had the same issue on High Sierra/Xcode 9.4.1, all attempts to sign ended in errSecInternalComponent
Alternatively:
run codesign command on mac terminal and "Always allow" /usr/bin/codesign access to key
If trying to sign from ssh/CI you also need to run
security unlock-keychain login.keychain
before trying to sign app bundle
Upvotes: 49
Reputation: 89926
In case it helps someone else, I encountered an errSecInternalComponent error with codesign because I was running it over an ssh session to my macOS machine. Running the same command from a terminal window on the macOS machine itself worked.
Presumably this is because codesign needs access to the private key from the login keychain.
Running security unlock-keychain login.keychain (as explained by cbracken's answer) from the same session also should work.
Upvotes: 14
Reputation: 7292
I have met the same problem. I restarted my macOS, and it works.
In China, we have a saying between developers:
Little problems, just restart. Big problems, should reinstall.
Sometimes, the above saying will greatly help you!
Upvotes: 24
Reputation: 1065
It seems like a bug in the code signing mechanism; restarting your Mac should solve the problem.
Upvotes: 83