Chris Muench

Reputation: 18318

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage

I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.

When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.

Here is the sequence of errors when trying to evaluate an installer certificate for code signing.

[Screenshots: Step, Step 2, Step 3, Final Error]

Upvotes: 4

Views: 4757

Answers (2)

DrewT

Reputation: 5072

I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.

First you have to add your Apple ID to Accounts preferences in Xcode.

  • Start Xcode
  • Select Xcode > Preferences from the navigation bar.
  • At the top of the window select Accounts.
  • Click on the + on the lower left corner and select Add Apple ID...

Adding your Apple ID

A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.

Signing in to your Apple ID

Select your Apple ID and your team from the right side bar, then click on View Details....

A dialog will appear where you will see your code signing identities and the provisioning profiles.

Choosing correct signing identity

For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.

  • If you have not created them you will see a Create button next to them.
  • Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
  • Note: If you already have Code Signing Identities issued to your developer account: you will see a Reset button next to them. You can issue new certificates with it, that Xcode will generate and download, however note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!

In future, once you have it all working, I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certificate whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app. It can also be reached by selecting project > Targets > General > Signing.

Hope that helps you, best of luck!

Upvotes: 3

THN

Reputation: 3611

There are some possible reasons for certificate evaluation failure:

  1. The certificate may not be for code signing (similar to this). In this case, you should obtain a new certificate that supports code signing.
  2. The certificate may be for code signing but damaged (similar to this). In this case, you should delete this certificate and install it again.

Note that you can create a self-signed code signing certificate in the Keychain app for test purposes, following this and this tutorial. Make sure to enable it in "Get Info" > "Trust", set as "Always Trust".

Upvotes: 0
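
One way to check the first point in the answer above from the command line, as an added example that is not part of either answer: it reads a PEM certificate's Extended Key Usage extension and tests for the standard Code Signing purpose (OID 1.3.6.1.5.5.7.3.3). The function names and the throwaway self-signed test certificates are constructed for this example, and it assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example: test whether a PEM certificate lists the Code Signing EKU.
# Function names are hypothetical; test certificates are constructed throwaways.

# Print the Extended Key Usage values of a PEM certificate (empty if none).
cert_eku() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Extended Key Usage' | tail -n +2 | sed 's/^ *//'
}

# Succeed only when the certificate lists Code Signing (1.3.6.1.5.5.7.3.3).
has_code_signing_eku() {
  cert_eku "$1" | grep -q 'Code Signing'
}

# Create a self-signed test certificate carrying one extendedKeyUsage value.
# usage: make_test_cert <eku-name> <out.pem>   (runs in a subshell)
make_test_cert() (
  dir=$(mktemp -d)
  cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = constructed-test-cert
[ext]
extendedKeyUsage = $1
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
    -keyout "$dir/key.pem" -out "$2" 2>/dev/null
  rm -rf "$dir"
)

# On macOS, a keychain certificate can be exported for the same check with:
#   security find-certificate -c "<certificate name>" -p > cert.pem
#   has_code_signing_eku cert.pem && echo "lists Code Signing"
```

A certificate for which `cert_eku` prints nothing has no Extended Key Usage extension at all, which is a different condition from one that lists other purposes only.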
