
Decoding Mac App Store designated requirements


I have the following designated requirement in my app:

(
    anchor apple generic
    and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ 
or
    anchor apple generic
    and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
    and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
    and certificate leaf[subject.OU] = <redacted_team_id>
)
    and identifier "com.company.app"

Now I’m trying to validate a development build of my app against this DR. The “apple generic” root certificate check works fine, the bundle identifier check works fine. The certificate check in the first branch (6.1.9) looks for an “Apple Mac App Signing (Release)” certificate, so it fails. That’s expected with a development build.

As I understand the DR, the second branch (checking for certificate fields 6.2.6 and 6.1.13) should apply to development builds, but both certificate field checks fail:

$ codesign --verify -R="certificate 1[field.1.2.840.113635.100.6.2.6]" MyApp.app
test-requirement: code failed to satisfy specified code requirement(s)
$ codesign --verify -R="certificate leaf[field.1.2.840.113635.100.6.1.13]" MyApp.app
test-requirement: code failed to satisfy specified code requirement(s)

My question is: what exactly are the 6.2.6 and 6.1.13 certificate fields and why doesn’t my (properly signed) development build match them?


Solution

  • The 6.2.6 and 6.1.13 certificate fields are related to apps signed with the Developer ID certificate. The development build doesn’t match them because it was signed with the plain Mac development certificate.
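
As an added example (not part of the original question or answer, and not Apple tooling): the sketch below splits the DR from the question into its two `or` branches and reports which `certificate …[field.OID]` checks a given signing chain fails. It covers only the certificate field checks; the OID labels follow the descriptions given above, and both certificate chains are constructed sample data.

```python
import re

# Labels follow the question and answer above; this is not an Apple API.
OID_LABELS = {
    "1.2.840.113635.100.6.1.9": "Mac App Store release signing (leaf)",
    "1.2.840.113635.100.6.2.6": "Developer ID (intermediate)",
    "1.2.840.113635.100.6.1.13": "Developer ID (leaf)",
}
DR = """(
    anchor apple generic
    and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or
    anchor apple generic
    and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
    and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
    and certificate leaf[subject.OU] = <redacted_team_id>
)
    and identifier "com.company.app"
"""
FIELD_RE = re.compile(r"certificate\s+(leaf|\d+)\s*\[field\.([\d.]+)\]")

def split_branches(dr):
    """Return the 'or' alternatives inside the DR's outer parentheses."""
    dr = re.sub(r"/\*.*?\*/", "", dr)          # drop /* exists */ comments
    inner = dr[dr.index("(") + 1:dr.rindex(")")]
    return [b.strip() for b in re.split(r"\bor\b", inner)]

def field_checks(branch):
    """(chain position, OID) pairs a branch requires; leaf is position 0."""
    return [(0 if pos == "leaf" else int(pos), oid)
            for pos, oid in FIELD_RE.findall(branch)]

def missing_fields(dr, chain):
    """chain[i] is the set of extension OIDs on certificate i (0 = leaf).
    Returns, per branch, the field checks that chain does not satisfy."""
    return [[(p, o) for p, o in field_checks(b)
             if p >= len(chain) or o not in chain[p]]
            for b in split_branches(dr)]

# Constructed chains (hypothetical): only standard X.509 extensions on the
# development chain; the two Developer ID markers on the other.
DEV_CHAIN = [{"2.5.29.15", "2.5.29.37"}, {"2.5.29.15", "2.5.29.19"}]
DEVID_CHAIN = [{"1.2.840.113635.100.6.1.13"}, {"1.2.840.113635.100.6.2.6"}]

if __name__ == "__main__":
    for name, chain in (("development", DEV_CHAIN), ("Developer ID", DEVID_CHAIN)):
        for i, miss in enumerate(missing_fields(DR, chain), 1):
            gaps = [f"cert {p}: {OID_LABELS[o]}" for p, o in miss]
            print(f"{name} chain, branch {i}:", gaps or "field checks pass")
```
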