macos certificate code-signing keychain

macOS installer certificate evaluation error in Keychain: Invalid Extended Key Usage


I generated a Mac installer certificate for use with code signing and am getting an error that is preventing me from using the certificate to sign the installer.

When evaluating the certificate in Keychain Access, I got an error: Invalid Extended Key Usage.

Here is the sequence of errors when trying to evaluate an installer certificate for code signing.

[Screenshots: Step, Step 2, Step 3, Final Error]


Solution

  • I find this process works better when generating code signing keys with Xcode rather than through the Keychain Access app directly. This will help you create your code signing certificate with the correct provisioning and signing parameters for the type of app you are developing. If you don't yet have a paid developer account with Apple, you can still create a self-signed certificate for code signing to generate signed apps without uploading them to the App Store.

    First you have to add your Apple ID to Accounts preferences in Xcode.

    • Start Xcode
    • Select Xcode > Preferences from the navigation bar.
    • At the top of the window select Accounts.
    • Click on the + on the lower left corner and select Add Apple ID...

    Adding your Apple ID

    A dialog will appear. Add your Apple ID and your password, then select Sign in. If you don't have an account you can create your Apple ID by selecting Create Apple ID.

    Signing in to your Apple ID

    Select your Apple ID and your team from the right side bar, then click on View Details....

    A dialog will appear where you will see your code signing identities and the provisioning profiles.

    Choosing correct signing identity

    For iOS development, under the signing identities locate the iOS Development and iOS Distribution profiles.

    • If you have not created them you will see a Create button next to them.
    • Simply select it and Xcode will issue and download your code signing identities for you with the correct developer certificate params for iOS app development.
    • Note: If you already have code signing identities issued to your developer account, you will see a Reset button next to them. You can use it to issue new certificates, which Xcode will generate and download; however, note that this will invalidate your previous certificate, so only do this if you've lost those files or if you know what you are doing!

    In future, once you have it all working, I also suggest clicking the option in Xcode to allow it to automatically manage code signing. This will automatically renew your certification whenever it expires, so there won't be extra steps to renew. This option should be available in the general project settings of your app; it can also be reached by selecting project > Targets > General > Signing.

    Hope that helps you, best of luck!