Unable to build chain to self-signed root for signer

I have just created a new Signing Certificate because the old is about to expire. With my Certificate the provisioning profile and .p12 works fine on Volt. But the new one I create I get the “unable to build chain to self-signed root for signer” warning in the build log, and the build fails.

The only difference between two is an Issuer Certificate.
The one that does not work has OU=G3 in subject with signature algorithm – SHA-256
The one that works (old one) has OU=Apple Worldwide Developer Relations and with signature algorithm – SHA-1

There are two intermediate certification authority certs in Apple, and I guess they are both signed with different CA.
The problem is that when we create new cert in apple developer portal it is singed by newest CA that has OU=G3 in subject. Is there a possibility that volt builder does not have that new cert in their keychain?

From the build log:

Signing Identity:     "iPhone Distribution: Acme"
Provisioning Profile: "AcmeAcme"
                      (xxxxxxxxxx)

   /usr/bin/codesign --force --sign AcmeAcme --entitlements /Users/voltbuilder/Library/Developer/Xcode/DerivedData/Test_Acme_SSO-gvjlzkwyjmwespcevmovipltxkde/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Acme\ HR\ SSO/IntermediateBuildFilesPath/Test\ Acmex\ HR\ SSO.build/Debug-iphoneos/Test\ Acme\ HR\ SSO.build/Test\ Acme\ HR\ SSO.app.xcent /Users/voltbuilder/Library/Developer/Xcode/DerivedData/Test_Acme_HR_SSO-gvjlzkwyjmwespcevmovipltxkde/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Acme\ Acme\ SSO/InstallationBuildProductsLocation/Applications/Test\ Acme\ HR\ SSO.app
Warning: unable to build chain to self-signed root for signer "iPhone Distribution: Acme  "
/Users/voltbuilder/Library/Developer/Xcode/DerivedData/Test_Acme_HR_SSO-gvjlzkwyjmwespcevmovipltxkde/Build/Intermediates.noindex/ArchiveIntermediates/Test Acme HR SSO/InstallationBuildProductsLocation/Applications/Test Acme HR SSO.app: errSecInternalComponent
Command CodeSign failed with a nonzero exit code

** ARCHIVE FAILED **


The following build commands failed:
	CodeSign /Users/voltbuilder/Library/Developer/Xcode/DerivedData/Test_Acme_HR_SSO-gvjlzkwyjmwespcevmovipltxkde/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Acme\ HR\ SSO/InstallationBuildProductsLocation/Applications/Test\ Acme\ HR\ SSO.app
(1 failure)
Command finished with error code 65: xcodebuild -workspace,Test Acme HR SSO.xcworkspace,-scheme,Test Acme HR SSO,-configuration,Debug,-destination,generic/platform=iOS,-archivePath,Test Acme HR SSO.xcarchive,archive,CONFIGURATION_BUILD_DIR=/platforms/ios/build/device,SHARED_PRECOMPS_DIR=/platforms/ios/build/sharedpch,EMBEDDED_CONTENT_CONTAINS_SWIFT = YES,ALWAYS_EMBED_SWIFT_STANDARD_LIBRARIES=NO,LD_RUNPATH_SEARCH_PATHS = "@executable_path/Frameworks"
xcodebuild: Command failed with exit code 65
Error: xcodebuild: Command failed with exit code 65
    at ChildProcess.whenDone (/node_modules/cordova-common/src/superspawn.js:136:25)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1048:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:288:5)

The following build commands failed:
	CodeSign /Users/voltbuilder/Library/Developer/Xcode/DerivedData/Test_Acme_HR_SSO-gvjlzkwyjmwespcevmovipltxkde/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Acme\ HR\ SSO/InstallationBuildProductsLocation/Applications/Test\ Acme\ HR\ SSO.app
(1 failure)
reset_keychain
Output: 
Build 9df85d25-632d-4bd8-bd38-e7e828693287 failed

We’re looking into this.

Something doesn’t seem right here. OU=G3 means it is signed by Google, which doesn’t sound like something Apple would do.

I just generated a new certificate of my own and got

Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority

Are you sure you are creating an iOS Development/Distribution certificate?

(Also, try out our Certificate Wizard - it’s much easier)

Hello,
According to apple statement https://developer.apple.com/support/expiration/ from September 2 they started to issue certificates which are singed with their new intermediate certificate which has OU=G3, it is still issued by Apple of course. We are using Apple Enterprise account and we’re generating certificate for In-House and Ad Hoc distribution. There are no other choices and as result we get the certificate signed by this new intermediate certificate with OU=G3 in subject.

We can successfully build locally with Xcode using this new certificate, but it fails in volt.builder. So the logical question would be - Is this new intermediate certificate is known by volt and trusted?

Thank you!

Ah - I didn’t try those certificate types. I’ll give it a try.

Would you submit your job once more? I’d like to watch what happens.

Sure, just submitted. Same error:

/usr/bin/codesign --force --sign 9E7069348786965552965D15A2A030AC1B0D348E --entitlements /Users/enterpriseneptune/Library/Developer/Xcode/DerivedData/Test_Zalaris_HR_App_SSO-aivhgqefglywfjfnnjcrjspckqfb/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Zalaris\ HR\ App\ SSO/IntermediateBuildFilesPath/Test\ Zalaris\ HR\ App\ SSO.build/Release-iphoneos/Test\ Zalaris\ HR\ App\ SSO.build/Test\ Zalaris\ HR\ App\ SSO.app.xcent /Users/enterpriseneptune/Library/Developer/Xcode/DerivedData/Test_Zalaris_HR_App_SSO-aivhgqefglywfjfnnjcrjspckqfb/Build/Intermediates.noindex/ArchiveIntermediates/Test\ Zalaris\ HR\ App\ SSO/InstallationBuildProductsLocation/Applications/Test\ Zalaris\ HR\ App\ SSO.app
Warning: unable to build chain to self-signed root for signer “iPhone Distribution: Zalaris HR Services AS”
/Users/enterpriseneptune/Library/Developer/Xcode/DerivedData/Test_Zalaris_HR_App_SSO-aivhgqefglywfjfnnjcrjspckqfb/Build/Intermediates.noindex/ArchiveIntermediates/Test Zalaris HR App SSO/InstallationBuildProductsLocation/Applications/Test Zalaris HR App SSO.app: errSecInternalComponent
Command CodeSign failed with a nonzero exit code

** ARCHIVE FAILED **

App Bundle: com.zalaris.hrapp2.test.sso

Thanks - give it another try now.

Just tried, same error.

Looks like one of the servers isn’t caught up yet. Can you submit again? Most of them have been updated - the last one should be soon.

Now it’s building without errors. Super!
Thanks a lot for assistance!

Thanks for identifying this! All servers should now be updated.

I have just experienced the same error. I was trying to build a test version of my app, rather than a release version. I’ve generated a new development certificate and built a new provisioning file using this certificate. My VoltBuilder.json file contains both the distribution certificates and the development ones. To generate a development executable, I assume I just change “release” to "release: “debug” - is this correct? I assume then that I can load the development executable into my device by scanning the QR code once I have successfully generated a development executable. I can attach the log if that would help.
Many thanks, really happy with Voltbuilder Support!
Regards
Brian Preece

Could you run your job once more? I’d like to trace it.

Sorry, been busy with other projects. Will rerun now

OK, done. Can run again if necessary

Tell me about your certificates. When and how were they created?

They were created with Voltsigner a few days ago. Would you like me to attach them?

No need. I’ll be looking at this today.

Thanks. Out for about 45 mins shortly, then back for the rest of the day.

Much appreciated