Codesign command has no way to ignore expired identities

Originator: m4ttcheetham
Number: rdar://22091226 Date Originated: 31-Jul-2015 03:07 PM
Status: Closed Resolved: 22-Sep-2016 08:23 AM
Product: OS X Product Version: 10.10.4
Classification: Feature (New) Reproducible: Not Applicable
 
Summary:
When providing the name of a code signing identity to use to codesign with there is no option or flag to ignore expired certificates. For example, I had an expired certificate with the same name as the renewed certificate and code signing throws an error because it finds two certificates with the same name. If the ignore expired option existed this command would complete as it would just use the new identity.

Steps to Reproduce:
Have two identities in the keychain with the same name but have one expired. Attempt to codesign with a command such as

codesign -f -s "iPhone Distribution: 3 Sided Cube Design Ltd (25H7BM6YWK)" --entitlements /Users/matthewcheetham/Desktop/Payload/ARC\ Flood.app/archived-expanded-entitlements.xcent /Users/matthewcheetham/Desktop/Payload/ARC\ Flood.app/ARC\ Flood

See the error:

 Distribution: 3 Sided Cube Design Ltd: ambiguous (matches "iPhone Distribution: 3 Sided Cube Design Ltd" and "iPhone Distribution: 3 Sided Cube Design Ltd" in /Users/matthewcheetham/Library/Keychains/login.keychain)

Expected Results:
Codesign should have a flag to ignore expired and succeed with signing. 

Actual Results:
Codesigning fails.
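As an added example (not part of this report or of Apple's tooling), the workaround a practitioner would reach for while the flag does not exist: let `security find-identity -v` do the expiry screening (with -v it lists valid identities only) and hand codesign the SHA-1 hash of the one surviving identity instead of its name, which cannot collide with the expired twin. The `security` output below is constructed; the hashes, the second identity and the paths in the comment are placeholders, and only the Radar's own identity name is taken from the report.

```shell
#!/bin/sh
# Added example (not from the Radar or Apple's tools): sign with the SHA-1 hash of the
# one valid identity rather than its name, so an expired twin cannot make the name
# ambiguous. `security find-identity -v` lists valid (non-expired) identities only.

# Read `security find-identity -v -p codesigning` output on stdin and print the SHA-1
# hash of the single valid identity whose common name contains $1.
# Exit 1 if none matches, 2 if more than one still does.
pick_identity_hash() {
  awk -v want="$1" '
    # identity lines look like:   1) <40 hex chars> "Common Name (TEAMID)"
    $1 ~ /^[0-9]+[)]$/ && length($2) == 40 && $2 ~ /^[0-9A-F]+$/ {
      name = $0
      sub(/^[^"]*"/, "", name)     # drop everything up to the opening quote
      sub(/"[^"]*$/, "", name)     # drop the closing quote and anything after it
      if (index(name, want) > 0) { n++; hash = $2 }
    }
    END {
      if (n == 1) { print hash; exit 0 }
      if (n == 0) { print "no valid identity matching: " want > "/dev/stderr"; exit 1 }
      print "still ambiguous: " n " valid identities match: " want > "/dev/stderr"; exit 2
    }'
}

# Constructed stand-in for the real `security` output so the example runs offline.
# Hashes and the second identity are placeholders; the expired duplicate of the
# distribution identity does not appear because -v filters it out.
sample_valid_identities() {
  cat <<'EOF'
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "iPhone Distribution: 3 Sided Cube Design Ltd (25H7BM6YWK)"
  2) FEDCBA9876543210FEDCBA9876543210FEDCBA98 "Mac Developer: Example Person (EXAMPLE123)"
     2 valid identities found
EOF
}

# On macOS the same selection feeds codesign (placeholder paths, not run here):
#   hash=$(security find-identity -v -p codesigning |
#          pick_identity_hash "iPhone Distribution: 3 Sided Cube Design Ltd") &&
#   codesign -f -s "$hash" --entitlements "$ENTITLEMENTS_FILE" "$APP_BINARY"
sample_valid_identities | pick_identity_hash "iPhone Distribution: 3 Sided Cube Design Ltd"
```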

Comments

m4ttcheetham

I am unable to test this behaviour at the minute due to not having any expired certificates. I'm happy to mark as resolved for now and will reopen in the future if I experience the issue again, although the new SecItem stuff sounds like it should do the trick.

By m4ttcheetham at Sept. 22, 2016, 7:23 a.m.

Apple Developer Relations

We switched to the new SecItem-based identity search in macOS 10.12. This should take care of screening out expired identities.

Please update to 10.12 and test again.

Please let us know whether the issue is resolved for you by updating your bug report.

By m4ttcheetham at Sept. 15, 2016, 7:24 a.m.