WWDR Root certificate issue



I think at this point we’re all aware of the painfull https://developer.apple.com/support/certificates/expiration/ :stuck_out_tongue:

Not sure if Circle-ci has tried to address this issue but I am currently having issues for the last 24 hours, narrowed it down to the old WWDRA cert still being on the server.

When I tried deleting and manually downloading the latest WWDR using a suggestion online:
security delete-certificate -c "Apple Worldwide Developer Relations Certification Authority" /Library/Keychains/System.keychain

I got security: "Apple Worldwide Developer Relations Certification Authority" is ambiguous, matches more than one certificate

Which shows its still there somehow…

----- EDIT -----

This fixes it: sudo security delete-certificate -Z 0950B6CD3D2F37EA246A1AAA20DFAADBD6FE1F75 /Library/Keychains/System.keychain
(credits o @adrienbrault https://github.com/travis-ci/travis-ci/issues/5633)


I brought this up with the team managing the OS X fleet and the certificate should have been removed in the OS X image that we deployed yesterday.

Please double check and let us know if this is not the case. Thanks for bringing it to our attention!


FYI - we also just noticed this:


Thanks no problem!

It seems it is still happening currently though… I’ll try removing the deletion line again in a few days and see if it works


odd, please do let me know if you still see it!


Ok well maybe it’s something different… but I just tried removing the line that deletes the old cert sudo security delete-certificate -Z 0950B6CD3D2F37EA246A1AAA20DFAADBD6FE1F75 /Library/Keychains/System.keychain

and I got this error:

Looks like there are no local code signing identities found, you can run `security find-identity -v -p codesigning` to get this output. Check out this reply for more: https://stackoverflow.com/questions/35390072/this-certificate-has-an-invalid-issuer-apple-push-services


I’m still seeing that /Users/distiller/Library/Keychains/default and /Library/Keychains/System.keychain are containing expired WWDR.

And removing 0950B6CD3D2F37EA246A1AAA20DFAADBD6FE1F75 worked for me.


Indeed, they should be completely flushed from the system by circle-ci though, we shouldn’t have to delete it everytime we push a build… (:


I’m still seeing this, has it been resolved?


I don’t believe it has. It was still an issue for me recently as well


I switched to use Xcode 7 and this went away. I believe its actually caused by Xcode 8’s automatic code signing functionality. If you disable that in your project you may have some luck