Mach-O signing problem with pkcs12

The signing configuration I used is this:
```yml
keys:
  devid:
    token: file
    keyfile: <path to p12 file>
    timestamp: true
    ispkcs12: true

tokens:
  file:
    type: file
timestamp:
  urls:
    - http://timestamp.apple.com/ts01
```
And this is the command:
```bash
relic sign -k devid -f <Mach-O binary> --hardened-runtime --config ./relic.yml
```
Signing succeeds, but when I verify with relic I get this:
```bash
> relic verify ./<Mach-O binary>
./<Mach-O binary> ERROR: validating timestamp: x509: “Timestamp Signer NWK1” certificate is not permitted for this usage
ERROR: 1 or more files did not validate
```
Verifying with `codesign` also fails:
```bash
> codesign -vvv ./macnotary
./<Mach-O binary>: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64
```

The relic version I have used:
```bash
relic version v7.6.2 (h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=)
```
The host I ran this is: `14.2.1 (23C71)` - MacOS Sonoma

Is this a bug, or there is a problem in the process I followed?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Mach-O signing problem with pkcs12 #40

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Mach-O signing problem with pkcs12 #40

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions