Skip to main content

Publish iOS ipa error: unable to build chain to self-signed root for signer ...

·3 mins

While trying to publish a .NET MAUI iOS app I got this error:

Warning: unable to build chain to self-signed root for signer “Apple Distribution: Gerald Versluis (xxxxxx)”

To make sure that you know what to do when I get bitten by this next time, let me write a blog about what fixed it. Maybe it can help you too!

Dissecting the Error #

While the error message doesn’t clear things up for me right away, it does tell me something about certificates. “Self-signed root” has certificates written all over it.

I decided to try my luck with my favorite search engine and quickly got a good number of results with people hitting this exact same error.

The most elaborate one was this one on the Apple Developer Forums.

Checking my Certificates #

Anything certificates on a Mac starts with the Keychain. So opening my Keychain app and searching for my distribution certificate indeed showed me that something was wrong as you can see below.

A screenshot of the macOS Keychain app showing my Apple Developer Distribution certificate showing an error that the certificate is not trusted.
The Keychain app showing my Apple Developer Distribution certificate as not trusted.

Some posts indicated that if you go into this certificate and you look under Trust there are some comboboxes with values to play with, this didn’t do anything for me, so leave it as it is.

The Fix #

What fixed it for me was installing a root certificate from the Apple Developer Portal. I don’t know how it happened, but somehow on my Mac I didn’t have the Worldwide Developer Relations - G3 certificate anymore, which is a root authority certificate that makes my certificates trusted as well.

There is a whole world on these certificates and how they work, so look it up for yourself. What is important here is that you need to have this certificate locally for your own certificates that you get from the Apple Developer Portal to be trusted.

Go to the Apple PKI website and find the Worldwide Developer Relations - G3 (Expiring 02/20/2030 00:00:00 UTC) link. I imagine that the expiring part might change at some point, but the G3 seems to be key here.

Download that to your Mac, double-click and your Keychain app should open again. Nothing seemingly has changed, but this certificate is now installed.

If you go check on your own Distribution certificate again, you can see all is now green and trusted and signing your ipa file for publishing should now work again.

A screenshot of the macOS Keychain app showing my Apple Developer Distribution certificate showing a green text indicating that it's now valid.
The Keychain app showing my Apple Developer Distribution certificate is now valid.

Final thoughts #

This might be the fix for you or maybe it’s still something different. I just thought I’d write this up for myself in case I run into it again.

I’m still not sure what happened. Maybe I deleted this certificate myself somehow or maybe it was something that was supposed to be installed by Apple tooling but didn’t but in either case I’m glad I was able to fix it rather quickly.