Error -25294

Code Signing Certificates, Identifiers & Profiles
NDADP OEM OP
Created Mar ’21
Replies 12
Boosts 3
Views 46k
Participants 15
I'm trying to add signing certificate from developer.apple.com to my keychain but I'm getting to have error says "An error occurred. Unable to import <certificate name>. Error -25294". Certificate is valid and I can not do anything with this error. Any idea what can be the reason for this error?
Answered by DTS Engineer in 868803022

Sorry I didn’t reply sooner; older versions of DevForums had a bug that meant that I didn’t see updates on this thread (that’s fixed now, so yay!).

edit the trust settings to be able to use it normally.

Monkeying with trust settings on a code-signing certificate is a bad idea. It can trigger the dreaded errSecInternalComponent. I talk more about this in Fixing an untrusted code signing certificate.

Is there any information why this does not work with iCloud Keychain?

Not really.

Keychain Access is very much on the way out as a user-level feature. Witness, for example, its recent move from Applications > Utilities to /System/Library/CoreServices/Applications. Given that, it’s easy to see why big picture issues like this aren’t being addressed.

Having said that, the file-based keychain is also on its way out, as explained in TN3137 On Mac keychain APIs and implementations. One significant remaining client of the file-based keychain is code signing. For example, developers use:

  • Keychain Access > Certificate Assistant to create code-signing identities outside of Xcode
  • The security tool to manage signing assets on CI/CD systems
  • Keychain Access for investigating problems

If the file-based keychain went away, or we stopped using it for code signing, we’d need replacements for all this stuff. It’s not clear what that’d look like, and that’s most definitely in The Future™ and thus not something I’m going to speculate about.

Any news about the bug report you've filed … ?

It remains unfixed.

I had to unlock my "System" keychain

Just to be clear, I recommend that you not store code-signing digital identities in the System keychain. In general, I recommend that you use the login keychain. It’s also reasonable to use a custom file-based keychain.

Then I double clicked the certificate in Finder

It’s better to run Keychain Access, choose File > Import Items, and click the Options box so that you can select the target keychain. This avoids any possibility of Keychain Access defaulting to the wrong keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Replies  12
Boosts  3
Views  46k
Participants  15
DTS Engineer OP
Apple
Mar ’21
Hmmm. Error -25294 is errSecNoSuchKeychain, suggesting that there’s something borked about your keychain. Just as a test, try this:

  1. Create a new user account on your Mac (using System Preferences > Users & Groups).

  2. Log in is that account.

  3. Try to import the certificate there.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
1
NDADP OEM OP
Mar ’21
Thank you for your answer. But I don't think it'll work cause it's working account and I need to upload certificate exactly for this user.
1
DTS Engineer OP
Apple
Mar ’21

But I don't think it'll work cause it's working account and I need to

My suggestion wasn’t a workaround but rather a diagnostic test. You should see one of two results:

  • The import succeeds — In this case it seems likely that there’s something broken about the keychain on the original account.

  • The import fails in the same way — That suggests that there’s something broken about the certificate (which would be weird).

Once you know the results of this test, you have an avenue for further investigation.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
2
Matt_SoundFingers OP
Jul ’21

In case of someone stumble upon this error : I'm running Catalina 10.15.7 here. I downloaded the certificate file, following these instructions :

Create a certificate signing request

When launching the certificate installer, a popup box shows up and asks in which keychain you want to install it. I first selected iCloud keychain, then I got this error.

I launched it again and I selected the 'System' keychain location and then it worked. (not sure why and if this will work for others but it worked for me).

29
dceddia OP
Jan ’22

I ran into this error. For me, the problem ended up being that in the import dialog, the keychain selected was "Local Items". Picking "login" from the dropdown fixed the error.

13
DTS Engineer OP
Apple
Jan ’22

the keychain selected was "Local Items".

Ah, that’s interesting. Local Items is Keychain Access speak for the data protection keychain [1]. That keychain can hold certificates but it would need very different import code and so it’s not a huge surprise that you run into the problem. Still, that’s definitely a bug and I’ve filed it as such (r. 87671054).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] If you’re not familiar with the subtleties of keychains on the Mac, see my On Mac Keychains post.

2
oligofren OP
Jan ’22

The tip about the target keychain really saved my bacon. I was trying to get the Root Certificates for Charles Proxy installed and only received error code -25294 when using its default "Help -> SSL -> Install Charles Root Certificate" option. I then exported the root certificate as a PEM file and tried importing it manually and got the same error. Upon reading this post, I realised there was a almost hidden option I had not taken into account:

(This is using Norwegian language settings, so "Valg" means "Options").

Pressing that gave me the options of

  • Local objects (preselected)
  • logon
  • System

Choosing system seems to have worked.

Charles Proxy is only listed as supported macOS 10.15, so no wonder.

0
JetForMe OP
Jun ’22

@eskimo I was unable to import into "login", "System", or "iCloud" keychains, but was able to import into "accountsKeychainExport". What is that? It seems very sus.

In any case, I have TWO of these "accountsKeychainExport" keychains in my system, and both are empty, even after import.

I had the inspiration to try dragging the .cer file from the Finder into my login keychain, and that seemed to work, but it says the certificate is not trusted:

(I’ve redacted identifying info; note that the selected cert replaces the last cert in that list, set to expire in a month.)

Ah, I had to DL a newer Apple intermediate certificate from here (specifically, the G4 cert). That seems clunky.

macOS 21F79 on M1 Max MBP.

0
Najjii OP
Apr ’24

I understand that I may be three years late in responding. But I encountered the same problem. And I found it to be a trust issue. You just need to go to your certificates collection page and double-click on the untrusted certificate to edit the trust settings to be able to use it normally.

0
olvrwn OP
Jul ’24

Unfortunately it looks like this issue still exists. iCloud is selected as default keychain when opening the certificate. I tried @Najjii solutions and clicked on "always trust" but it didn't work. However, choosing "System" or "login" instead of "iCloud" worked for me. Thank you @Matt_SoundFingers & @dceddia.

Is there any information why this does not work with iCloud Keychain? Any news about the bug report you've filed @DTS Engineer?

1
bamclark OP
6d

I had to unlock my "System" keychain (right click the keychain in the left bar and select "unlock Keychain 'System'"). Then I double clicked the certificate in Finder. It installed with no problems at that point.

0
DTS Engineer OP
Apple
5d
Recommended

Sorry I didn’t reply sooner; older versions of DevForums had a bug that meant that I didn’t see updates on this thread (that’s fixed now, so yay!).

edit the trust settings to be able to use it normally.

Monkeying with trust settings on a code-signing certificate is a bad idea. It can trigger the dreaded errSecInternalComponent. I talk more about this in Fixing an untrusted code signing certificate.

Is there any information why this does not work with iCloud Keychain?

Not really.

Keychain Access is very much on the way out as a user-level feature. Witness, for example, its recent move from Applications > Utilities to /System/Library/CoreServices/Applications. Given that, it’s easy to see why big picture issues like this aren’t being addressed.

Having said that, the file-based keychain is also on its way out, as explained in TN3137 On Mac keychain APIs and implementations. One significant remaining client of the file-based keychain is code signing. For example, developers use:

  • Keychain Access > Certificate Assistant to create code-signing identities outside of Xcode
  • The security tool to manage signing assets on CI/CD systems
  • Keychain Access for investigating problems

If the file-based keychain went away, or we stopped using it for code signing, we’d need replacements for all this stuff. It’s not clear what that’d look like, and that’s most definitely in The Future™ and thus not something I’m going to speculate about.

Any news about the bug report you've filed … ?

It remains unfixed.

I had to unlock my "System" keychain

Just to be clear, I recommend that you not store code-signing digital identities in the System keychain. In general, I recommend that you use the login keychain. It’s also reasonable to use a custom file-based keychain.

Then I double clicked the certificate in Finder

It’s better to run Keychain Access, choose File > Import Items, and click the Options box so that you can select the target keychain. This avoids any possibility of Keychain Access defaulting to the wrong keychain.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0
Error -25294
First post date Last post date
 
 
Q