Following a previous update, on September 10, 2021, Apple released an update to macOS, iOS, and iPadOS systems to fully distrust and remove some of the Symantec and Verisign roots listed under Affected Certificates from the Apple ecosystem.
On January 31, 2022, Apple plans to release another update to macOS, iOS, and iPadOS systems to fully distrust and remove five more Symantec and Verisign roots listed under Affected Certificates from the Apple ecosystem.
If your application uses certificates that chain to a distrusted root and relies on an application- or certificate-injection process outside the Apple Developer Certificate process, you will need to move to a trusted certificate chain; this includes systems that handle application updates across shared device platforms.
In these situations, the Apple API call (SecTrustEvaluate) fails with the result kSecTrustResultFatalTrustFailure. This result indicates that the certificate and its chain have been blocked by the system or cannot be interpreted by it.
In 2018, Apple announced that it would move forward with a partial distrust of Symantec and Symantec-brand root certificates. The complete distrust of some of the roots was planned for February 25, 2020, while other roots were planned to be distrusted in 2023.
However, some parts of this process have been delayed and other parts are being accelerated. Apple has completed the full root certificate distrust; however, root removal and the subsequent certificate distrust have only just begun.
When will distrust start?
January 31, 2022, Root Distrust
September 10, 2021, Root Distrust
What is happening now?
Each phase begins by removing the root certificates from the certificate stores in iOS, iPadOS, and macOS, and then blocks those root certificates from being manually installed on Apple devices or into the Apple PKI library.
What has changed?
We previously communicated the distrust timeline for root certificates and posted it in our Symantec Root Removal KB. However, we have additional information regarding the changes, as further updates have been provided by Apple. Apple is accelerating its project to remove five more Symantec roots (including VeriSign) on January 31, 2022, instead of in 2023.
Is this different than the previous distrust activities?
Each root store is implementing the removal of the Symantec roots in a different manner:
Apple is removing the roots from its root stores and blocking the issuing CAs that chain to them. Removing the roots means that all certificates issued under those roots, and all objects signed with certificates issued under those roots, will no longer be trusted on macOS and iOS. Blocking means the root certificates cannot be reinstalled on Apple devices or into the Apple PKI library.
So, if your implementation requires Apple trust, you must reissue certificates using the DigiCert hierarchy and re-sign objects (code, documents, email, etc.).
Why do I need to worry about my expired certificates? They most likely aren't needed and can't be used.
When you use a certificate to sign objects, the signature can remain valid after that certificate expires.
For example, if you include a valid timestamp with your signature, the signature remains valid as long as it can still chain to the root certificate under which the signing certificate was issued. With a timestamp, validation relies on the root certificate to validate the signed object, not on the expired certificate that was used to sign it.
Because Apple is removing the roots, signatures can no longer chain to those root certificates on Apple devices. When the signature can't reach the root, certificate chain validation fails. Once Apple removes the roots, the signed objects may stop functioning as expected.
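The following is an added example and not DigiCert's or Apple's code: a small Swift command-line tool that calls the Security framework API named earlier in this article (SecTrustEvaluateWithError, the modern form of SecTrustEvaluate) on a PEM chain and reports the SecTrustResultType, so you can see kSecTrustResultFatalTrustFailure for a chain whose root has been removed. It also illustrates the timestamp point above: the hypothetical --as-of flag sets the verification date with SecTrustSetVerifyDate (which is what a timestamped signature effectively asks for), so an expired leaf can still pass, but only if the root is still present in the device's trust store. The tool assumes PEM files are passed as arguments, leaf first; it embeds no certificates of its own.

```swift
import Foundation
import Security

/// What the system decided about a chain, plus the anchor it used (if any).
struct ChainVerdict {
    let trusted: Bool
    let result: SecTrustResultType
    let error: String?
    let anchorSubject: String?
}

/// Parse every "-----BEGIN CERTIFICATE-----" block in a PEM string into SecCertificate objects.
func parsePEMCertificates(_ text: String) -> [SecCertificate] {
    var certs: [SecCertificate] = []
    var collecting = false
    var base64 = ""
    for line in text.split(separator: "\n", omittingEmptySubsequences: true) {
        if line.hasPrefix("-----BEGIN CERTIFICATE-----") { collecting = true; base64 = ""; continue }
        if line.hasPrefix("-----END CERTIFICATE-----") {
            collecting = false
            if let der = Data(base64Encoded: base64),
               let cert = SecCertificateCreateWithData(nil, der as CFData) {
                certs.append(cert)
            }
            continue
        }
        if collecting { base64 += line.trimmingCharacters(in: .whitespacesAndNewlines) }
    }
    return certs
}

/// Build a SecTrust from the chain (leaf first) and evaluate it against the system trust store.
/// `verifyDate`, when given, only moves the validity-period check; the anchor is always looked up
/// in the device's current trust store, so a removed root fails at any date.
func evaluateChain(_ certs: [SecCertificate], verifyDate: Date? = nil) -> ChainVerdict {
    guard !certs.isEmpty else {
        return ChainVerdict(trusted: false, result: .invalid, error: "no parseable certificates", anchorSubject: nil)
    }
    // Basic X.509 policy: chain building, validity period and trust-store anchoring only.
    let policy = SecPolicyCreateBasicX509()
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(certs as CFArray, policy, &trust)
    guard status == errSecSuccess, let trust = trust else {
        return ChainVerdict(trusted: false, result: .invalid,
                            error: "SecTrustCreateWithCertificates failed: \(status)", anchorSubject: nil)
    }
    if let date = verifyDate { SecTrustSetVerifyDate(trust, date as CFDate) }

    var cfError: CFError?
    let trusted = SecTrustEvaluateWithError(trust, &cfError)
    var result: SecTrustResultType = .invalid
    SecTrustGetTrustResult(trust, &result)

    // The last certificate in the built chain is the anchor the system actually used.
    var anchorSubject: String? = nil
    let count = SecTrustGetCertificateCount(trust)
    if count > 0, let anchor = SecTrustGetCertificateAtIndex(trust, count - 1) {
        anchorSubject = SecCertificateCopySubjectSummary(anchor) as String?
    }
    return ChainVerdict(trusted: trusted, result: result,
                        error: cfError.map { String(describing: $0) }, anchorSubject: anchorSubject)
}

/// Translate the result code into the action this article describes.
func describe(_ verdict: ChainVerdict) -> String {
    switch verdict.result {
    case .fatalTrustFailure:
        return "FATAL: no user-side fix (blocked or removed root); reissue under a trusted hierarchy and re-sign"
    case .recoverableTrustFailure:
        return "RECOVERABLE: e.g. expired certificate or unknown anchor; a verify date or trust setting may change this"
    case .proceed, .unspecified:
        return "TRUSTED: chain anchors to a root in the system trust store"
    default:
        return "OTHER: SecTrustResultType \(verdict.result.rawValue)"
    }
}

// Usage: swift verify-chain.swift leaf.pem [intermediate.pem ...] [--as-of 2021-06-01]
// (--as-of is this tool's own flag, used to emulate verification at a signature's timestamp.)
let args = Array(CommandLine.arguments.dropFirst())
var pemFiles: [String] = []
var verifyDate: Date? = nil
var i = 0
while i < args.count {
    if args[i] == "--as-of", i + 1 < args.count {
        let formatter = ISO8601DateFormatter()
        formatter.formatOptions = [.withFullDate]
        verifyDate = formatter.date(from: args[i + 1])
        i += 2
    } else {
        pemFiles.append(args[i]); i += 1
    }
}
let chain = pemFiles
    .compactMap { try? String(contentsOfFile: $0, encoding: .utf8) }
    .flatMap(parsePEMCertificates)
let verdict = evaluateChain(chain, verifyDate: verifyDate)
print("anchor:  \(verdict.anchorSubject ?? "none")")
print("trusted: \(verdict.trusted)  result: \(verdict.result.rawValue)")
if let err = verdict.error { print("error:   \(err)") }
print(describe(verdict))
```

Run it once without --as-of and once with a date inside the signing certificate's validity period. On a device that still has the old root, the second run passes even though the leaf has expired; on a device updated past the removal date, both runs report fatalTrustFailure, because the anchor lookup uses the current trust store regardless of the verify date. That is the behaviour you should test for before the January 31, 2022 removal.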
For expired certificates, will I need a new certificate to re-sign objects?
Yes, you will need a new, trusted certificate. Because timestamped signatures under the removed roots are no longer recognized, you will need to re-sign the code with a certificate issued from a trusted root to re-establish trust for your applications.