Tech Tip: Resolving Certificate Authority Signing and Trust Issues on macOS Sequoia
PRODUCT: 4D | VERSION: 20 | PLATFORM: Mac
Published On: May 2, 2025

With the release of macOS Sequoia (15.1 and later), Apple introduced stricter security policies for code signing, impacting 4D developers who use self-signed certificates to build engined applications. The symptoms are signing failures such as "Code signature invalid" or "Certificate not trusted".

The issue is that macOS Sequoia enforces stricter validation of code signing certificates:

  • Self-signed root CAs may be rejected for direct code signing if they lack proper Key Usage or Extended Key Usage (EKU) settings.
  • A leaf certificate (specifically for code signing) signed by your root CA is required.
  • Trust settings for self-signed certificates must be explicitly configured at the system level.

This can cause 4D to fail when signing applications, even if the certificate worked on earlier macOS versions. To resolve the issue, follow these steps:

  • In Keychain Access, double-click your root CA.
  • Under the Trust tab, set Code Signing to Always Trust.
  • Move the root CA to the System keychain (drag it from Login to System, authenticating if prompted).
  • Set Code Signing to Always Trust, then restart your Mac to apply the trust settings.

Self-signed certificates, even if not expired, may no longer be recognized as valid by default in macOS Sequoia if their settings do not meet the new security requirements (for example, outdated hashing algorithms like SHA-1 or improperly configured trust chains).

To verify a self-signed certificate, follow these steps:

  • Validate the certificate in Keychain Access: open Keychain Access, locate your self-signed certificate under "My Certificates" or "Certificates," and double-click it to check its status. If a red X appears, the certificate is invalid or untrusted. If a blue + appears, the trust settings are customized and may need adjustment; click "Trust" and select "Use System Defaults" to restore standard values.
  • Verify the hashing algorithm: ensure your certificate uses SHA-256 (not SHA-1, which is outdated and can cause errors). You can check this in the certificate details under the SHA-256 fingerprint. If it uses SHA-1, you’ll need to generate a new certificate.
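
The certificate properties listed above (SHA-256 rather than SHA-1, Key Usage, a Code Signing EKU, a leaf rather than the root CA) can also be checked from Terminal. The following is an added example, not 4D or Apple code: `check_codesign_cert` and `ext_value` are hypothetical helper names, the sample dump is constructed, and treating "Digital Signature" as the proper Key Usage is an assumption. On a Mac, feed it with `security find-certificate -c "<name>" -p | openssl x509 -noout -text | check_codesign_cert`.

```shell
#!/bin/sh
# Added example (not 4D or Apple code). Reads `openssl x509 -noout -text`
# output on stdin, prints one finding per line, returns 0 if nothing failed.

# Print the value line that follows an "X509v3 <name>:" extension header.
ext_value() {
    awk -v name="X509v3 $1:" '
        found { sub(/^ +/, ""); print; exit }
        index($0, name) { found = 1 }'
}

check_codesign_cert() {
    dump=$(cat); rc=0
    sigalg=$(printf '%s\n' "$dump" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case "$sigalg" in
        '')     echo "FAIL signature algorithm not found"; rc=1 ;;
        *sha1*) echo "FAIL signature algorithm $sigalg is SHA-1 based"; rc=1 ;;
        *)      echo "OK   signature algorithm $sigalg" ;;
    esac
    # Assumption: "proper" Key Usage for signing means Digital Signature.
    ku=$(printf '%s\n' "$dump" | ext_value "Key Usage")
    case "$ku" in
        *"Digital Signature"*) echo "OK   Key Usage: $ku" ;;
        *) echo "FAIL Key Usage lacks Digital Signature: ${ku:-absent}"; rc=1 ;;
    esac
    eku=$(printf '%s\n' "$dump" | ext_value "Extended Key Usage")
    case "$eku" in
        *"Code Signing"*) echo "OK   Extended Key Usage: $eku" ;;
        *) echo "FAIL Extended Key Usage lacks Code Signing: ${eku:-absent}"; rc=1 ;;
    esac
    # A CA certificate is the root, not the leaf the article asks for.
    bc=$(printf '%s\n' "$dump" | ext_value "Basic Constraints")
    case "$bc" in
        *CA:TRUE*) echo "FAIL CA certificate; sign with a leaf issued by it"; rc=1 ;;
        *)         echo "OK   not a CA certificate" ;;
    esac
    return "$rc"
}

# Constructed sample: excerpt of a dump for a SHA-1 self-signed root CA.
SAMPLE_ROOT_DUMP='    Signature Algorithm: sha1WithRSAEncryption
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign'
printf '%s\n' "$SAMPLE_ROOT_DUMP" | check_codesign_cert || true
```

Any `FAIL` line means the certificate should be reissued rather than re-trusted; changing trust settings in Keychain Access does not alter what is encoded in the certificate.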