20210831 - Apple is about to remove some Symantec roots from its root store
For several years now, a process has been under way to remove old Symantec roots from major browsers.
Apple is no exception and has recently announced that it will revoke several of those roots in the next few days.
When?
On September 2, 2021, Apple will distrust several Symantec root certificates, previously scheduled to be distrusted in April 2021.
Which roots?
The following soon-to-be distrusted roots were used to issue Thawte and Symantec Code Signing certificates:
- Thawte Primary Root CA
- Thawte Primary Root CA - G3
- VeriSign Class 3 Public Primary Certification Authority - G5
What consequences?
Root distrust means that all objects signed with certificates issued under these roots (whether those certificates are currently valid or expired) will no longer be trusted on macOS and iOS, even if the object was time stamped when it was signed.
How to keep Apple trust?
The first thing to do is request a reissuance of your certificate if it is still valid. It will be reissued on a new trusted hierarchy.
Once your certificate is delivered you'll have to re-sign and time stamp (if required) all your objects (app, executable...).
If some of your applications have been signed and time stamped with a certificate that is now expired, you'll need to order a new Code Signing certificate, then re-sign them.
Are you impacted?
If one of your currently valid or recently expired certificates is impacted, you should have received (or will soon receive) a notification e-mail describing the procedure.
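To check your own signed objects against the three roots listed above, the following added example (not part of the original notice) parses the `Authority=` lines that `codesign -dvv` prints on macOS and reports whether the chain ends at one of them. The function names and the sample outputs are constructed for illustration.

```python
import subprocess

# Root names as listed on this page; compared case-insensitively because the
# casing in a certificate subject may differ from the page's spelling.
DISTRUSTED_ROOTS = {
    "thawte primary root ca",
    "thawte primary root ca - g3",
    "verisign class 3 public primary certification authority - g5",
}

def authority_chain(codesign_output):
    """Return the Authority= values in order (leaf first, root last)."""
    chain = []
    for line in codesign_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "Authority":
            chain.append(value.strip())
    return chain

def distrusted_root(codesign_output):
    """Return the root name if the chain ends at a listed root, else None."""
    chain = authority_chain(codesign_output)
    if not chain:
        return None  # unsigned or ad hoc signed: no certificate chain
    root = chain[-1]
    return root if " ".join(root.lower().split()) in DISTRUSTED_ROOTS else None

def describe(path):
    """Run `codesign -dvv` on macOS; the details are written to stderr."""
    proc = subprocess.run(["codesign", "-dvv", path], capture_output=True, text=True)
    return proc.stderr

# Constructed sample outputs (not captured from real software).
SAMPLE_AFFECTED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Example Software Ltd
Authority=Symantec Class 3 SHA256 Code Signing CA
Authority=VeriSign Class 3 Public Primary Certification Authority - G5
Timestamp=12 Mar 2019 at 10:15:00
"""
SAMPLE_OK = """\
Executable=/Applications/Other.app/Contents/MacOS/Other
Authority=Developer ID Application: Example Software Ltd (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""

if __name__ == "__main__":
    for name, text in (("affected", SAMPLE_AFFECTED), ("ok", SAMPLE_OK)):
        print(name, "->", distrusted_root(text) or "not chained to a listed root")
```

On a Mac, `distrusted_root(describe("/path/to/App.app"))` applies the same check to a real bundle.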
What about server certificates?
There is no impact on server certificates as they have all been reissued on a trusted hierarchy in 2017.