WWDR stands for Apple Worldwide Developer Relations. It is the intermediate certificate authority Apple operates to sign every developer certificate it issues: Apple Development, Apple Distribution, Developer ID, Pass Type ID, APNs, and the rest. When you run `codesign --verify`, the chain it validates runs from your developer certificate, up through the WWDR intermediate, and finally to the Apple Root CA.
Why developers run into it
Most teams never think about WWDR until something breaks. The two common failure modes:
- A clean CI runner or fresh macOS install signs successfully but the build fails to validate, because the WWDR intermediate is not in the keychain.
- An older certificate was issued under a previous WWDR generation (G3) but the build host only has the current one (G6), or vice versa.
Generations you might see
- WWDR G3: The previous intermediate. Still required to validate certificates issued before the rollover. Distributed by Apple as `AppleWWDRCAG3.cer`.
- WWDR G6: The current intermediate Apple issues new developer certificates from. Distributed as `AppleWWDRCAG6.cer`. macOS ships this in the system trust store on recent versions.
Fixing a missing intermediate
Download the current and previous WWDR intermediates from apple.com/certificateauthority and install them into the login or system keychain on the build host. On CI, fetch them at the start of the signing step rather than baking them into the image, so a rollover does not break a stale runner.
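A sketch of that CI step, added here as an example (it is not Apple's or this page's own script). It assumes the files are served at `https://www.apple.com/certificateauthority/<file>`, that each intermediate carries its generation in the subject OU field, and that the keychain path is passed as an argument; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: fetch both WWDR intermediates at the start of the signing step.
# Needs curl and openssl; the import itself needs the macOS `security` tool.
set -u
WWDR_BASE="https://www.apple.com/certificateauthority"  # assumed full download URL

# Map a subject/issuer line from `openssl x509 -noout -subject|-issuer` to a
# WWDR generation (G3, G6). Assumption: the generation is in the OU field.
# Fails for non-WWDR names and for WWDR names without a Gn OU.
wwdr_generation() {
  case "$1" in
    *"Apple Worldwide Developer Relations"*) ;;
    *) return 1 ;;
  esac
  _g=$(printf '%s\n' "$1" | sed -n 's/.*OU *= *\(G[0-9][0-9]*\).*/\1/p')
  [ -n "$_g" ] || return 1
  printf '%s\n' "$_g"
}

# File name Apple distributes for a generation, as listed above.
wwdr_file() { printf 'AppleWWDRCA%s.cer\n' "$1"; }

# Download one intermediate and import it into the given keychain.
# Runs in a subshell so the temp dir is removed on every exit path.
install_wwdr() (
  want=$1; keychain=$2
  tmp=$(mktemp -d) || exit 1
  trap 'rm -rf "$tmp"' EXIT
  curl -fsSL --proto '=https' -o "$tmp/wwdr.cer" \
    "$WWDR_BASE/$(wwdr_file "$want")" || exit 1
  # Sanity check on the download (not a trust decision): it must parse as a
  # DER certificate whose subject names the generation we asked for.
  subject=$(openssl x509 -inform DER -in "$tmp/wwdr.cer" -noout -subject) || exit 1
  [ "$(wwdr_generation "$subject")" = "$want" ] || exit 1
  security import "$tmp/wwdr.cer" -k "$keychain"
)

# Usage: wwdr.sh --install <keychain-path>
if [ "${1:-}" = "--install" ]; then
  keychain=${2:?usage: $0 --install <keychain-path>}
  for g in G3 G6; do
    install_wwdr "$g" "$keychain" || echo "warning: WWDR $g not imported" >&2
  done
  # Identities are only listed as valid once their chain resolves.
  security find-identity -v -p codesigning "$keychain"
fi
```

To see which generation a given signing certificate needs, pass the output of `openssl x509 -noout -issuer` for that certificate to `wwdr_generation`.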