The following error occurs when a chain of trust ends in a self-signed certificate that is not trusted by the system.
pkg install: Chain was rooted in an untrusted self-signed certificate. The package involved is:pkg://test/example_pkg@1.0,5.11-0:20110919T185335Z
When you create a chain of certificates using OpenSSL for testing, the root certificate is usually self-signed, since there is little reason to have an outside company verify a certificate that is only used for testing.
In a test situation, there are two solutions:
The first solution is to add the self-signed certificate that is the root of the chain of trust into /etc/certs/CA and refresh the system/ca-certificates service. This mirrors the likely situation customers will encounter where a production package is signed with a certificate that is ultimately rooted in a certificate that is delivered with the operating system as a trust anchor.
The second solution is to approve the self-signed certificate for the publisher that offers the package for testing by using the --approve-ca-cert option with the pkg set-publisher command.