ZXPSignCmd not validating cert chain?

[davidirvine]

I am signing my InDesign CEP extension with a code signing cert obtained from a CA. The certificate chain consists of 3 certs: my cert, intermediate cert, and root cert.

Both ZXPSignCmd (4.1.2) and InDesign (17.x-18.0) consider my signed extension valid regardless of absence of the intermediate and root cert in the signature.xml. The root cert is present in my OS (mac) trust store but the intermediate cert isn't.

Makes me think that the cert chain isn't being validated.

I've mistakenly been omitting the intermediate cert for a very long time (since InDesign 16) and have never had an issue installing my extension. I've even had the cert expire and my extension stop loading, so certain things have been functioning correctly.