This error indicates that the certificate used to verify a binary with the imgverify command is not a signing certificate. A certificate used for code-signing must include the digitalSignature key usage.

Things to try:

• Check that your certificate includes the digitalSignature key usage. For example, to check the certificate codesign.crt:

    $ openssl x509 -in codesign.crt -noout -text
    ...
       X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
    ...

• Generate a new code-signing certificate including the digitalSignature key usage. If you are using OpenSSL to generate the certificate, then you need to include the following extensions:

    keyUsage=digitalSignature
    extendedKeyUsage=codeSigning

A certificate used for code-signing must also include the codeSigning extended key usage.