found this bug implying that, once upon a time, macOS' MDM enrollment didn't attach a complete signature chain within its CMS certificate set: http://www.openradar.me/31423312

good news, it's now 2024! the future is on macOS 15.1, in which we now get duplicates of CAs in the certificate set (a possible spec violation, it breaks the Rust `der` parser):

rdar://31423312: DEP (MDM) Setup Assistant enrollment & Over-the-Air Profile Service Phase 2 & 3 certificates missing
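A minimal check for the condition described above: walk the elements of a DER-encoded SET and report any that repeat an earlier element byte for byte. This is an added example, not code from the post or from the `der` crate; the function names are hypothetical and the sample bytes are constructed stand-ins for a real CMS certificate set.

```rust
use std::collections::HashSet;

// Constructed sample: a SET of three tiny SEQUENCEs standing in for
// certificates; the third is a byte-for-byte copy of the first.
const SAMPLE: [u8; 17] = [
    0x31, 0x0f,
    0x30, 0x03, 0x02, 0x01, 0x01,
    0x30, 0x03, 0x02, 0x01, 0x02,
    0x30, 0x03, 0x02, 0x01, 0x01,
];

/// Read one DER TLV at the start of `buf`; returns (tag, header_len, total_len).
fn read_tlv(buf: &[u8]) -> Result<(u8, usize, usize), &'static str> {
    if buf.len() < 2 { return Err("truncated header"); }
    let tag = buf[0];
    if tag & 0x1f == 0x1f { return Err("high-tag-number form not supported"); }
    let (hdr, len) = if buf[1] < 0x80 {
        (2, buf[1] as usize) // short-form length
    } else {
        let n = (buf[1] & 0x7f) as usize; // long form: n length octets follow
        if n == 0 || n > 4 || buf.len() < 2 + n { return Err("bad length"); }
        (2 + n, buf[2..2 + n].iter().fold(0usize, |acc, b| (acc << 8) | *b as usize))
    };
    let total = hdr.checked_add(len).ok_or("length overflow")?;
    if total > buf.len() { return Err("truncated value"); }
    Ok((tag, hdr, total))
}

/// Indices of elements that duplicate an earlier element of the SET.
fn duplicate_elements(set: &[u8]) -> Result<Vec<usize>, &'static str> {
    let (tag, hdr, total) = read_tlv(set)?;
    // 0x31 = universal SET; 0xA0 = [0] IMPLICIT, the tag CMS SignedData
    // puts on its `certificates` field (RFC 5652).
    if tag != 0x31 && tag != 0xa0 { return Err("not a SET"); }
    let mut body = &set[hdr..total];
    let (mut seen, mut dups, mut idx) = (HashSet::new(), Vec::new(), 0usize);
    while !body.is_empty() {
        let (_, _, n) = read_tlv(body)?;
        let (elem, rest) = body.split_at(n);
        if !seen.insert(elem) { dups.push(idx); }
        body = rest;
        idx += 1;
    }
    Ok(dups)
}

fn main() {
    println!("duplicate element indices: {:?}", duplicate_elements(&SAMPLE));
}
```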