No, there is signing from a third party server in the chain too. If iPhone A visits website B, then A must provide to B a token signed by Apple in order for it to be trusted.
It also depends on hardware tamper-protected keys that the user can't get to without destroying the device (or at least the keys) in the process.