Saturday, December 21, 2013

How to sign your MacOSX application code with codesign?

A Brief Preface: I recently realized that the documentation for signing your Mac OSX applications with codesign is distributed across many documents which is extremely hard to find (You can find those documents in the "more to read" section of this post). Also, in the documentation it has been assumed that you will sign your code with XCode which is not always the case. As you may know, XCode is mainly used for development with Objective C for MacOSX and iPhone but a lot of Mac OSX applications are written in C/C++ and Java which XCode does not support any feature for those project types and makes the signing process extremely hard.

Now, let us start:

1. Go to Apple's Developer Program's Member Center. Go to member center. Write your credentials and enter.

NOTE: If you have not registered in Apple's Developer Program, you need to do so before you can sign your code.

2. Under Developer Program Resources, click on Certificates, Identifiers and Profiles. Under Mac Apps Click on Certificates. Then go to your certificate and then Click on Download. Now you have downloaded the Certificate.

3. Find the certificate file that you downloaded, and run it.
Keychain Access program will be opened by default and will put your Certificate under login keychains and certificates category:

4. Download your private key from the Apple's website: In the downloaded folder you will find a key file with .p12 extension which is Mac’s public key (PKCS12) format. Again, open the file and automatically it will be attached to the certificate you just downloaded.

Check whether it is already there as you expect it.

5. Next Step is to get Developer’s ID. Right click on the certificate of Mac developer profile which you want the code to be signed with and click on “Get info”. On the new windows, scroll down and get the SHA1 fingerprint of the certificate:

Remove the white-spaces and put it under $DEVELOPER_ID in your sign command or if you have one, in your build script. Also, you need to add the requirement for signing. Read about it on Mac Developer Documentation: Apple's Codesign Requirement Specification

Remark: One example of requirements can be of following (This example uses Mozilla's XULWrapper platform):

CODESIGN_REQUIREMENTS="=designated => anchor apple generic  and identifier \"org.webapp.xulwrapper\" and ((cert leaf[field.1.2.840.113635.] exists) or ( certificate 1[field.1.2.840.113635.] exists and certificate leaf[field.1.2.840.113635.] exists  and certificate leaf[subject.OU] = \"FOO123BAR1\" ))"

/usr/bin/codesign -s "$DEVELOPER_ID" -v \
   --requirements "$CODESIGN_REQUIREMENTS" \

6. You can sign the code now. Run the above command and you should be good to go.

Further References:

1 comment: