Note: Apple's Gatekeeper only trusts applications signed with certificates that Apple itself issues (Developer ID certificates obtained through the Apple Developer Program); code signing certificates from any other CA are not accepted by Gatekeeper, whatever their source. macOS does carry public CAs such as DigiCert or Comodo in its trust store for other purposes, but the default Gatekeeper policy has not changed to let their code signing certificates work at their full potential. For that reason we do not guarantee that certificates from other CAs will be accepted natively by OS X. They do work for signing Java code on the OS X platform, because Java verifies signatures against its own trust store rather than asking Gatekeeper.

Code Signing in Snow Leopard & Mac OS X:

If you used a Mac to collect your certificate, it is already in Keychain Access. If it was collected on another computer and you have it as a .P12 or .PFX file, import it as follows:

  1. Save the P12 or PFX file on Mac's hard disk
  2. Go to Applications/Utilities and start Keychain Access
  3. Select File -> Import Items and select the PFX/P12 file
  4. For the destination keychain choose "login" (your user only) or "System" (all users on the machine)
  5. Click Open and enter the password that was set when the P12/PFX file was exported; this password protects the private key, not the certificate itself

To sign a Mac .app bundle, open a Terminal window and type the following, using the full path to the bundle and the name of your certificate as it appears in Keychain Access as the identity:

codesign -s "Company Name" "/Applications/Utilities/My" (For the file name use full path)

Press Enter and, if Keychain Access prompts you, allow codesign to use the private key. Signing succeeds silently; any output from codesign is an error.

How to Do Signature Verification?

Suppose you cannot use the Mac App Store for some reason and have downloaded an application from a third-party source. In that situation it is important to verify that the downloaded application has not been altered and that it was signed with a legitimate, Apple-issued identity rather than an arbitrary or self-signed certificate.

The basic verification command is as follows (use the full path):

codesign -v "/Applications/Utilities/My" (For the file name use full path)

If the command prints nothing and exits with status 0, the bundle is signed and the signature is valid, i.e. the code still matches the seal that was signed. If the bundle is unsigned or has been modified, codesign prints an error (for example "code object is not signed at all" or "invalid signature (code or signature have been modified)") and exits non-zero. Note that -v alone only checks the outer bundle; add --deep to walk nested code and --strict to apply the current validation rules. A valid signature is also not the same thing as Gatekeeper acceptance: to ask what Gatekeeper itself would do with the bundle, run spctl --assess --type execute --verbose=4 on the same path.

Another way is to run codesign with the -d (display) and --verbose=4 flags, which prints identifying information about an application: the hash type, the hashes and the signing authority chain. Unlike -v, -d only displays the signature; it does not verify it.

codesign -dv --verbose=4 /Applications/Utilities/My (For the file name use full path)

Let's look at another example. To check the signature on (located in /Applications/Utilities/), run the command below. codesign writes this listing to standard error, so redirect with 2>&1 if you want to pipe it into another tool:

codesign -dv --verbose=4 /Applications/Utilities/
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Platform identifier=1
Hash type=sha1 size=20
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68

What we are looking for are the Hash type, the hashes and the Authority entries. In the example above the hash type is SHA-1 and the chain is Software Signing -> Apple Code Signing Certification Authority -> Apple Root CA, i.e. the application is Apple's own system software signed by Apple. Two caveats: SHA-1 here reflects the age of this example, and current versions of codesign sign with SHA-256 and show Hash type=sha256; and TeamIdentifier=not set is normal only for Apple's bundled software. A third-party application signed with a Developer ID certificate should instead show the developer's Team ID and an Authority chain starting with "Developer ID Application: Company Name (TEAMID)" and still ending in Apple Root CA. Any chain that does not end in Apple Root CA, or a listing with no Authority lines at all (an ad-hoc signature), means the code is not signed by an Apple-issued identity and Gatekeeper will not accept it.
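The signing and verification steps above, as an added shell example that is not part of the original page: the codesign/spctl calls are wrapped in functions (they need a Mac to run), and the output of codesign -dv --verbose=4 is parsed so the hash type, the certificate chain and the team identifier can be checked by a script instead of by eye. The two sample listings are constructed: the first is the Apple-signed output shown above trimmed to the relevant lines, the second is what a Developer ID signed app looks like with a placeholder company name and team ID. The --timestamp and --options runtime flags in sign_app go beyond the page's one-line command; they add a secure timestamp and the hardened runtime that current Gatekeeper policy expects.

```shell
#!/bin/sh
# Added example, not from the original page. sign_app/verify_app require
# macOS; the parser functions run anywhere and are exercised on constructed
# sample output at the bottom.

# Sign a bundle. $1 is the certificate name as shown in Keychain Access
# (list candidates with: security find-identity -v -p codesigning), $2 the
# full path to the .app. --force replaces any existing signature.
sign_app() {
    codesign --sign "$1" --timestamp --options runtime --force "$2"
}

# Verify a bundle: --verify checks the seal, --deep walks nested code,
# --strict applies current validation rules (silent + exit 0 means valid).
# spctl then asks Gatekeeper whether it would allow execution; a signature
# can be valid while Gatekeeper still rejects it (e.g. third-party CA cert).
verify_app() {
    codesign --verify --deep --strict --verbose=2 "$1" || return 1
    codesign -dv --verbose=4 "$1" 2>&1 | summarize   # -d writes to stderr
    spctl --assess --type execute --verbose=4 "$1"
}

# --- parsing of "codesign -dv --verbose=4" output read from stdin -----------

hash_type()      { sed -n 's/^Hash type=\([^ ]*\).*/\1/p'; }
team_id()        { sed -n 's/^TeamIdentifier=//p'; }
leaf_authority() { sed -n 's/^Authority=//p' | head -n 1; }   # signing cert
root_authority() { sed -n 's/^Authority=//p' | tail -n 1; }   # chain root

# Return 0 only when the signature uses a hash stronger than SHA-1.
hash_ok() {
    case "$(hash_type)" in
        sha1|"") return 1 ;;
        *)       return 0 ;;
    esac
}

# Print one word describing who signed the code:
#   unsigned      no CodeDirectory, i.e. not signed at all
#   adhoc         signed without a certificate (no Authority lines)
#   apple         Apple's own software (leaf "Software Signing", Apple root)
#   developer-id  Developer ID certificate issued by Apple
#   apple-other   some other Apple-issued certificate
#   other         chain does not end in Apple Root CA (third-party CA, self-signed)
classify() {
    info=$(cat)
    printf '%s\n' "$info" | grep -q '^CodeDirectory' || { printf 'unsigned\n'; return; }
    root=$(printf '%s\n' "$info" | root_authority)
    leaf=$(printf '%s\n' "$info" | leaf_authority)
    [ -n "$root" ] || { printf 'adhoc\n'; return; }
    [ "$root" = "Apple Root CA" ] || { printf 'other\n'; return; }
    case "$leaf" in
        "Software Signing")            printf 'apple\n' ;;
        "Developer ID Application: "*) printf 'developer-id\n' ;;
        *)                             printf 'apple-other\n' ;;
    esac
}

# Human-readable summary of the fields the text says to look at.
summarize() {
    info=$(cat)
    printf 'signer class : %s\n' "$(printf '%s\n' "$info" | classify)"
    printf 'leaf cert    : %s\n' "$(printf '%s\n' "$info" | leaf_authority)"
    printf 'hash type    : %s\n' "$(printf '%s\n' "$info" | hash_type)"
    printf 'team id      : %s\n' "$(printf '%s\n' "$info" | team_id)"
    printf '%s\n' "$info" | hash_ok ||
        printf 'WARNING: SHA-1 (or no) hash; current codesign produces sha256\n'
}

# Constructed samples, not captured command output.
SAMPLE_APPLE='Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Hash type=sha1 size=20
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set'

SAMPLE_DEVID='Format=app bundle with Mach-O thin (arm64)
CodeDirectory v=20500 size=4321 flags=0x10000(runtime) hashes=40+7 location=embedded
Hash type=sha256 size=32
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

printf '%s\n' "$SAMPLE_APPLE" | summarize
printf '%s\n' "$SAMPLE_DEVID" | summarize
# On a Mac, check a real bundle with: verify_app "/Applications/Something.app"
```

On a real bundle the classify step only looks at the displayed chain, so it must follow a successful codesign --verify as verify_app does; a displayed chain says who the signer claims to be, while --verify proves the seal still matches the code.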