Code Signing in Snow Leopard & Mac OS X:
If you used the Mac to collect your certificate, locate it in Keychain Access. If it is on another computer and you have a .P12 or .PFX file, follow these instructions:
- Save the P12 or PFX file on the Mac's hard disk
- Go to Applications/Utilities and start Keychain Access
- Select File -> Import Items and select the PFX/P12 file
- For the destination of the certificate choose "login" or "system"
- Click Open and provide the password used during the creation of the certificate
To sign a Mac .app file, open a Terminal window and type this command:
codesign -s "Company Name" "/Applications/Utilities/My App.app"
(Use the full path for the file name.)
Press Enter and confirm if prompted.
How to Do Signature Verification?
Suppose you cannot access the Mac App Store for some reason and have downloaded an application from a third-party source. In this situation, it is important to verify that the downloaded application file has not been altered and comes from a legitimate Apple provider.
The basic command is as below:
codesign -v "/Applications/Utilities/My App.app"
(Use the full path for the file name.)
If you do not get any response, then the app is signed.
Another way is to use the "codesign" command with the -dv and --verbose=4 flags to show identifying information about any application, including the hash type, hash checksum and its signing authority.
codesign -dv --verbose=4 "/Applications/Utilities/My App.app"
(Use the full path for the file name.)
Let's look at another example. To check the signature on Terminal.app (located in /Applications/Utilities/):
codesign -dv --verbose=4 /Applications/Utilities/Terminal.app
Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Identifier=com.apple.Terminal
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CDHash=0941049019f9fa3499333fb5b52b53735b498aed6cde6a23
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=996
Internal requirements count=1 size=68
What we are looking for is the hash type, hash and authority entries. In the example above, the hash type is sha1 and the app is signed by Apple.
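The check described above can be scripted. The following is an added example, not part of the original article: it extracts the hash type, hash and authority entries from a codesign report and fails when the last authority entry is not the expected one. The function names are assumptions made for this example, and the sample report is an excerpt of the Terminal.app listing above.

```shell
#!/bin/sh
# Added example: pull out the fields the article says to check
# (hash type, hash, authority entries) from `codesign -dv --verbose=4` output.

# Excerpt of the Terminal.app report shown on this page.
sample_report() {
cat <<'EOF'
Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Identifier=com.apple.Terminal
CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded
Hash type=sha1 size=20
CDHash=0941049019f9fa3499333fb5b52b53735b498aed6cde6a23
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set
EOF
}

# field KEY: print the value of every "KEY=value" line read from stdin.
field() {
    awk -F= -v key="$1" '$1 == key { sub(/^[^=]*=/, ""); print }'
}

hash_type()      { field "Hash type" | awk '{ print $1; exit }'; }  # "sha1 size=20" -> sha1
cdhash()         { field "CDHash" | head -n 1; }
root_authority() { field "Authority" | tail -n 1; }                 # last entry in the list

# authority_chain: Authority entries in report order, joined with " > ".
authority_chain() {
    field "Authority" | awk 'NR > 1 { printf " > " } { printf "%s", $0 } END { if (NR) print "" }'
}

# summarize EXPECTED_ROOT: print the fields; return non-zero if the last
# Authority entry differs or the report has no Authority lines (unsigned code).
summarize() {
    report=$(cat)
    printf 'hash type: %s\n' "$(printf '%s\n' "$report" | hash_type)"
    printf 'cdhash:    %s\n' "$(printf '%s\n' "$report" | cdhash)"
    printf 'authority: %s\n' "$(printf '%s\n' "$report" | authority_chain)"
    [ "$(printf '%s\n' "$report" | root_authority)" = "$1" ]
}

# On a Mac: codesign -dv --verbose=4 "/path/to/My App.app" 2>&1 | summarize "Apple Root CA"
# (codesign writes this report to stderr, hence 2>&1). Here, run on the excerpt:
sample_report | summarize "Apple Root CA"
```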