Learn how to Code Sign files in Snow Leopard & Mac OS X

1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Note: Apple has tweaked the settings in GateKeeper, which changes the way OSX handles certificates from non-Apple vendors and tells the system to disallow ALL certificates that are not issued by Apple. After many years, Apple operating systems have started recognizing branded CA’s such as DigiCert or Comodo, though there’s no change in the default setting to allow certificates of other CA’s to work at their full potential. Due to this, we don’t guarantee that other CA’s certificates will be supported by OSX natively. However, it works with Java on the OSX platform.
mac-osx

Code Signing in Snow Leopard & Mac OS X:

If you’ve used Mac to collect your certificate, locate it in keychain access. If it’s on another computer & you have .P12 or .PFX file, follow these instructions:

  1. Save the P12 or PFX file on Mac’s hard disk
  2. Go to Applications/Utilities and start Keychain Access
  3. Select File -> Import Items and select the PFX/P12 file
  4. For the destination of the certificate choose “login” or “system”
  5. Click Open and provide the password used during the creation of the certificate

Open the Terminal window for signing a Mac .app file and type this command:

codesign -s "Company Name" " /Applications/Utilities/My App.app"

(For the file name use full path)

Press Enter and confirm if prompted

How to Do Signature Verification?

Assuming you cannot access the Mac App Store for some reason and downloaded an application from a third-party source. In this type of situation, it’s important to know and verify that the downloaded application file is not altered and coming from a legit Apple provider.

The basic command is as below:

codesign -v "/Applications/Utilities/My App.app"

(For the file name use full path)

If you do not get any response, then the app is signed.

Another way is using the “codesign” command with the -dv and -verbose=4 flags for showing identified information about any application, including information like hash type, hash checksum and its signing authority.

code sign -dv --verbose=4 /Applications/Utilities/My App.app

(For the file name use full path)

Let’s look with another example. To check the signature on Terminal.app (located in /Applications/Utilities/)

codesign -dv --verbose=4 /Applications/Utilities/Terminal.app

Executable=/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

Identifier=com.apple.Terminal

Format=bundle with Mach-O thin (x86_64)

CodeDirectory v=20100 size=5227 flags=0x0(none) hashes=255+3 location=embedded

Platform identifier=1

Hash type=sha1 size=20

CDHash=0941049019f9fa3499333fb5b52b53735b498aed6cde6a23

Signature size=4105

Authority=Software Signing

Authority=Apple Code Signing Certification Authority

Authority=Apple Root CA

Info.plist entries=34

TeamIdentifier=not set

Sealed Resources version=2 rules=13 files=996

Internal requirements count=1 size=68

What we would be looking for is hash type, hash and authority entries. In the above-mentioned example, hash is sha1 & it’s signed by Apple.