Using Signum with Apple code signing
Prerequisites
Many scenarios require a certificate issued by Apple, which in turn requires an Apple Developer account. Each certificate type has a specific use.
A Signum policy granting a specific user permission to use the certificate from a Mac.
The Signum Mac agent installed and logged in as that user.
The public certificate installed in the keychain.
Key Setup
Below are the steps for using Apple's CA. Similar steps apply if using a private PKI.
Generate and download an RSA 2048 SHA256 CSR in Signum.
Log in to your Apple developer account and upload the CSR generated by Signum.
Download the certificate and import it into the Signum Admin Web; on the client machine, double-click the certificate to install it in the Apple keychain.
Listing Keys
The following command lists the token identities available to the agent:
sc_auth identities
SmartCard: com.keyfactor.signum.token:21
Unpaired identities:
C08811A3E3E1CA52F4629433E700FA44B42EA701 Signum-RSA-4096
Signing & Verifying
App / Codesign Signing
The example below signs a generic file. codesign can also sign other file types such as .app bundles and .dmg images; see the codesign man page for the full list of options.
Signing
codesign --sign "Signum-RSA-4096" --timestamp test.sh
Verifying
codesign -dv --verbose test.sh
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
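To turn the verification above into a repeatable gate (for example in a build pipeline), the following added shell function, which is example code and not part of Signum or Apple's tooling, parses `codesign -dv --verbose` output and enforces the expected leaf identity, chain root, and presence of a trusted timestamp. The first sample is the output shown above; the no-timestamp and ad-hoc samples are constructed for illustration.

```shell
# Added example, not Signum or Apple tooling: a CI-style policy gate over the output
# of `codesign -dv --verbose <file>` (codesign writes it to stderr), e.g.
#   codesign -dv --verbose test.sh 2>&1 | check_codesign_output "Signum-RSA-4096" "BenDemoRoot-G2"
# Returns 0 only if the first Authority line (the leaf) is the expected signing identity,
# the last Authority line is the expected root, the signature is not ad hoc, and a
# Timestamp line is present (proof that --timestamp was used and a TSA countersigned).
check_codesign_output() {
    expected_leaf=$1
    expected_root=$2
    out=$(cat)
    authorities=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p')
    leaf=$(printf '%s\n' "$authorities" | head -n 1)
    root=$(printf '%s\n' "$authorities" | tail -n 1)
    ts=$(printf '%s\n' "$out" | sed -n 's/^Timestamp=//p')
    if printf '%s\n' "$out" | grep -q '^Signature=adhoc$'; then
        echo "FAIL: ad-hoc signature carries no certificate chain" >&2; return 1
    fi
    if [ "$leaf" != "$expected_leaf" ]; then
        echo "FAIL: leaf authority '$leaf' is not '$expected_leaf'" >&2; return 1
    fi
    if [ "$root" != "$expected_root" ]; then
        echo "FAIL: chain root '$root' is not '$expected_root'" >&2; return 1
    fi
    if [ -z "$ts" ]; then
        echo "FAIL: no trusted timestamp; the signature expires with the certificate" >&2; return 1
    fi
    echo "OK: signed by '$leaf', chained to '$root', timestamped $ts"
}

# Constructed sample 1: the verification output shown on this page (abbreviated).
SAMPLE_GOOD='Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
TeamIdentifier=not set'

# Constructed sample 2: the same file signed without --timestamp.
SAMPLE_NO_TS=$(printf '%s\n' "$SAMPLE_GOOD" | grep -v '^Timestamp=')

# Constructed sample 3: an ad-hoc signature (no identity at all).
SAMPLE_ADHOC='Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
Signature=adhoc
Info.plist=not bound'
```

Run it as `printf '%s\n' "$SAMPLE_GOOD" | check_codesign_output "Signum-RSA-4096" "BenDemoRoot-G2"` to see the OK line, or pipe real codesign output through it in CI.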
Package Signing
Note: for this to work, a certificate of type "Developer ID Installer" issued by Apple through your developer account is required. Three utilities can be used: productsign, pkgbuild, and productbuild. Refer to Apple's documentation for specifics on their usage.
Signing
productsign --sign "James Benjamin Dewberry (XXXXXXXX)" example.pkg example-signed.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: James Benjamin Dewberry (XXXXXXX)"
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to example-signed.pkg
pkgbuild --root pkgroot --identifier com.some.id --version 123 --install-location /usr/local/bin --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example.pkg
productbuild --package example.pkg --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example-signed.pkg
Verifying
pkgutil --check-signature example-signed.pkg
Package "example-signed.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
Certificate Chain:
1. Developer ID Installer: James Benjamin Dewberry (RFAFA3TAXJ)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
5B 56 25 9D F4 D5 5C D5 5C C6 2E 72 0E 19 DF AA 1C D5 32 BF 0E 02
D3 92 F7 95 B0 5B 2B CC 2B 33
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
Xcode
With the Signum Mac Agent running, users can select certificates from Signum when building projects with Xcode.