Using Signum with Apple Code Signing

A guide to using the Signum macOS agent to sign Apple binaries.

Prerequisites

  • Many scenarios require a certificate issued by Apple, which in turn requires an Apple Developer account. Each certificate type has a specific use; for more information, see the Apple documentation.

  • A Signum policy that grants a specific user permission to use the certificate from the Mac.

  • The Signum macOS Agent utility installed and configured.

Key Setup

The following setup uses the Apple CA. If you are using a Private PKI, similar steps can be applied.

  1. Generate and download an RSA 2048 SHA256 CSR in Signum.

  2. Log in to your Apple development account.

  3. Upload the CSR generated by Signum.

  4. Download and import the certificate into the Signum Admin Web.

Configure & Connect to Signum Server

CODE
signum-util setup -h [HOSTNAME] -u [USERNAME]
CODE
Instance [URL] successfuly reached .
User [mac@keyfactor] successfuly logged in URL.
New configuration saved successfully, some changes to system settings might require restarting SignumService.

Listing Certificates

To list certificates, run the following command:

CODE
signum-util lc
CODE
Subject CN     : Signum-RSA-4096
    Issuer CN      : BenDemoRoot-G2
    Valid Until    : 2029-04-22
    Valid From     : 2024-04-23
    Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD

Adding to Keychain

For the keys to be usable with the macOS signing tools, they must be added to the keychain.

Run the following command to add a certificate to the keychain:

CODE
signum-util keychain --add
CODE
Certificate with alias [Signum-RSA-4096] and ID [21] was added successfully to the KeyChain

To view which certificates are added, run the following command:

CODE
sc_auth identities

The command returns something similar to:

CODE
SmartCard: com.keyfactor.signum.token:21
Unpaired identities:
C08811A3E3E1CA52F4629433E700FA44B42EA701	Signum-RSA-4096

The hash that sc_auth prints is not the thumbprint of the certificate shown by signum-util lc.

Signing & Verifying

App and Codesign Signing

The following is an example of app or codesign signing using a generic file. To view all of the options for codesign, check the man pages. codesign can sign different types of files, such as .app bundles and .dmg images.

Signing

You can use the CN of the certificate or the thumbprint returned by signum-util lc.

CODE
codesign --sign "Signum-RSA-4096" --timestamp test.sh

Verifying

CODE
codesign -dv --verbose test.sh
CODE
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
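To turn the verification above into a repeatable check, here is an added example (not part of the Signum documentation or tooling) that parses the output of codesign -dv --verbose, confirms that the leaf Authority is the expected Signum certificate, and confirms that a trusted timestamp is present. The sample output is constructed from the listing above, and the identity name Signum-RSA-4096 is taken from it.

```shell
#!/bin/sh
# Check `codesign -dv --verbose <file>` output (written to stderr, hence 2>&1 in
# the usage line) against the identity the file is expected to be signed with.
# Usage: codesign -dv --verbose test.sh 2>&1 | check_codesign_output "Signum-RSA-4096"
check_codesign_output() {
    expected="$1"
    out=$(cat)
    # Authority= lines list the chain with the leaf first and the root last.
    leaf=$(printf '%s\n' "$out" | grep '^Authority=' | head -n 1 | cut -d= -f2-)
    if [ "$leaf" != "$expected" ]; then
        echo "FAIL: signed by '${leaf:-<none>}', expected '$expected'" >&2
        return 1
    fi
    # A trusted timestamp keeps the signature verifiable after the certificate
    # expires; when codesign is run without --timestamp no Timestamp= line is shown.
    ts=$(printf '%s\n' "$out" | grep '^Timestamp=' | cut -d= -f2-)
    if [ -z "$ts" ] || [ "$ts" = "not set" ]; then
        echo "FAIL: signature by $leaf carries no trusted timestamp" >&2
        return 2
    fi
    echo "OK: leaf=$leaf timestamp=$ts"
}

# Constructed sample, copied from the codesign listing above.
SAMPLE_CODESIGN='Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound'

# The same listing with the timestamp removed, simulating a signature made without --timestamp.
SAMPLE_NO_TS=$(printf '%s\n' "$SAMPLE_CODESIGN" | grep -v '^Timestamp=')

printf '%s\n' "$SAMPLE_CODESIGN" | check_codesign_output "Signum-RSA-4096"
```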

Package Signing

To perform package signing, you need a certificate of type “Developer ID Installer” issued by Apple through your developer account. The three utilities you can use are productsign, pkgbuild, and productbuild. Refer to the Apple documentation for usage specifics.

Signing

To sign the example.pkg file, run the following command:

CODE
productsign --sign "John Doe (XXXXXXXX)" example.pkg example-signed.pkg
CODE
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: John Doe (XXXXXXX)" 
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to example-signed.pkg
CODE
pkgbuild --root pkgroot --identifier com.some.id --version 123 --install-location /usr/local/bin --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example.pkg
CODE
productbuild --package example.pkg --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example-signed.pkg

Verifying

CODE
pkgutil --check-signature example-signed.pkg
CODE
Package "example-signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
   Certificate Chain:
    1. Developer ID Installer: John Doe (XXXXX)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           5B 56 25 9D F4 D5 5C D5 5C C6 2E 72 0E 19 DF AA 1C D5 32 BF 0E 02
           D3 92 F7 95 B0 5B 2B CC 2B 33
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
           68 C5 BE 91 B5 A1 10 01 F0 24
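As an added example that is not part of the Signum documentation, the following script pins the Developer ID Installer certificate by parsing pkgutil --check-signature output: it requires an Apple-issued developer signature, compares the leaf SHA256 fingerprint with an expected value, and rejects a leaf that has already expired at the reference time. The sample output and the pinned fingerprint are taken from the listing above; the reference time is an assumption.

```shell
#!/bin/sh
# Enforce a release policy on `pkgutil --check-signature <pkg>` output: the
# package must be signed by an Apple-issued developer certificate, the leaf
# (Developer ID Installer) SHA256 fingerprint must equal a pinned value, and
# the leaf must not be expired at the reference time. Reads pkgutil output on stdin.
check_pkg_signature() {
    pinned="$1"   # expected leaf fingerprint, upper-case hex, no spaces
    now="$2"      # reference time as 'YYYY-MM-DD HH:MM:SS +0000'
    out=$(cat)
    case "$out" in
        *"signed by a developer certificate issued by Apple"*) ;;
        *) echo "FAIL: not signed by an Apple-issued developer certificate" >&2; return 1 ;;
    esac
    # Chain entry 1 is the leaf, so its Expires: line is the first one.
    expires=$(printf '%s\n' "$out" | awk -F'Expires: ' '/Expires:/ { print $2; exit }')
    # The fingerprint wraps across lines: join the hex between the first
    # 'SHA256 Fingerprint:' header and the following separator line.
    fp=$(printf '%s\n' "$out" | awk '
        /SHA256 Fingerprint:/ && !done { grab = 1; next }
        grab && /^ *-+ *$/      { done = 1; grab = 0 }
        grab                    { gsub(/[^0-9A-Fa-f]/, ""); printf "%s", toupper($0) }')
    if [ "$fp" != "$pinned" ]; then
        echo "FAIL: leaf fingerprint $fp does not match pinned $pinned" >&2
        return 2
    fi
    # ISO-style timestamps in +0000 compare correctly as plain strings.
    if [ "$(expr "$expires" \< "$now")" = 1 ]; then
        echo "FAIL: leaf certificate expired on $expires" >&2
        return 3
    fi
    echo "OK: pinned Developer ID Installer certificate, expires $expires"
}

# Constructed sample, abbreviated from the pkgutil listing above.
SAMPLE_PKGUTIL='Package "example-signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
   Certificate Chain:
    1. Developer ID Installer: John Doe (XXXXX)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           5B 56 25 9D F4 D5 5C D5 5C C6 2E 72 0E 19 DF AA 1C D5 32 BF 0E 02
           D3 92 F7 95 B0 5B 2B CC 2B 33
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000'
PINNED_FP=5B56259DF4D55CD55CC62E720E19DFAA1CD532BF0E02D392F795B05B2BCC2B33
# Assumed reference time for the demonstration run (use `date -u` in practice).
printf '%s\n' "$SAMPLE_PKGUTIL" | check_pkg_signature "$PINNED_FP" "2025-03-18 19:24:43 +0000"
```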

Xcode

With signum-util set up and configured, and the keys added to the keychain, you can select certificates from Signum when building projects in Xcode.

  1. In the Apple Developer portal, generate a provisioning profile using the certificate that was imported into Signum.

  2. Download the profile.

  3. Run signum-util.

  4. Authenticate as a user with access to the certificate you want to use.

  5. In Xcode, go to the Signing and Capabilities section of the main app view.

  6. Uncheck the box that manages signing automatically.

  7. Select the provisioning profile you downloaded; it contains the certificate that matches the one in Signum.

  8. The signing certificate from Signum should now be selected. This certificate is used when you build or archive the project.
