
Using Signum with Apple code signing

A guide to using the Signum macOS agent to sign Apple binaries.

Prerequisites

  • Many scenarios require a certificate from Apple, which in turn requires an Apple Developer account. Each certificate type has a specific use; for more information see Apple’s documentation.

  • A Signum policy that grants a specific user permission to use the certificate from a Mac

  • The Signum MacOS Agent utility installed and configured

Key Setup

Below are the steps for using Apple’s CA. Similar steps apply if you are using a private PKI.

  1. Generate and Download an RSA 2048 SHA256 CSR in Signum.

  2. Log in to your Apple Developer account and upload the CSR generated by Signum.

  3. Download the issued certificate and import it into the Signum Admin Web.

Configure & Connect to the Signum Server

CODE
 signum-util setup -h [HOSTNAME] -u [USERNAME]
CODE
Instance [URL] successfuly reached .
User [mac@keyfactor] successfuly logged in URL.
New configuration saved successfully, some changes to system settings might require restarting SignumService.

Listing Certificates

CODE
signum-util lc
CODE
Subject CN     : Signum-RSA-4096
    Issuer CN      : BenDemoRoot-G2
    Valid Until    : 2029-04-22
    Valid From     : 2024-04-23
    Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD

Adding to Keychain

For the keys to be usable with macOS signing tools, they need to be added to the keychain.

CODE
signum-util keychain --add
CODE
Certificate with alias [Signum-RSA-4096] and ID [21] was added successfully to the KeyChain

To view what has been added, run:

CODE
sc_auth identities

This returns something like the output below. Note that the hash it reports is the identity hash, not the thumbprint of the certificate shown by signum-util lc.

CODE
SmartCard: com.keyfactor.signum.token:21
Unpaired identities:
C08811A3E3E1CA52F4629433E700FA44B42EA701	Signum-RSA-4096

Signing & Verifying

App / Codesign Signing

The example below uses a generic file. To view all of the options for codesign, check the man page. codesign can be used to sign different types of files, such as .app bundles and .dmg images.

Signing

You can use either the CN of the certificate or the thumbprint returned by signum-util lc as the --sign identity.

CODE
codesign --sign "Signum-RSA-4096" --timestamp test.sh
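Because codesign accepts a CN, two certificates that share a CN (for example a renewed certificate alongside the old one) make signing by name ambiguous. The script below is an added example, not part of the Signum documentation or the signum-util tool: it parses the record layout that signum-util lc prints (as shown under Listing Certificates above), keeps only the certificate with the requested CN that is valid today, and hands codesign the thumbprint instead of the name. The sample output is constructed for offline use; its second record is a made-up, expired certificate with the same CN and a zeroed thumbprint. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Signum docs): pick an unambiguous signing
# identity from `signum-util lc` output and confirm it is inside its
# validity window before passing it to codesign.
# Assumption: the record layout shown on this page (Subject CN / Issuer CN /
# Valid Until / Valid From / Thumbprint). On a real host replace the sample:
#   LC_OUTPUT=$(signum-util lc)
set -eu

# Constructed sample: first record copied from the page, second record is a
# made-up expired certificate sharing the same CN.
SAMPLE_LC='Subject CN     : Signum-RSA-4096
    Issuer CN      : BenDemoRoot-G2
    Valid Until    : 2029-04-22
    Valid From     : 2024-04-23
    Thumbprint     : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
Subject CN     : Signum-RSA-4096
    Issuer CN      : BenDemoRoot-G2
    Valid Until    : 2024-01-01
    Valid From     : 2023-01-01
    Thumbprint     : 0000000000000000000000000000000000000000'
LC_OUTPUT=${LC_OUTPUT:-$SAMPLE_LC}

# Flatten the indented records into one line each: CN|from|until|thumbprint.
# The value is everything after the first ": ", so CNs that themselves
# contain a colon (e.g. "Developer ID Installer: John Doe (TEAMID)") survive.
parse_lc() {
  awk '
    function val(s) { sub(/^[^:]*: */, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*Subject CN/  { if (cn != "") print cn "|" vf "|" vu "|" tp
                           cn = val($0); vf = vu = tp = "" }
    /^[ \t]*Valid From/  { vf = val($0) }
    /^[ \t]*Valid Until/ { vu = val($0) }
    /^[ \t]*Thumbprint/  { tp = val($0) }
    END { if (cn != "") print cn "|" vf "|" vu "|" tp }'
}

# Print the thumbprint of the single certificate with the requested CN that is
# valid today. Fail when there is none or more than one, rather than letting
# codesign choose between identities that share a name.
select_identity() {
  want_cn=$1
  today=$(date +%Y%m%d)
  count=0
  match=""
  while IFS='|' read -r cn vf vu tp; do
    [ "$cn" = "$want_cn" ] || continue
    # ISO dates compare correctly as integers once the dashes are removed.
    vf_n=$(printf '%s' "$vf" | sed 's/-//g')
    vu_n=$(printf '%s' "$vu" | sed 's/-//g')
    if [ "$vf_n" -le "$today" ] && [ "$vu_n" -ge "$today" ]; then
      count=$((count + 1))
      match=$tp
    fi
  done <<EOF
$(printf '%s\n' "$LC_OUTPUT" | parse_lc)
EOF
  if [ "$count" -ne 1 ]; then
    echo "error: $count valid certificates match CN '$want_cn'" >&2
    return 1
  fi
  printf '%s\n' "$match"
}

# Sign by thumbprint rather than CN, with a timestamp so the signature remains
# valid after the certificate expires. Needs a macOS host with codesign.
sign_file() {
  tp=$(select_identity "$1") || return 1
  codesign --sign "$tp" --timestamp "$2"
}

# Offline demonstration on the constructed sample (no codesign call).
if tp=$(select_identity "Signum-RSA-4096"); then
  echo "would sign with thumbprint $tp"
fi
```

On a Mac the call is sign_file "Signum-RSA-4096" test.sh; the verification step that follows on this page is unchanged. Signing by thumbprint is also what you want in CI, where a renewed certificate can appear in the keychain without anyone updating the pipeline.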

Verifying

CODE
codesign -dv --verbose test.sh
CODE
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80

Package Signing

Note that for this to work, a certificate from Apple of type “Developer ID Installer”, issued through your developer account, is required. Three utilities can be used: productsign, pkgbuild, and productbuild. Refer to Apple’s documentation for specifics on usage.

Signing

CODE
productsign --sign "John Doe (XXXXXXXX)" example.pkg example-signed.pkg
CODE
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: John Doe (XXXXXXX)" 
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to example-signed.pkg
CODE
pkgbuild --root pkgroot --identifier com.some.id --version 123 --install-location /usr/local/bin --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example.pkg
CODE
productbuild --package example.pkg --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example-signed.pkg

Verifying

CODE
pkgutil --check-signature example-signed.pkg
CODE
Package "example-signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
   Certificate Chain:
    1. Developer ID Installer: John Doe (XXXXX)
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           5B 56 25 9D F4 D5 5C D5 5C C6 2E 72 0E 19 DF AA 1C D5 32 BF 0E 02
           D3 92 F7 95 B0 5B 2B CC 2B 33
       ------------------------------------------------------------------------
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
       SHA256 Fingerprint:
           7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
           F2 9C 88 CF B0 B1 BA 63 58 7F
       ------------------------------------------------------------------------
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000
       SHA256 Fingerprint:
           B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
           68 C5 BE 91 B5 A1 10 01 F0 24
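Reading a verification report by eye does not scale to a build pipeline, so here is an added example (not from the Signum documentation) that turns both verification commands on this page into pass/fail gates: check_codesign_report consumes the output of codesign -dv --verbose (shown under App / Codesign Signing) and check_pkg_report consumes the output of pkgutil --check-signature shown just above. Each succeeds only when the reported chain starts at the expected leaf, ends at the expected root, and a timestamp is present. The two samples are constructed from the output on this page so the script runs offline; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Signum docs): gate a pipeline step on the
# codesign and pkgutil verification reports shown on this page.
# Assumption: the report formats shown on this page. Real usage on a Mac
# (note that codesign -dv writes its report to stderr, hence 2>&1):
#   codesign -dv --verbose test.sh 2>&1 \
#     | check_codesign_report "Signum-RSA-4096" "BenDemoRoot-G2"
#   pkgutil --check-signature example-signed.pkg \
#     | check_pkg_report "Developer ID Installer: John Doe (XXXXX)" "Apple Root CA"
set -eu

# Constructed samples, copied from the page's verification output.
CODESIGN_SAMPLE='Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80'

PKG_SAMPLE='Package "example-signed.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
   Certificate Chain:
    1. Developer ID Installer: John Doe (XXXXX)
       Expires: 2027-02-01 22:12:15 +0000
    2. Developer ID Certification Authority
       Expires: 2027-02-01 22:12:15 +0000
    3. Apple Root CA
       Expires: 2035-02-09 21:40:36 +0000'

# codesign lists Authority= lines leaf first, root last. An ad-hoc signature
# reports "Signature=adhoc" and no Authority lines; an unsigned file reports
# no Authority lines at all. Both must fail the gate.
check_codesign_report() {
  awk -v leaf="$1" -v root="$2" '
    /^Authority=/      { n++; auth[n] = substr($0, 11) }
    /^Timestamp=/      { ts = substr($0, 11) }
    /^Signature=adhoc/ { adhoc = 1 }
    END {
      if (adhoc)           { print "FAIL: ad-hoc signature"; exit 1 }
      if (n == 0)          { print "FAIL: no signing authority reported"; exit 1 }
      if (auth[1] != leaf) { print "FAIL: leaf is \"" auth[1] "\""; exit 1 }
      if (auth[n] != root) { print "FAIL: root is \"" auth[n] "\""; exit 1 }
      if (ts == "" || ts == "not set") { print "FAIL: no secure timestamp"; exit 1 }
      print "OK: " leaf " -> " root " (timestamp " ts ")"
    }'
}

# pkgutil prints a Status line, a trusted-timestamp line when one is present,
# and a numbered chain, leaf first. An unsigned package reports
# "Status: no signature" and no chain.
check_pkg_report() {
  awk -v leaf="$1" -v root="$2" '
    /^[ \t]*Status:/ { status = $0; sub(/^[ \t]*Status:[ \t]*/, "", status) }
    /^[ \t]*Signed with a trusted timestamp on:/ { ts = 1 }
    /^[ \t]*[0-9]+\. / { n++; s = $0; sub(/^[ \t]*[0-9]+\. /, "", s); chain[n] = s }
    END {
      if (status !~ /^signed by a developer certificate issued by Apple/) {
        print "FAIL: status is \"" status "\""; exit 1 }
      if (n == 0)           { print "FAIL: no certificate chain"; exit 1 }
      if (chain[1] != leaf) { print "FAIL: leaf is \"" chain[1] "\""; exit 1 }
      if (chain[n] != root) { print "FAIL: root is \"" chain[n] "\""; exit 1 }
      if (!ts)              { print "FAIL: no trusted timestamp"; exit 1 }
      print "OK: " leaf " -> " root ", trusted timestamp present"
    }'
}

# Offline demonstration on the constructed samples.
printf '%s\n' "$CODESIGN_SAMPLE" | check_codesign_report "Signum-RSA-4096" "BenDemoRoot-G2"
printf '%s\n' "$PKG_SAMPLE" | check_pkg_report "Developer ID Installer: John Doe (XXXXX)" "Apple Root CA"
```

Pinning both ends of the chain matters: the leaf check catches a build signed with the wrong identity, and the root check catches a chain that terminates in a private test root instead of the CA you deploy. Requiring the timestamp keeps signatures verifiable after the signing certificate expires, which the --timestamp flag used earlier on this page provides.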

Xcode

With signum-util set up and configured, and the keys added to the keychain, users can select certificates from Signum when building projects with Xcode.

  1. In the Apple Developer portal generate a profile using the certificate that was imported into Signum and download the profile.

  2. Run signum-util and authenticate as the user with access to the certificate you want to use.

  3. In Xcode go to the Signing and Capabilities section of the main app view screen and uncheck the box to manage signing automatically.

  4. Select the downloaded provisioning profile, whose certificate matches the one held in Signum.

  5. The signing certificate from Signum should be selected. This certificate will be used when you build or archive the project.
