Sign Apple Binaries with Signum macOS Agent
A guide to using the Signum macOS agent to sign Apple binaries.
Prerequisites
Signum macOS Agent installed.
A Signum policy with permission to use the certificate from Mac for a specific user.
(In some cases) An Apple Developer account. Many scenarios require a certificate issued by Apple, which in turn requires an Apple Developer account. Each Apple certificate type has a specific use; for more information, see the Apple documentation.
Key Setup
The following setup uses the Apple CA. If you are using a private PKI, the steps are similar, with your own CA issuing the certificate.
Generate and download an RSA 2048 SHA256 CSR in Signum.
Log in to your Apple development account.
Upload the CSR generated by Signum.
Download and import the certificate into the Signum Admin Web.
Connect to Signum Server
Run the following command to configure and connect to the Signum Server:
signum-util setup -h [HOSTNAME] -u [USERNAME]
Instance [URL] successfuly reached .
User [mac@keyfactor] successfuly logged in URL.
New configuration saved successfully, some changes to system settings might require restarting SignumService.
For an example of connecting the macOS Agent to SignServer, see the SignServer macOS Agent documentation.
List Certificates
To list certificates, run the following command:
signum-util lc
Subject CN : Signum-RSA-4096
Issuer CN : BenDemoRoot-G2
Valid Until : 2029-04-22
Valid From : 2024-04-23
Thumbprint : 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD
Add to Keychain
For the keys to be usable with the macOS signing tools, they must be added to the keychain.
Run the following command to add a certificate to the keychain:
signum-util keychain --add
Certificate with alias [Signum-RSA-4096] and ID [21] was added successfully to the KeyChain
To view which certificates are added, run the following command:
sc_auth identities
The command returns something similar to:
SmartCard: com.keyfactor.signum.token:21
Unpaired identities:
C08811A3E3E1CA52F4629433E700FA44B42EA701 Signum-RSA-4096
Note that the hash shown by sc_auth is not the certificate thumbprint listed by signum-util lc.
Sign File
You can now perform Codesign signing and package signing.
Codesign Signing
Codesign can sign many file types, such as .app bundles, .dmg images, and so on.
Create a sample file to sign:
echo "something to sign" >> test.sh
To use a certificate with Codesign, the certificate must have code signing capability. Verify the certificate capabilities by running the following command:
signum-util lc -v Detailed
In this example, only the second certificate is valid for use with codesign:
Subject CN : MyCertificate1
Issuer CN : ManagementCA
Valid Until : 2026-02-06
Valid From : 2025-02-06
Thumbprint : ADB6818E772A8A747C4C1B592216DC3255533D05
Serial Number : 5409C71053E4C637E193CD569150D4D53C9967C8
Key Algorithm : RSA
Key Size : 2048 bits
Signature Algo : sha256RSA
Capability : Client Authentication (1.3.6.1.5.5.7.3.2)
Capability : Email Protection (1.3.6.1.5.5.7.3.4)
Subject CN : MyCertificate2
Issuer CN : ManagementCA
Valid Until : 2027-02-17
Valid From : 2025-02-17
Thumbprint : 5EDC77B129DEC8617DB950590D739C6BBF0BA95E
Serial Number : 4292EC377E6A0FD414C354FD8952B9687ABE0E08
Key Algorithm : RSA
Key Size : 2048 bits
Signature Algo : sha256RSA
Capability : Code Signing (1.3.6.1.5.5.7.3.3)
Use the certificate CN value or thumbprint to identify the signing identity:
codesign -s "Signum-RSA-4096" test.sh
codesign -s 3AB5BFB91DFBB46CF765D5BEE51429618C4857DD test.sh
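The capability check above is easy to skip in an automated build. The following script is an added example, not part of the Signum documentation: it parses the `signum-util lc -v Detailed` listing format shown above and selects only a certificate whose Capability lines carry the Code Signing OID (1.3.6.1.5.5.7.3.3), failing the build if none qualifies. The listing embedded in the script is constructed to mirror the guide's sample output; the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the Signum documentation: select a signing
# identity from "signum-util lc -v Detailed" output by its Code Signing
# capability (EKU 1.3.6.1.5.5.7.3.3), so a build script never hands codesign
# a certificate that was only issued for client authentication or email.

# Constructed listing in the format the guide shows. In real use replace
# this function's body with:  signum-util lc -v Detailed
sample_listing() {
cat <<'EOF'
Subject CN : MyCertificate1
Issuer CN : ManagementCA
Valid Until : 2026-02-06
Valid From : 2025-02-06
Thumbprint : ADB6818E772A8A747C4C1B592216DC3255533D05
Serial Number : 5409C71053E4C637E193CD569150D4D53C9967C8
Key Algorithm : RSA
Key Size : 2048 bits
Signature Algo : sha256RSA
Capability : Client Authentication (1.3.6.1.5.5.7.3.2)
Capability : Email Protection (1.3.6.1.5.5.7.3.4)
Subject CN : MyCertificate2
Issuer CN : ManagementCA
Valid Until : 2027-02-17
Valid From : 2025-02-17
Thumbprint : 5EDC77B129DEC8617DB950590D739C6BBF0BA95E
Serial Number : 4292EC377E6A0FD414C354FD8952B9687ABE0E08
Key Algorithm : RSA
Key Size : 2048 bits
Signature Algo : sha256RSA
Capability : Code Signing (1.3.6.1.5.5.7.3.3)
EOF
}

# Read a listing on stdin and print "THUMBPRINT<TAB>SUBJECT" for each
# certificate whose Capability lines include the Code Signing OID.
# A record starts at "Subject CN" and ends at the next "Subject CN" or EOF.
code_signing_identities() {
  awk -F' : ' '
    function flush() {
      if (ok && thumb != "") print thumb "\t" subject
      subject = ""; thumb = ""; ok = 0
    }
    $1 == "Subject CN" { flush(); subject = $2 }
    $1 == "Thumbprint" { thumb = $2 }
    $1 == "Capability" && index($2, "(1.3.6.1.5.5.7.3.3)") { ok = 1 }
    END { flush() }
  '
}

# Print the thumbprint of the first qualifying certificate, or fail with a
# clear message so the build stops instead of signing with the wrong key.
select_signing_thumbprint() {
  _thumb=$(code_signing_identities | head -n 1 | cut -f1)
  if [ -z "$_thumb" ]; then
    echo "no certificate with Code Signing capability in Signum listing" >&2
    return 1
  fi
  printf '%s\n' "$_thumb"
}

# Usage: resolve the identity, then pass it to codesign (the call is left
# commented so the script also runs on hosts without codesign or signum-util).
THUMB=$(sample_listing | select_signing_thumbprint)
echo "would sign with thumbprint $THUMB"
# codesign -s "$THUMB" --timestamp test.sh
```

Selecting by thumbprint rather than by CN avoids ambiguity when two certificates in Signum share a subject name, and the script fails closed: a listing that contains only client-authentication or email-protection certificates produces no thumbprint and a non-zero exit.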
Verify
After signing the file, use the following command to check the signed file:
codesign -dv --verbose test.sh
The command returns the following:
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
Log out by running the signum-util logout command.
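Reading the `codesign -dv --verbose` report by eye works for a demo, but a pipeline should fail on its own when the wrong identity, an ad-hoc signature or a missing timestamp shows up. The script below is an added example, not code from the Signum documentation: it checks the report's Authority chain, the presence of a Timestamp line and the absence of `Signature=adhoc`. The expected leaf and root names are taken from the guide's sample output, the ad-hoc report is constructed, and the function names are the author's own.

```shell
#!/bin/sh
# Added example, not part of the Signum documentation: turn the manual
# "codesign -dv --verbose" inspection into a pass/fail gate for a build
# pipeline. It checks that the leaf Authority is the expected Signum
# certificate, that the chain ends in the expected root, that a secure
# timestamp was embedded and that the signature is not ad-hoc.
# Expected names are taken from the guide's sample output; substitute
# your own certificate CN and root.

EXPECTED_LEAF="Signum-RSA-4096"
EXPECTED_ROOT="BenDemoRoot-G2"

# Constructed copy of the guide's sample report. In real use obtain it with
#   codesign -dv --verbose test.sh 2>&1
# (codesign writes this report to stderr).
sample_report() {
cat <<'EOF'
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20100 size=149 flags=0x0(none) hashes=1+2 location=embedded
Signature size=8480
Authority=Signum-RSA-4096
Authority=BenDemoRoot-G2
Timestamp=Aug 1, 2025 at 12:06:25 PM
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=1 size=80
EOF
}

# Constructed report of an ad-hoc signature (no certificate, no timestamp),
# the case the gate must reject.
adhoc_report() {
cat <<'EOF'
Executable=/Users/bdewberry/signum-mac-demo/test.sh
Identifier=test
Format=generic
CodeDirectory v=20400 size=149 flags=0x2(adhoc) hashes=1+2 location=embedded
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
EOF
}

# Read a codesign report on stdin, print one FAIL line per failed check and
# return 1 if any check failed, 0 otherwise.
check_codesign_report() {
  _report=$(cat)
  _rc=0
  _leaf=$(printf '%s\n' "$_report" | grep '^Authority=' | head -n 1 | cut -d= -f2-)
  _root=$(printf '%s\n' "$_report" | grep '^Authority=' | tail -n 1 | cut -d= -f2-)
  if [ "$_leaf" != "$EXPECTED_LEAF" ]; then
    echo "FAIL: leaf authority is '$_leaf', expected '$EXPECTED_LEAF'"; _rc=1
  fi
  if [ "$_root" != "$EXPECTED_ROOT" ]; then
    echo "FAIL: chain root is '$_root', expected '$EXPECTED_ROOT'"; _rc=1
  fi
  if printf '%s\n' "$_report" | grep -q '^Signature=adhoc'; then
    echo "FAIL: ad-hoc signature, no certificate was used"; _rc=1
  fi
  if ! printf '%s\n' "$_report" | grep -q '^Timestamp='; then
    echo "FAIL: no secure timestamp; the signature cannot be trusted after the certificate expires"; _rc=1
  fi
  return $_rc
}

# Usage: the first call passes, the second is rejected with four FAIL lines.
if sample_report | check_codesign_report; then echo "Signum-signed build accepted"; fi
adhoc_report | check_codesign_report || echo "ad-hoc build rejected"
```

The same pattern applies to the `pkgutil --check-signature` output in the package signing section: gate on the Status line and on the last entry of the Certificate Chain rather than on a successful exit code alone.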
Package Signing
To sign packages, you need a certificate of type “Developer ID Installer” issued by Apple through your developer account. Three utilities can sign packages: productsign, pkgbuild, and productbuild. Refer to the Apple documentation for usage specifics.
To sign the example.pkg file with productsign, run the following command:
productsign --sign "John Doe (XXXXXXXX)" example.pkg example-signed.pkg
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: John Doe (XXXXXXX)"
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to example-signed.pkg
To sign the example.pkg file with pkgbuild, run the following command:
pkgbuild --root pkgroot --identifier com.some.id --version 123 --install-location /usr/local/bin --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example.pkg
To sign the example.pkg file with productbuild, run the following command:
productbuild --package example.pkg --sign "Developer ID Installer: ABC Corp, INC (XXXXXXX)" example-signed.pkg
Verify
After signing the file, use the following command to check the signed file:
pkgutil --check-signature example-signed.pkg
Package "example-signed.pkg":
Status: signed by a developer certificate issued by Apple for distribution
Signed with a trusted timestamp on: 2025-03-18 19:24:43 +0000
Certificate Chain:
1. Developer ID Installer: John Doe (XXXXX)
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
5B 56 25 9D F4 D5 5C D5 5C C6 2E 72 0E 19 DF AA 1C D5 32 BF 0E 02
D3 92 F7 95 B0 5B 2B CC 2B 33
------------------------------------------------------------------------
2. Developer ID Certification Authority
Expires: 2027-02-01 22:12:15 +0000
SHA256 Fingerprint:
7A FC 9D 01 A6 2F 03 A2 DE 96 37 93 6D 4A FE 68 09 0D 2D E1 8D 03
F2 9C 88 CF B0 B1 BA 63 58 7F
------------------------------------------------------------------------
3. Apple Root CA
Expires: 2035-02-09 21:40:36 +0000
SHA256 Fingerprint:
B0 B1 73 0E CB C7 FF 45 05 14 2C 49 F1 29 5E 6E DA 6B CA ED 7E 2C
68 C5 BE 91 B5 A1 10 01 F0 24
Xcode
Once signum-util is set up and configured and the keys have been added to the keychain, users can select certificates from Signum when building projects with Xcode.
In the Apple Developer portal, generate a profile using the certificate that was imported into Signum.
Download the profile.
Run the signum-util.
Authenticate the user with access to the certificate you want to use.
In Xcode, go to the Signing and Capabilities section of the main app view screen.
Uncheck the box to manage signing automatically.
Select the downloaded provisioning profile, whose certificate matches the one imported into Signum.
The signing certificate from Signum should be selected. This certificate will be used when you build or archive the project.