
Signing Apple Applications with CodeSign Secure and our Apple CSP

Introduction 

The applications you use on your Macintosh (Mac) are .app applications. Applications used in the macOS App Store, or just on a Mac in general, must be signed to be usable with the operating system. These .app files can take a while to be signed by the iOS App Store or with your own tools or code signing platform. In fact, many code signing platforms do not have the ability to sign .app files on a Mac machine. We at Encryption Consulting, however, have made it possible for you to sign these .app files on your Mac. Using CodeSign Secure and our Apple Signing CSP, you can quickly and efficiently set up your environment to sign .app files with ease.

Apple Signing

Apple applications are a necessary part of any macOS system, and if you are developing these applications to put them on the iOS App Store, you will need to ensure these files are signed properly. Setting up Apple Signing yourself can be a complicated process, but with CodeSign Secure’s Apple Signing CSP, it is simple to set up the prerequisites on your Mac machine and begin Apple Signing.

Configuration for Apple Signing

Configuration of your Mac to run our Apple CSP is a very quick and easy process. One of the main prerequisites is that you should be able to access the CodeSign Secure webpage. From there, it is just a few steps to actually prepare your machine for signing. Let’s start with the downloads from CodeSign Secure.

Prerequisites: Ensure you have a username and access to the CodeSign Secure webpage.

From the CodeSign Secure webpage, go to the Signing Tools section and download the EC Provider for Mac.  


Unzip the file and transfer the unzipped file to the Applications folder. From here, run the ECCssProvider application.  


Ensure you have your CodeSign Secure URL, Username, and code entered into the application and then select refresh.


The page should now show the different certificates you have access to for signing. Now, we must set up the P12 certificate for access to signing on the server. First, go to the CodeSign Secure webpage and select the Settings section. From here, select “User”. Finally, on the drop-down menu on the right, select “Generate Authentication Certificate”.


Enter the Certificate Name, UserName, and Expiration Date of the P12 certificate, then select the “Generate” option. A p12 certificate should be generated and downloaded to your machine. Save the password of the certificate as well as the certificate itself.  


Double-click your newly downloaded P12 certificate and open it with the application “Keychain Access.” It should prompt you for the administrator password and the certificate password, which will put the certificate in your System keychain.


After putting the authentication certificate into your keychain, open the key itself. Go to Certificates under System, and the key should be in the drop-down of the authentication certificate. Right-click it and select Get Info. From there, select Access Control and allow access to the certificate using the ECCssProvider.app application. You will likely need to restart your machine for the permission change to take effect.


Next, ensure you have the full certification path of the certificate you will be signing with in your Keychain Access. Mac devices tend not to start with the known certification chains like Windows machines do, so if you are using an OV/EV certificate for signing, you must upload that entire certification chain.


Now, we need to run the following command: /Applications/ECCssProvider.app/Contents/MacOS/ECCssProvider --batch --tlsclient <Auth Cert Name>. This command will set the authentication certificate we uploaded as the TLS authentication certificate when connecting to the CodeSign Secure server.


Our next command is security export-smartcard -i com.encryptionconsulting.ECCssProvider.CssToken:ECCSS. This command pulls up all of the certificates listed in the ECCssProvider GUI and details about those certificates. The important detail we need is the SHA1 hash of that certificate. We will use that hash to determine which certificate we are signing with. The certificates are in the same number order as they appear in the GUI.  


Finally, we run our codesign command: codesign -f -s <Hash of the Certificate for signing> <Application or file to be signed>. The -f flag forces codesign to overwrite any old signature on the file, and the -s flag specifies the identity we are signing with, which here is the hash of the certificate we are using. The last argument is the path to the file to be signed. As you can see below, this is our expected output on the signing command.

[Screenshot: signing command output]
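
The signing step above, followed by a verification pass, as an added example (not part of the original article or of CodeSign Secure). The function names are hypothetical; the script assumes the provider is already configured as described and takes the certificate hash and target path as its two arguments.

```shell
#!/bin/sh
# Added example: sign with a certificate chosen by SHA-1 hash, then verify.

# Normalise a fingerprint copied from a GUI or terminal (spaces, colons,
# mixed case) and require exactly 40 hex digits. codesign only treats the
# -s value as a certificate hash when it is exactly 40 hex digits; any
# other string is matched against identity names instead, which can select
# a different certificate than the one intended.
normalize_sha1() {
    h=$(printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F')
    case "$h" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#h}" -eq 40 ] || return 1
    printf '%s\n' "$h"
}

sign_and_verify() {
    hash=$(normalize_sha1 "$1") || { echo "not a SHA-1 hash: $1" >&2; return 2; }
    target=$2
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 2; }

    # Same command as in the article: -f replaces any existing signature.
    codesign -f -s "$hash" "$target" || return 1

    # Confirm the new signature is valid and seals the bundle contents.
    codesign --verify --strict --verbose=2 "$target" || return 1

    # List the signing chain. An OV/EV certificate whose chain is missing
    # from the keychain shows fewer Authority= lines than expected; grep
    # fails (and so does this function) if none are present at all.
    codesign -dvv "$target" 2>&1 | grep '^Authority='
}

# Run only when called as: script.sh <certificate hash> <path to sign>
if [ "$#" -eq 2 ]; then
    sign_and_verify "$1" "$2"
fi
```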

Conclusion 

As you can see, setup for this Apple Signing is very simple, especially if you have set up different types of signing with CodeSign Secure in the past. Our Apple CSP can sign any type of Apple file, including .app, .dmg, .pkg, .ipa, and .mpkg files. More detailed documentation can be found in the documentation section of the CodeSign Secure webpage. If you have any questions, wish to see a Demo, or start a POC, please reach out to [email protected] or www.encryptionconsulting.com


About the Author


Riley Dickens is a graduate of the University of Central Florida, where he majored in Computer Science with a specialization in Cyber Security. He has worked in Cyber Security for 4 years, focusing on Public Key Infrastructure, Hardware Security Module integration and deployment, and designing Encryption Consulting’s Code Signing Platform, Code Sign Secure. His drive to solve security problems and find creative solutions is what makes him so passionate about the Cyber Security space. His work with clients has ensured that they have the best possible outcome with encryption regulations, implementations, and design of infrastructure. Riley enjoys following his passion for penetration testing in his spare time, along with playing tennis.
