I want to codesign
one of my applications by using my own certificate (not created with Keychain Access).
First, I create a v3.ext
file:
keyUsage = digitalSignature
Then, I created my certificate with openssl
:
$ openssl genrsa -des3 -out passkey.key 2048
$ openssl rsa -in passkey.key -out mykey.key
$ openssl req -new -key mykey.key -out cert.csr
$ openssl x509 -req -sha256 -extfile v3.ext -days 3650 -in cert.csr -signkey mykey.key -out mycertificate.crt
$ openssl pkcs12 -export -in mycertificate.crt -inkey mykey.key -out certificate.p12 -name "My Company Name"
I imported certificate.p12
into Keychain Access by dragging it on the docker. Now, when I try to sign my application, I have this error:
$ security find-identity
Policy: X.509 Basic
Matching identities
11) 5DC3086CAD3848A22FB6E614FB8836BDDBD18938 "My Company Name" (CSSMERR_TP_NOT_TRUSTED)
$ codesign --deep -fs 5DC3086CAD3848A22FB6E614FB8836BDDBD18938 repro.app
: this identity cannot be used for signing code
However, we can see this certificate can be used to verify (CSSM_KEYUSE_VERIFY
):
$ certtool y
Serial Number : 00 F6 E2 FC FC D1 67 A6 7A
Issuer Name :
Country : FR
State : Some-State
Org : My Company Name
Subject Name :
Country : FR
State : Some-State
Org : My Company Name
Cert Sig Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 0B >
alg params : 05 00
Not Before : 15:09:59 May 13, 2019
Not After : 15:09:59 May 10, 2029
Pub Key Algorithm : OID : < 06 09 2A 86 48 86 F7 0D 01 01 01 >
alg params : 05 00
Pub key Bytes : Length 270 bytes : 30 82 01 0A 02 82 01 01 ...
CSSM Key :
Algorithm : RSA
Key Size : 2048 bits
Key Use : CSSM_KEYUSE_VERIFY
Signature : 256 bytes : 4E F5 B9 35 9D 6A D5 2E ...
Extension struct : OID : < 06 03 55 1D 0F >
Critical : FALSE
usage : DigitalSignature
What should I do to allow this identity to sign code?
Best Answer
Your certificate is missing specific
codesign
requirements. These go beyondkeyUsage = digitalSignature
.Conforming Certificate
You need to create a certificate that conforms to macOS's codesigning requirements. You can find the requirements in Certification Authority Certification Practice Statement Developer ID:
For more details, see the Security StackExchange question How to create an Apple Installer Package Signing Certificate.
Trusted Certificate Authority
With a conforming certificate, you will be able to
codesign
your binary. For the code signature to recognised, you will need to install and trust the Certificate Authority (CA) certificate on your Mac. This needs to be done in a way that Gatekeeper trusts.You can learn more about this step by searching for
install root certificate mac
.