MacOS – How does codesign and signing of profiles on os x work

At the moment I am messing around with OS X profile manager and configuration profiles in general.
I like the idea of being able to push settings to clients and I'd like to use it for my customers. The problem is, that we can't use profile manager, because it doesn't fit in our business model.

(Short excourse: We manage around 50 customers in my hometown, mostly with 5-50 workers each. Those customers are all individual and do not have any relations to each other. Therefore we can't use one server for all, and setting up one server per customer is also not a thing we'd like to do (or the customer would like to pay;))

I found out so far, that you can import a "trust-profile" and after that one is installed, the user can install all profiles coming from this trusted server without having to supply administration-credentials (this is key, because we don't give them the administrator login in general).

However, on OS X you can use "codesign" (on the terminal) to sign profiles with your private key and then it's signed and computers with the trust-profile installed trust this signed profile.

I'd like to know, what exactly codesign does (does it simply encrypt the profile with your private key?) so I could find another way of signing those profiles on a non-osx machine.

The long term objective would be to have one (web)server sitting "somewhere in the internet" and serving all our customers with profiles. For this I'd write a library and webApp (if this doesn't exist yet) to configure and deploy profiles.
I could also imagine publishing it to github.

Regards
Christian

Best Answer

I suspect writing an equivalent to codesign on a non-Apple platform will be tricky; but you might be lucky as parts may be open source.

Consider having a Mac provide a code signing service solely for your web server. Then you can use Apple's codesign but avoid using the Mac as the public server.

Apple provide two useful documents about code signing:

The technical note is a great source of information for how codesign works and has changed across different editions of OS X:

The purpose of this technote is to provide a more in depth view of code signing. It is intended to expand upon the information given in the Code Signing Guide by supplying a more detailed analysis of the technology. The target audience for this document is OS X developers who have read and presumably understand the information given in the Code Signing Guide but want to learn a bit more.

Best Answer

Related Solutions

Lion Server: Is Mobility in Workgroup Manager related to Profile Manager in the Server.app

How to generate a batch of profiles and certificates for OS X Server Profile Manager

Related Question