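#!/usr/bin/env bash
# Title:   Signing OS X App
# Subject: How to sign stuff in OS X
# By:      John Stile
#
# Usage (secrets come from the environment, never from this file):
#   KeyPass=... CrtPass=... ./sign.sh import        # one-off: import the .p12
#   KeyPass=...             ./sign.sh sign my.app   # sign one .app/.pkg/.dmg
#   KeyPass=...             ./sign.sh sign-all      # sign everything under .
#
# Get a Developer ID certificate from a CA first (the original author used
# Thawte); that part is not covered here.
#
# Security notes for this page:
#   * KeyPass (keychain password) and CrtPass (.p12 password) are secrets. The
#     original had them as literals ("mypassword", "Doh!"); do not commit them.
#     Read them from the build environment and keep `set -x` off around them.
#   * `security unlock-keychain -p` and `security import -P` take the password
#     as an argument, so it is visible to other local users in `ps` while the
#     command runs. Use a dedicated build user / build keychain on shared hosts.
#   * Grant the private key to /usr/bin/codesign only (`security import -T`, or
#     the Access Control tab in Keychain Access). Never use `-A` / "allow all
#     applications".

set -euo pipefail

#----------------------------
# Set variables
#----------------------------
# Non-secret settings; all can be overridden from the environment.
UserName="${UserName:-build}"
CrtFile="${CrtFile:-HomerSimpsonDeveloperID.p12}"
Keychain="${Keychain:-/Users/${UserName}/Library/Keychains/login.keychain}"
Identity="${Identity:-Developer ID Application: Homer Simpson}"
# Secrets (KeyPass, CrtPass) are checked by require_secret when a step needs
# them, so `./sign.sh` with no arguments does not demand them.

die()  { printf '[!!] %s\n' "$*" >&2; exit 1; }
ok()   { printf '[OK] %s\n' "$*"; }
step() { printf '[>>] %s\n' "$*"; }

# Abort unless the environment variable named by $1 is set and non-empty.
require_secret() {
  [[ -n "${!1:-}" ]] || die "$1 must be set in the environment (do not hard-code it)"
}

# Unlock the build keychain and make sure it is locked again on every exit
# path; the original autobuild script never re-locked it.
unlock_keychain() {
  require_secret KeyPass
  trap 'security lock-keychain "$Keychain"' EXIT
  step "Unlock keychain: $Keychain"
  # -p puts the password on the command line (visible in `ps`, see header).
  security unlock-keychain -p "$KeyPass" "$Keychain" || die "Failed to unlock $Keychain"
  ok "Unlocked keychain"
}

#============================
# Import certificate
#============================
# The original author reported that the command-line import did not work and
# used the GUI instead; both methods are kept below. A common cause is that the
# imported private key is not usable by codesign without an interactive
# prompt, which the GUI "Access Control" step fixes and which `-T` does here.
import_certificate() {
  require_secret CrtPass
  step "List keychains before we start"
  security list-keychains
  #   "/Users/build/Library/Keychains/login.keychain"
  #   "/Library/Keychains/System.keychain"
  step "List identities before import (informational)"
  security find-identity "$Keychain" || true

  unlock_keychain

  step "Import $CrtFile into $Keychain"
  # -k: target keychain.  -P: .p12 password (also visible in `ps`).
  # -T: allow codesign to use the private key without a GUI prompt that a
  #     headless build cannot answer. Add `-T /Developer/Applications/Utilities/PackageMaker.app`
  #     only if you also sign packages with PackageMaker. Never use -A.
  security import "$CrtFile" -k "$Keychain" -P "$CrtPass" -T /usr/bin/codesign \
    || die "Failed to import $CrtFile"
  #   2 certificates imported.
  # NOTE(review): on macOS 10.12 and later the key additionally needs
  #   security set-key-partition-list -S apple-tool:,apple: -s -k "$KeyPass" "$Keychain"
  # before codesign can use it non-interactively — verify on your build hosts.

  step "Verify identity"
  local found
  found=$(security find-identity -v -s "$Identity" "$Keychain")
  printf '%s\n' "$found"
  # find-identity returns 0 even when nothing matches, so check the output.
  [[ "$found" == *"$Identity"* ]] || die "No valid identity '$Identity' in $Keychain"
  ok "Imported $Identity"
  # The EXIT trap set by unlock_keychain locks the keychain again.
}

#----------------------------
# GUI import (Keychain Access)
#----------------------------
# Applications -> Utilities -> Keychain Access
#   Click 'login'; click 'Keys'; click the unlock symbol in the upper left.
#   File -> Import -> enter the keychain password ($KeyPass).
#   You will now see your certificate imported; it must have an arrow next to
#   it, and `security find-identity` must list it under "Valid identities only".
# Allow /usr/bin/codesign access to the private key:
#   Right-click the imported key (the original says "certificate"; the Access
#   Control tab belongs to the private key item) -> Get Info -> "Access Control".
#   Under "Always allow access by these applications", click "+",
#   press Cmd+Shift+G and enter: /usr/bin/codesign
# Allow PackageMaker access to the key (only if you sign packages with it):
#   Same steps, entering e.g. /Developer/Applications/Utilities/PackageMaker.app
# Do NOT select "Allow all applications to access this item".
# Lock the keychain again and close Keychain Access.

#============================
# Signing
#============================
# First try to sign something manually (`./sign.sh sign my.app`); eventually
# you will want to automate it (`./sign.sh sign-all`).

# Sign one .app, .pkg or .dmg and verify the result. Any nested .app must
# already be signed before the bundle that contains it.
sign_one() {
  local target=$1
  step "Sign application: $target"
  codesign -f -v -s "$Identity" "$target" || die "Failed to sign: $target"
  ok "Sign application: $target"
  step "Verify Signed Code: $target"
  codesign --verify --verbose "$target" || die "Failed to verify: $target"
  ok "Verified: $target"
}

# Find every .app, .dmg and .pkg under the current directory and sign them.
# -depth lists a directory's contents before the directory itself, so an inner
# .app is signed before its outer .app (the original relied on `sort -r` for
# this). -print0 / `read -d ''` keep paths with spaces or newlines intact.
# The loop runs in the current shell, so `die` really stops the build; in the
# original, `find | (while ...; exit 1; done)` only left the subshell and the
# script carried on after a failed signature.
sign_all() {
  local target
  while IFS= read -r -d '' target; do
    sign_one "$target"
  done < <(find . -depth \( -name '*.app' -o -name '*.dmg' -o -name '*.pkg' \) -print0)
}

usage() {
  printf 'Usage: %s import | sign <path> | sign-all\n' "${0##*/}" >&2
  exit 2
}

main() {
  case "${1:-}" in
    import)
      import_certificate ;;
    sign)
      [[ $# -eq 2 ]] || usage
      unlock_keychain
      sign_one "$2" ;;
    sign-all)
      unlock_keychain
      sign_all ;;
    *)
      usage ;;
  esac
}

main "$@"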