Apple commands, certificate types, and troubleshooting
There are two commands to sign all types of recognized Apple binaries. You will need to identify the Apple certificate's Distinguished Name (DN) or the SHA-1 fingerprint to execute these commands.
When “Apple certificate identifier” is used as a placeholder in a command, you can use either the subject DN or SHA-1 fingerprint of the Apple certificate.
Note
If you have more than one certificate with the same DN, use the SHA-1 fingerprint instead of the DN to run the following commands.
How do I locate the subject DN? The certificate’s DN is listed in the "labl" field under the "Private key" section, after running the export command.
The certificate’s DN is referred to as “Apple Identity” for codesign and “Apple Developer ID” for productsign commands below.
How do I locate the certificate’s SHA-1 fingerprint? The SHA-1 fingerprint is listed in the "Sha1" field under "certificate" section, after running the export command.
codesign
The codesign command is used to sign .app and .dmg extensions.
Codesign command
codesign [--entitlements entitlements.xml] [--deep] [--force] [--verify] [--verbose] --sign "<Apple certificate identifier>" --options runtime "<Path to .app or .dmg file>"
Codesign using Distinguished Name (DN)
To sign using the Apple certificate's DN:
codesign -v -s "<Apple certificate DN>" --force "<Path to .app or .dmg file>"
Command sample:
codesign -v -s "Apple Development: DigiCert Inc (85W9468PYV)" --force example.app
Sample response using DN:
example.app: signed app bundle with Mach-O universal (x86_64 arm64) [DigiCert]
Codesign using SHA-1 fingerprint
To sign using SHA-1 fingerprint of the Apple certificate:
codesign -v -s "<SHA-1 fingerprint of Apple certificate>" --force "<Path to .app or .dmg file>"
Command sample:
codesign -v -s "88da70819d87865ae21996cb889d9e60abff7c9d" --force example.app
Command output:
example.app: replacing existing signature
example.app: signed app bundle with Mach-O universal (x86_64 arm64) [DigiCert]
productsign
Use the productsign command to sign .pkg and .dmg file extensions, which indicate Apple application installers and release binary distributables via the Apple Mac App Store, respectively.
Note
Use your system login password if you receive a private key permission pop-up when attempting to sign for the first time.
productsign command
productsign --sign "<Apple certificate identifier>" <Path to .pkg file> <Path to store signed file>
Productsign using Distinguished Name (DN)
To sign using the Apple certificate's DN:
productsign --sign "<Apple certificate DN>" <Path to .pkg file> <Path to store signed file>
Command sample:
productsign --sign "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" UNSIGNED_PKG.pkg SIGNED_PKG.pkg
Sample response using DN:
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to SIGNED_PKG.pkg
Productsign using SHA-1 fingerprint
To sign using SHA-1 fingerprint of the Apple certificate:
productsign --sign "<SHA-1 fingerprint of Apple certificate>" <Path to .pkg file> <Path to store signed file>
Command sample:
productsign --sign "1e50029693922d2f7efcf75488189c49ed3bf0bb" UNSIGNED_PKG.pkg SIGNED_PKG.pkg
Command output:
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" from keychain (null)
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to SIGNED_PKG.pkg
Apple certificate types and associated commands
Select the Apple certificate type based on the type of files you want to sign. The certificate type helps you identify a certificate in your developer account and account preferences.
Signing fails if you order the wrong certificate type from Apple or use a signing command that is not associated with the certificate type.
Type | Purpose | Associated command |
---|---|---|
Mac Installer Distribution | Sign and submit a Mac Installer Package, containing your signed app, to the Mac App Store. | Compatible with productsign |
Developer ID Application | Sign a macOS app before distributing it outside the Mac App Store. | Compatible with codesign |
Developer ID Installer | Sign and distribute a Mac Installer Package, containing your signed app, outside the Mac App Store. | Compatible with productsign |
APNs Auth Key | Generate server-side tokens as an alternative to certificates for your notification requests. | Not applicable |
Apple Push Services | Establish connectivity between your notification service and APNs to deliver remote notifications to your app. | Not applicable |
Apple Development | For iOS, tvOS, or watchOS apps, run the app on devices and use app services during development. For macOS apps, use app services during development and testing. Note: Available in Xcode 11.0 and later. For earlier Xcode versions, use an iOS Development or Mac Development certificate. | Not applicable |
Apple Distribution | For iOS, tvOS, or watchOS apps, run the app on designated devices for testing or submit it to the App Store. For macOS apps, sign an app before distributing it through the Mac App Store. Note: Available in Xcode 11.0 and later. For earlier Xcode versions, use an iOS Distribution or Mac App Distribution certificate. | Not applicable |
Apple Pay | Decrypt app transaction data sent by Apple to a merchant/developer. | Not applicable |
Merchant Identity | Authenticate you to Apple Pay Servers. | Not applicable |
Pass Type ID | Sign and send updates to passes in Wallet. | Not applicable |
VoIP Services | Establish connectivity between your notification server and APNs to alert background VoIP apps of incoming activity. | Not applicable |
WatchKit Services | Establish connectivity between your notification server and APNs to update ClockKit complication data. | Not applicable |
Website Push ID | Sign and send updates for Websites. Note: In your keychain, the certificate name contains a hint to the type, and includes the team name and Team ID. The development certificate name includes your name and Member ID. | Not applicable |
Apple signing errors and solutions
The following errors may occur during Apple signing.
No identity found
Error message:
88 da 70 81 9d 87 86 5a e2 19 96 cb 88 9d 9e 60 ab ff 7c 9d: no identity found
Description:
This error occurs when the SHA-1 fingerprint is pasted into the signing command with the spaces between the bytes left in place.
Solution:
Remove the spaces in the SHA-1 fingerprint in the signing command.
Could not find appropriate signing identity
Error message:
Could not find appropriate signing identity for "Developer ID Installer: Example Inc (DHPK4B64QS)
Description:
This error occurs when you use the productsign command and reference an incompatible certificate.
Solution:
Use a compatible certificate (Mac Installer Distribution or Developer ID Installer) in the productsign command.
This identity cannot be used for signing code
Error message:
Developer ID Installer: Example Inc (DHPK4B64QS): this identity cannot be used for signing code
Description:
This error occurs when you use the codesign command and reference an incompatible certificate.
Solution:
Use a compatible certificate (Developer ID Application) in the codesign command.
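The checks behind the three errors above, as an added example (not from the DigiCert page): a POSIX shell wrapper that strips the spaces from a pasted SHA-1 fingerprint, routes .pkg files to productsign and .app/.dmg files to codesign, and refuses the identity/tool pairings the page says fail. The DRY_RUN variable, the function names and the default signed-.pkg name are this example's own; real signing still requires macOS.

```shell
#!/bin/sh
# Added example (not from the DigiCert page): pick the Apple signing tool for an
# artifact and catch the identifier mistakes listed above before invoking it.
# Real signing needs macOS; with DRY_RUN=1 the command is printed, not executed.

# The export output shows the fingerprint as spaced bytes ("88 da 70 ...").
# Remove the spaces and require 40 hex digits; anything else is treated as a
# subject DN and passed through unchanged.
normalize_identity() {
    _id=$(printf '%s' "$1" | tr -d ' ')
    if printf '%s' "$_id" | grep -Eq '^[0-9A-Fa-f]{40}$'; then
        printf '%s' "$_id"
    else
        printf '%s' "$1"
    fi
}

# .pkg installers go to productsign; .app and .dmg go to codesign (per the page).
signing_tool_for() {
    case "$1" in
        *.pkg) echo productsign ;;
        *.app|*.dmg) echo codesign ;;
        *) return 1 ;;
    esac
}

# Reject the DN/tool pairs the page documents as failing: an Installer identity
# "cannot be used for signing code", an Application identity is not an
# "appropriate signing identity" for productsign. Fingerprints cannot be checked.
identity_compatible() {
    case "$2:$1" in
        codesign:"Developer ID Installer:"*) return 1 ;;
        productsign:"Developer ID Application:"*) return 1 ;;
        *) return 0 ;;
    esac
}

# usage: sign_apple_artifact <identity> <path> [signed-pkg-output]
sign_apple_artifact() {
    _ident=$(normalize_identity "$1"); _in=$2; _out=$3
    _tool=$(signing_tool_for "$_in") || { echo "unsupported file type: $_in" >&2; return 2; }
    identity_compatible "$_ident" "$_tool" || { echo "$_ident: not usable with $_tool" >&2; return 3; }
    if [ "$_tool" = codesign ]; then
        set -- codesign -v --force --options runtime -s "$_ident" "$_in"
    else
        set -- productsign --sign "$_ident" "$_in" "${_out:-${_in%.pkg}-signed.pkg}"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}
```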
TokenExtension not connected
The pluginkit command should show the Secure Software Manager TokenExtension driver after starting the Digicert SSM Signing Clients.app. If it does not:
Delete the Digicert SSM Signing Clients.app.
Reinstall Digicert SSM Signing Clients.app.
Restart your macOS and retry the pluginkit command.
Remove the TokenExtension driver manually using:
pluginkit -r "/Applications/Digicert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx"
Logs are written with the Apple unified logging framework.
To check the logs for DigiCert SSM Signing Clients:
log stream | grep "Digicert SSM Signing Clients"
To check the logs of the token:
log stream | grep TokenExtension
Run the man command for more details about codesign and productsign.
To see more details about codesign, run:
man codesign
To see more details about productsign, run:
man productsign
Make sure the Host, API key, client certificate password, and proxy settings are correct. Check the logs for error messages received from the server.
Failed to sign hash
Error message:
Logs:
2023-11-16 08:39:08.441813+0000 0x1149 Default 0x4d03 557 0 TokenExtension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -25264 MAC verification failed during PKCS12 import (wrong password?)
2023-11-16 08:39:08.441908+0000 0x1149 Default 0x4d03 557 0 TokenExtension: (SSMAPIClient) Info: SecPKCS12Import status -25264
SMCTL:
User is not multi-factor authenticated. Missing Client Authentication Certificate. As per compliance rules, user needs to be authenticated using multi-factor for performing sign operation.
Description:
OpenSSL 3.x changed its default algorithms for PKCS#12 files. The new defaults are not compatible with the macOS SSL libraries starting with Ventura. This affects Apple Keychain's ability to read DigiCert ONE client authentication certificates (cert.p12), because Keychain relies on LibreSSL.
Solution:
Use the -legacy flag available in OpenSSL 3.x: convert your DigiCert ONE client authentication certificate to cert.pem, then export it back into a PKCS#12 file with -legacy so that it is readable by LibreSSL and therefore compatible with Apple Keychain.
Confirm which OpenSSL version you're using:
openssl version
Note
If the output is LibreSSL, continue with the steps below on the machine with OpenSSL 3.x installed.
Convert the certificate from .p12 to .pem:
openssl pkcs12 -in cert.p12 -out cert.pem
Create a new .crt file:
Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----. Paste the contents into a plain text editor or IDE.
Save the file as certname.crt.
Create a new .key file:
Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----. Paste the contents into a plain text editor or IDE.
Save the file as encrypted.key.
Decrypt the encrypted .key file:
openssl rsa -in encrypted.key -out decryptedKey.key
Run the following command to create a certificate file compatible with Ventura and Sonoma OS. It links the decrypted private key (decryptedKey.key) with its associated X.509 certificate (certname.crt) and exports them as a PKCS#12 file (newcert.pfx):
openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
Set the path to newcert.pfx in the environment variables of the CTK.
Set the newcert.pfx password in the environment variables of the CTK.
For these changes to apply and start signing, you must:
Remove the existing token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token remove-token
Add a new token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl token add-token
Move the required keys to the new token:
/Applications/DigiCert\ SSM\ Signing\ Clients.app/Contents/MacOS/DigiCert\ SSM\ Signing\ Clients smctl keypair add-keys <keypair ID>
Note
For more information about how to complete these steps, refer to CryptoTokenKit (CTK).
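The conversion steps above as one script, added here as an example (not DigiCert's code): it splits the .p12 with openssl instead of copying PEM blocks by hand, re-exports with -legacy, and first checks whether a file actually uses the OpenSSL 3 encoding that Keychain rejects. It assumes OpenSSL 3.x with the legacy provider available; the function names, the PBES2 string check and the temporary-directory handling are this example's own.

```shell
#!/bin/sh
# Added example (not from the DigiCert page): do the page's .p12 -> .pem ->
# .crt/.key -> -legacy .pfx conversion with openssl alone, no copy/paste, and
# check first whether a file actually needs it. Needs OpenSSL 3.x with the
# legacy provider; file names follow the page (cert.p12 -> newcert.pfx).

# True when the PKCS#12 file is encrypted with the OpenSSL 3 defaults (PBES2 /
# AES, SHA-256 MAC), the encoding Ventura and Sonoma Keychain fail to import.
# usage: p12_uses_modern_encryption <file> <password>
p12_uses_modern_encryption() {
    P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -info -noout 2>&1 |
        grep -q 'PBES2'
}

# usage: reencode_p12_legacy <in.p12> <in-password> <out.pfx> <out-password>
reencode_p12_legacy() {
    _tmp=$(mktemp -d) || return 1
    (
        set -e
        # Certificate only: the -----BEGIN CERTIFICATE----- block the page copies
        P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
            -out "$_tmp/certname.crt"
        # Key only, unencrypted: the page's decryptedKey.key, readable by owner only
        P12_PASS=$2 openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            -out "$_tmp/decryptedKey.key"
        chmod 600 "$_tmp/decryptedKey.key"
        # Re-export with the legacy algorithms that LibreSSL-based Keychain reads
        P12_PASS=$4 openssl pkcs12 -export -legacy -inkey "$_tmp/decryptedKey.key" \
            -in "$_tmp/certname.crt" -passout env:P12_PASS -out "$3"
    )
    _rc=$?
    # The plaintext key was only an intermediate: remove it whether or not export worked
    rm -rf "$_tmp"
    return $_rc
}
```

Passwords are passed through the environment (-passin env:/-passout env:) rather than on the command line, so they do not show up in the process list.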
Failed to save configuration to keychain: -25308
Error message:
Failed to save configuration into Keychain. configurationError(message: "Failed to save configuration to keychain: -25308") Failed to set environment Veraibles. configurationError(message: "Failed to save configuration into Keychain. configurationError(message: \"Failed to save configuration to keychain: -25308\")")
Description:
This error occurs when your environment variables cannot be saved to Keychain because one or more variables are incorrect.
Solution:
Use the following macOS "security" command to unlock Keychain and provide the correct variables:
security unlock-keychain -p <password> ~/Library/Keychains/login.keychain
Attention
This macOS command stores your password in plaintext in your shell history file (.zsh_history). Manually erase this line from your history file so that your plaintext password cannot be read by others. Running security unlock-keychain without the -p option prompts for the password interactively instead, so it never reaches the history file.
Unlocking the Keychain increases your system's exposure until it is locked again. Any command typed in the terminal window is saved in a history file.