Apple certificate procedure
Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. Store this certificate in DigiCert® Software Trust Manager together with its keypair, both for safekeeping and so that you can sign for Apple platforms with Software Trust Manager. Software Trust Manager syncs the Apple certificate to macOS for use with the Apple signing workflows while the private key stays in Software Trust Manager.
Store the keypair and certificate only in DigiCert® Software Trust Manager. Delete any local copy of the private key that exists outside DigiCert® Software Trust Manager.
Tip
The Apple certificate procedure expects the keypair to meet the following requirements:
Algorithm: RSA
Key size: 2048
Keypair category: Production
Keypair type: Static
A workaround for test certificates is described at the end of this page, but test certificates only allow you to sign with codesign, not productsign.
Before you begin
Set up the DigiCert® Software Trust Manager Apple client from the DigiCert ONE platform.
Create a keypair in Software Trust Manager, or import an existing keypair into Software Trust Manager.
Generate a CSR for the keypair stored in Software Trust Manager.
Have your Apple developer username and password available.
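The following is an added example and not part of DigiCert's documentation or tooling: a pre-flight check to run on the CSR before ordering from Apple, confirming that it carries an RSA 2048-bit public key (the requirements listed under Tip above) and that its self-signature verifies, so that a corrupt or mis-generated CSR is caught before the Apple order rather than after. It assumes only the openssl command-line tool; the function name is mine. Any key it is exercised against during testing is a throwaway and has nothing to do with the keypair held in Software Trust Manager.

```shell
#!/bin/sh
# Added example, not DigiCert's code: pre-flight check of a CSR before it is
# submitted to Apple, against the requirements above (RSA, 2048-bit).

# Usage: check_apple_csr <csr file>; returns 0 when the CSR is acceptable.
check_apple_csr() {
  csr=$1
  if [ ! -r "$csr" ]; then
    echo "$csr: not readable" >&2
    return 1
  fi
  # A CSR whose self-signature does not verify is corrupt or was edited
  # after Software Trust Manager produced it.
  if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
    echo "$csr: self-signature does not verify" >&2
    return 1
  fi
  text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || text=""
  case "$text" in
    *"Public Key Algorithm: rsaEncryption"*) ;;
    *) echo "$csr: public key is not RSA" >&2; return 1 ;;
  esac
  # OpenSSL 1.1 prints "RSA Public-Key: (2048 bit)", 3.x prints
  # "Public-Key: (2048 bit)"; the substring match covers both.
  case "$text" in
    *"Public-Key: (2048 bit)"*) ;;
    *) echo "$csr: key size is not 2048 bits" >&2; return 1 ;;
  esac
  echo "$csr: OK (RSA 2048, $(openssl req -in "$csr" -noout -subject 2>/dev/null))"
  return 0
}

# Stand-alone use: sh check_csr.sh apple.csr
if [ $# -ge 1 ]; then
  check_apple_csr "$1"
fi
```

Run it against the CSR downloaded from Software Trust Manager; a non-zero exit means Apple would reject the request, and the message on stderr says why.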
Get started
The Apple signing client signs with keypairs stored in DigiCert® Software Trust Manager. There are two ways to store your keypair in Software Trust Manager:
Create a new keypair in Software Trust Manager
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Create keypair.
Complete the following fields:
Field
Description
Keypair type
Select Static (the keypair remains the same) or Dynamic (the keypair changes every time you complete a signature). The Apple certificate procedure requires Static.
Keypair alias
Name to uniquely identify this keypair.
Team
Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.
Keypair profile
Select a keypair profile. If you have selected a team, you will only see keypair profiles allocated to that team.
Algorithm
Select RSA.
Key size
Select 2048.
Keypair category
Select Production.
Keypair storage
Select one of the following key storage methods:
SoftHSM
HSM
Disk
Keypair storage provides the following security levels:
Level 3
Key is stored in an HSM that meets CA/Browser Forum requirements: FIPS 140-2 Level 2, Common Criteria EAL4+, or an equivalent or higher certification. This storage is compatible with both publicly and privately trusted certificates.
Level 2
Key is stored in an HSM whose certification is lower than Level 3. This storage is only compatible with privately trusted certificates.
Level 1
Key is stored in an uncertified but secure SoftHSM. This storage is only compatible with privately trusted certificates.
Note
To use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.
Keypair status
Select Online to generate a keypair that can be used to sign at any time.
Select Offline to generate a keypair that can only be used to sign during a release window.
Access
Select Open to allow any user within your account access to the keypair.
Select Restricted to limit access to the keypair to specified users, user groups, or teams.
Allowed users
For Restricted keypairs, you can specify which users can use the keypair.
Allowed user groups
For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.
Generate certificate
Select this box to generate a keypair with a corresponding default certificate.
Tip
The certificate is required for CSR generation with keytool.
Click Create keypair.
Import keypair
You need the Import keypair permission to import a keypair.
To import a keypair:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Import keypair.
Select Upload PEM.
Request an Apple certificate
You must review the certificate types Apple supports and identify the certificate you need; see Apple's certificate types table.
Sign in to your Apple developer account.
Select Certificates, Identifiers & Profiles.
Review the certificate types Apple supports and identify the one you need.
Order the certificate from Apple using the CSR you generated above.
Download the Apple certificate.
Import the Apple certificate
Navigate to DigiCert® Software Trust Manager > Keypairs.
Select the keypair alias icon next to the keypair name, then select Import certificate.
Select the Make this Apple certificate the default certificate checkbox.
Upload the Apple certificate.
Sync the Apple certificate to macOS
Note
Select every keypair you need for future signing before you click Set selected keys. This operation resets the token: keys already on the token are overwritten and become unavailable.
Open the DigiCert® Software Trust Manager Apple client and use it to sync the certificate to macOS:
Select Fetch keypairs to retrieve all keypairs that have a valid certificate from DigiCert® Software Trust Manager.
Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to macOS.
Select one or more keypairs from the table.
Select Set selected keys to make the keys available in macOS through the token. Apple applications that support the DigiCert® Software Trust Manager Apple client can then use these keys.
Confirm that the keypairs were added to the token with either of the following commands:
List command:
security list-smartcards
Sample list response:
DigiCert.TokenExtension:SSM0123456789
Export command:
security export-smartcard
Sample export response:
==== private key #1 crtr : 0 esiz : 0 decr : 0 persistref : <> atag : "" kcls : 1 agrp : "com.apple.token" pdmn : "dk" bsiz : 2,048 type : 42 klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> edat : 2001-01-01 00:00:00 +0000 sign : 1 mdat : 2022-01-20 05:43:35 +0000 drve : 0 labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" sync : 0 musr : <> sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84> cdat : 2022-01-20 05:43:35 +0000 tkid : "DigiCert.TokenExtension:SSM0123456789" sdat : 2001-01-01 00:00:00 +0000 tomb : 0 priv : 1 accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } unwp : 0 ==== ==== private key #2 crtr : 0 esiz : 0 decr : 0 persistref : <> atag : "" kcls : 1 agrp : "com.apple.token" pdmn : "dk" bsiz : 2,048 type : 42 klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> edat : 2001-01-01 00:00:00 +0000 sign : 1 mdat : 2022-01-20 05:43:35 +0000 drve : 0 labl : "Apple Development: sagar.choudhari@digicert.com (NH6X97J5CU)" sync : 0 musr : <> sha1 : <b3 5b c2 8d c1 0c 7e c4 aa aa f8 e1 ce 2d 7e 25 94 2d 88 79> cdat : 2022-01-20 05:43:35 +0000 tkid : "DigiCert.TokenExtension:SSM0123456789" sdat : 2001-01-01 00:00:00 +0000 tomb : 0 priv : 1 accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } unwp : 0 ==== ==== identity #1 class : "idnt" slnr : <54 79 df 37 c1 24 fb 57> certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 
3f14cddd089f2e42} certtkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ctyp : 3 mdat : 2022-01-20 05:43:35 +0000 sdat : 2001-01-01 00:00:00 +0000 bsiz : 2,048 type : 42 sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb> pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> cdat : 2022-01-20 05:43:35 +0000 skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> tomb : 0 UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709" persistref : <> accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } sync : 0 tkid : "DigiCert.TokenExtension:SSM0123456789" pdmn : "dk" musr : <> subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53> sign : 1 esiz : 0 decr : 0 atag : "" edat : 2001-01-01 00:00:00 +0000 klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> crtr : 0 unwp : 0 issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 kcls : 1 agrp : "com.apple.token" labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC" drve : 0 ==== ==== identity #2 class : "idnt" slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05> certdata : <CFData 0x7f81ff81c800 
[0x7fff803712d0]>{length = 1501, capacity = 1501, bytes = 0x308205d9308204c1a003020102021064 ... 5583bcec59e83eaf} certtkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ctyp : 3 mdat : 2022-01-20 05:43:35 +0000 sdat : 2001-01-01 00:00:00 +0000 bsiz : 2,048 type : 42 sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab> pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> cdat : 2022-01-20 05:43:35 +0000 skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> tomb : 0 UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD" persistref : <> accc : constraints: { ock : "NONE", osgn : "NONE", ord : "NONE", od : "NONE" } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } sync : 0 tkid : "DigiCert.TokenExtension:SSM0123456789" pdmn : "dk" musr : <> subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53> sign : 1 esiz : 0 decr : 0 atag : "" edat : 2001-01-01 00:00:00 +0000 klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> crtr : 0 unwp : 0 issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 kcls : 1 agrp : "com.apple.token" labl : "apple_key" drve : 0 ==== ==== certificate #1 class : "cert" subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 
4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 ctyp : 3 pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> persistref : <> agrp : "com.apple.token" pdmn : "dk" labl : "apple_key" UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD" mdat : 2022-01-20 05:43:35 +0000 slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05> sync : 0 sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab> tkid : "DigiCert.TokenExtension:SSM0123456789" musr : <> cdat : 2022-01-20 05:43:35 +0000 tomb : 0 skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd> issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> accc : constraints: { ord : true } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" } ==== ==== certificate #2 class : "cert" subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53> cenc : 3 ctyp : 3 pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> 
persistref : <> agrp : "com.apple.token" pdmn : "dk" labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC" UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709" mdat : 2022-01-20 05:43:35 +0000 slnr : <54 79 df 37 c1 24 fb 57> sync : 0 sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb> tkid : "DigiCert.TokenExtension:SSM0123456789" musr : <> cdat : 2022-01-20 05:43:35 +0000 tomb : 0 skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a> issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53> accc : constraints: { ord : true } protection: { tkid : "DigiCert.TokenExtension:SSM0123456789" }
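The following is an added example, not part of DigiCert's documentation or client. It is a small shell helper that reads the output of security export-smartcard (piped in directly, or from the dump above saved to a file) and prints one line per identity on the token: the certificate's SHA-1 hash with the spaces removed, the token ID, and the label. The hash is the selector codesign -s and productsign --sign accept, and it pins the exact identity even when two certificates on the token share a label. The sample_export function is a constructed, shortened dump in the shape of the export shown above, included only so the helper can be exercised offline; the function names are mine.

```shell
#!/bin/sh
# Added example, not DigiCert's code: list signing identities from
# `security export-smartcard` output.

# Constructed sample in the shape of the export dump above (records delimited
# by "====", attributes as `name : value`), shortened to the fields that matter.
sample_export() {
  cat <<'EOF'
==== private key #1 crtr : 0 kcls : 1 agrp : "com.apple.token" bsiz : 2,048 sign : 1 labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)" sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84> tkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ====
==== identity #1 class : "idnt" slnr : <54 79 df 37 c1 24 fb 57> certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42} certtkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ctyp : 3 sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb> tkid : "DigiCert.TokenExtension:SSM0123456789" labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC" ====
==== identity #2 class : "idnt" slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05> certtkid : "DigiCert.TokenExtension:SSM0123456789" priv : 1 ctyp : 3 sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab> tkid : "DigiCert.TokenExtension:SSM0123456789" labl : "apple_key" ====
==== certificate #1 class : "cert" labl : "apple_key" sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab> tkid : "DigiCert.TokenExtension:SSM0123456789" ====
EOF
}

# Reads an export dump on stdin; prints "<SHA1> <token id> <label>" per identity.
token_identities() {
  # Join wrapped lines, then put every "====" delimited record on its own line
  # so that one awk record is one keychain item.
  tr '\n' ' ' | sed 's/====/\
/g' | awk '
    # Value of a `name : "..."` or `name : <...>` attribute in this record.
    function field(re,    s) {
      if (!match($0, re)) return "?"
      s = substr($0, RSTART, RLENGTH)
      sub(/^[a-z0-9]+ : ["<]/, "", s)
      sub(/[">]$/, "", s)
      return s
    }
    # Only identity items (certificate + private key) can sign; plain key
    # and certificate items are skipped.
    /class : "idnt"/ {
      hash = field("sha1 : <[^>]*>")
      gsub(/ /, "", hash)              # "1e 50 02 ..." -> "1e5002..."
      print toupper(hash), field("tkid : \"[^\"]*\""), field("labl : \"[^\"]*\"")
    }'
}

# Offline demonstration on the constructed sample.
# On the Mac itself: security export-smartcard | token_identities
sample_export | token_identities
```

The first column is what to pass to codesign -s; the token ID column lets you confirm the identity really comes from the Software Trust Manager token and not from a certificate that happens to be installed in a local keychain.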
Workaround for test keypairs and certificates
Note
Software Trust Manager does not allow the import of test certificates. The following workaround allows you to use test keypairs and certificates issued in Software Trust Manager.
Because these certificates are not issued by Apple, signing works with codesign but not with productsign.
To create a test certificate and add its certificate chain to the Apple keychain:
Create a Test keypair and default certificate in Software Trust Manager.
Download the intermediate CA (ICA) and root CA certificates for that certificate from CA Manager.
Double-click the root certificate to add it to the Apple keychain.
Double-click the ICA certificate to add it to the Apple keychain.
Open Keychain Access.
Double-click the certificate and set it to Trust so that the chain is trusted.
When using certificates not issued by Apple, follow the steps below before signing. The procedure uses the -legacy flag of OpenSSL 3.x to convert your DigiCert ONE client authentication certificate to cert.pem and then back into a PKCS#12 file that LibreSSL, and therefore the Apple keychain, can read. OpenSSL 3.x encrypts PKCS#12 files with AES-256-CBC and PBKDF2 by default, which the macOS keychain cannot import; -legacy falls back to the older RC2/3DES encryption. That encryption is weak by current standards, so treat newcert.pfx as sensitive, keep it off shared storage, and delete it together with the intermediate .pem and .key files once the import is done.
Confirm which OpenSSL version you are using:
openssl version
Note
If the output reports LibreSSL, continue with the steps below on a machine with OpenSSL 3.x installed.
Convert the certificate from .p12 to .pem (you are prompted for the .p12 import password and for a PEM pass phrase that protects the private key inside cert.pem):
openssl pkcs12 -in cert.p12 -out cert.pem
Create a new .crt file:
Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (both marker lines included).
Paste the contents into a plain text editor or IDE.
Save the file as certname.crt.
Create a new .key file:
Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY----- (both marker lines included).
Paste the contents into a plain text editor or IDE.
Save the file as encrypted.key.
Decrypt the encrypted .key file. You are prompted for the PEM pass phrase; the output is the private key in plaintext, so keep it on this machine only and delete it as soon as newcert.pfx has been created:
openssl rsa -in encrypted.key -out decryptedKey.key
Create the PKCS#12 file that Ventura and Sonoma can import: link the decrypted private key (decryptedKey.key) with its X.509 certificate (certname.crt) and export them as newcert.pfx:
openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
Set the path to newcert.pfx in the CTK environment variables.
Set the newcert.pfx password in the CTK environment variables.
Tip
You can now use the same codesign commands as with an Apple-issued certificate.