Apple certificate procedure

Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. You must store this certificate in DigiCert® Software Trust Manager along with your keypair, both for safekeeping and to allow Apple signing using Software Trust Manager. Software Trust Manager lets you sync the Apple certificate to your Apple OS for signing with our Apple signing workflows while your private key stays safely stored.

Store the keypair and certificate only in DigiCert® Software Trust Manager. Delete any local copies of the private key that exist outside DigiCert® Software Trust Manager.

Tip

The Apple certificate procedure expects the keypair to meet the following requirements:

  • Algorithm: RSA

  • Key size: 2048

  • Keypair category: Production

  • Keypair type: Static

However, we have provided a workaround for using test certificates; note that test certificates only allow you to sign with codesign.

Before you begin

  • Set up the DigiCert® Software Trust Manager Apple client from the DigiCert ONE platform. See Apple setup.

  • Create a keypair in Software Trust Manager or import a keypair into Software Trust Manager

  • Generate a CSR for the keypair stored in Software Trust Manager

  • Apple developer username and password

Get started

The Apple signing client signs with a keypair stored in DigiCert® Software Trust Manager. Below are the two options for storing your keypair in Software Trust Manager:

Create a new keypair in Software Trust Manager

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Create keypair.

  4. Complete the following fields:

    Field

    Description

    Keypair type

    Select Static (keypair will remain the same) or Dynamic (keypair will change every time you complete a signature).

    Keypair alias

    Name to uniquely identify this keypair.

    Team

    Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.

    Keypair profile

    Select a keypair profile. If you have selected a team, you will only see keypair profiles allocated to that team.

    Algorithm

    Select RSA.

    Key size

    Select 2048.

    Keypair category

    Select Production.

    Keypair storage

    Select one of the following key storage methods:

    • SoftHSM

    • HSM

    • Disk

    Keypair storage provides the following security levels:

    • Level 3

      Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, or an equivalent or higher standard, and is therefore compatible with publicly or privately trusted certificates.

    • Level 2

      Key is stored in an HSM whose certification is lower than Level 3. This storage is only compatible with privately trusted certificates.

    • Level 1

      Key is stored in an uncertified but secure SoftHSM. This storage is only compatible with privately trusted certificates.

    Note

    To use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.

    Keypair status

    Select Online to generate a keypair that can be used to sign at any time.

    Select Offline to generate a keypair that can only be used to sign during a release window.

    Access

    Select Open to allow any user within your account access to the keypair.

    Select Restricted to limit access to the keypair to specified users, user groups, or teams.

    Allowed users

    For Restricted keypairs, you can specify which users can use the keypair.

    Allowed user groups

    For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.

    Generate certificate

    Select this box to generate a keypair with a corresponding default certificate.

    Tip

    The certificate is required for CSR generation with keytool.

  5. Click Create keypair.

Import keypair

You require the Import keypair permission to import a certificate.

To import a keypair:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Import keypair.

  4. Select Upload PEM.

Request an Apple certificate

You must review the certificate types that Apple supports and identify the certificate you need. See the certificate type table.

  1. Sign in to your Apple developer account.

  2. Select Certificates, Identifiers & Profiles.

  3. Review the certificate types that Apple supports and identify the certificate you need.

  4. Order the certificate from Apple using the CSR you created above.

  5. Download the Apple certificate.

Import the Apple certificate

  1. Navigate to DigiCert® Software Trust Manager > Keypairs.

  2. Select the keypair alias icon next to the name. Select Import certificate.

  3. Select the Make this Apple certificate the default certificate checkbox.

  4. Upload the Apple certificate.

Sync the Apple certificate to Mac OS

Select all keypairs you will need for future signing before you click Set selected keys on the token. This operation resets the token: existing keys on the token are overwritten and become unavailable.

  1. Open the DigiCert® Software Trust Manager Apple client.

  2. Use the DigiCert® Software Trust Manager Apple client to sync the certificate to Mac OS.

    1. Select Fetch keypairs to retrieve all keypairs that have a valid certificate from DigiCert® Software Trust Manager.

    2. Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to MacOS.

    3. Select one or more keypairs from the table.

    4. Select Set selected keys to make the keys available in MacOS through the token. This lets Apple apps that support the DigiCert® Software Trust Manager Apple client consume the keys.

    5. Verify that the keypair was added to the token with one of the following commands:

      • List command: security list-smartcard

      • Sample list response: DigiCert.TokenExtension:SSM0123456789

      • Export command: security export-smartcard

      • Sample export response:

        ==== private key #1
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
             sync : 0
             musr : <>
             sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== private key #2
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Apple Development: sagar.choudhari@digicert.com (NH6X97J5CU)"
             sync : 0
             musr : <>
             sha1 : <b3 5b c2 8d c1 0c 7e c4 aa aa f8 e1 ce 2d 7e 25 94 2d 88 79>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== identity #1
             class : "idnt"
             slnr : <54 79 df 37 c1 24 fb 57>
             certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             tomb : 0
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             crtr : 0
             unwp : 0
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             drve : 0
        ====
        
        ==== identity #2
             class : "idnt"
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             certdata : <CFData 0x7f81ff81c800 [0x7fff803712d0]>{length = 1501, capacity = 1501, bytes = 0x308205d9308204c1a003020102021064 ... 5583bcec59e83eaf}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             tomb : 0
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             crtr : 0
             unwp : 0
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "apple_key"
             drve : 0
        ====
        
        ==== certificate #1
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "apple_key"
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             sync : 0
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
        ====
        
        ==== certificate #2
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <54 79 df 37 c1 24 fb 57>
             sync : 0
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
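Verification step 5 above leaves you reading the export by eye. As an added example that is not part of the original page, the shell function below parses `security export-smartcard` output (a constructed excerpt in the same record format, with placeholder labels and team IDs) and checks that every private key is in the com.apple.token access group and bound to the expected tkid, which is what shows the key is reachable only through the DigiCert token and has not been copied into a local keychain.

```shell
#!/bin/sh
# Added example (not from the original page): verify that the private keys
# reported by `security export-smartcard` live on the DigiCert virtual token.
# Real use:  security export-smartcard | check_token_keys "DigiCert.TokenExtension:SSM0123456789"

# Constructed excerpt in the record format of the sample response above
# (labels and team IDs are placeholders, not real identities).
SAMPLE_EXPORT='==== private key #1
     kcls : 1
     agrp : "com.apple.token"
     labl : "Developer ID Installer: Example Corp (TEAMID0000)"
     tkid : "DigiCert.TokenExtension:SSM0123456789"
====
==== private key #2
     kcls : 1
     agrp : "com.apple.token"
     labl : "Apple Development: dev@example.com (TEAMID0000)"
     tkid : "DigiCert.TokenExtension:SSM0123456789"
====
==== certificate #1
     class : "cert"
     labl : "apple_key"
     tkid : "DigiCert.TokenExtension:SSM0123456789"
===='

# Reads export output on stdin and prints one line per private key:
#   OK|MISMATCH <tab> <label> <tab> <tkid>
# Returns 0 only when every private key is in the com.apple.token access
# group (token-resident, not a keychain copy) and bound to the expected tkid.
check_token_keys() {
    awk -v want="$1" '
        /^[ \t]*==== private key/ { inkey = 1; agrp = ""; labl = ""; tkid = ""; next }
        /^[ \t]*====/ && inkey {
            ok = (agrp == "com.apple.token" && tkid == want)
            printf "%s\t%s\t%s\n", (ok ? "OK" : "MISMATCH"), labl, tkid
            if (!ok) bad++
            inkey = 0; next
        }
        inkey {
            # attribute lines look like:  agrp : "com.apple.token"
            key = $1; val = $0
            sub(/^[^:]*: */, "", val); gsub(/"/, "", val)
            if (key == "agrp") agrp = val
            if (key == "labl") labl = val
            if (key == "tkid") tkid = val
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Demo on the constructed excerpt; pipe in a real export in practice.
printf '%s\n' "$SAMPLE_EXPORT" | check_token_keys "DigiCert.TokenExtension:SSM0123456789"
```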

Workaround for test keypairs and certificates

Note

Software Trust Manager does not allow the import of test certificates. The following workaround allows you to use test keypairs and certificates issued in Software Trust Manager.

Because these certificates are not issued by Apple, signing works with codesign but not with productsign.

To create a test certificate and add the hierarchy of the certificate to the Apple Keychain:

  1. Create a Test keypair and default certificate in Software Trust Manager.

  2. Download the ICA and CA of the certificate from CA Manager.

  3. Double click on the Root certificate to add it to the Apple keychain.

  4. Double click on the ICA certificate to add it to the Apple keychain.

  5. Open Keychain Access.

  6. Double click on the certificate and select Trust so the certificate is Trusted.

When using certificates not issued by Apple, follow the steps below before signing. The following procedure shows how to use the OpenSSL -legacy flag, available in OpenSSL 3.x, to convert your DigiCert ONE client authentication certificate to cert.pem and then to a PKCS#12 file that LibreSSL can read and that is therefore compatible with Apple Keychain.

  1. Confirm which OpenSSL version you're using:

    openssl version

    Note

    If the output is LibreSSL, continue with the steps below on a machine with OpenSSL 3.x installed.

  2. Convert the certificate from .p12 to .pem:

    openssl pkcs12 -in cert.p12 -out cert.pem
  3. Create a new .crt file:

    1. Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as certname.crt.

  4. Create a new .key:

    1. Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as encrypted.key.

  5. Decrypt the encrypted .key file:

    openssl rsa -in encrypted.key -out decryptedKey.key
  6. Run the following command to create a certificate file compatible with Ventura and Sonoma OS:

    1. Link the decrypted private key (decryptedKey.key) and its associated X.509 certificate (certname.crt), and export them as a PKCS#12 file (newcert.pfx):

      openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
    2. Save newcert.pfx in the environment variables of the CTK.

    3. Save newcert.pfx password in the environment variables of the CTK.
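Steps 2 to 6 above as one script, added here as an example and not part of the original page: the BEGIN/END blocks are extracted with awk instead of a text editor, the OpenSSL version is checked first because LibreSSL has no -legacy flag, and the page's own file names are kept. The embedded PEM is constructed to show the layout only and contains no real key.

```shell
#!/bin/sh
# Added example (not from the original page): automates the manual conversion
# steps above. Assumes OpenSSL 3.x on PATH and the file names used on the page.
set -e

# Constructed stand-in for cert.pem, in the layout `openssl pkcs12` writes
# (Bag Attributes, certificate block, encrypted key block). Not a real key.
SAMPLE_PEM='Bag Attributes
    friendlyName: example
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIE...constructed...
-----END ENCRYPTED PRIVATE KEY-----'

# Prints the first PEM block of the given type from stdin, including its
# BEGIN/END lines; replaces copying the block by hand into a text editor.
extract_pem_block() {
    awk -v begin="-----BEGIN $1-----" -v end="-----END $1-----" '
        $0 == begin { found = 1 }
        found       { print }
        $0 == end && found { exit }
    '
}

# Returns 0 only when `openssl version` reports OpenSSL 3.x (LibreSSL lacks -legacy).
require_openssl3() {
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3."*) return 0 ;;
        *) echo "OpenSSL 3.x required; found: $(openssl version 2>/dev/null)" >&2; return 1 ;;
    esac
}

# Steps 2 to 6 of the procedure, end to end, in the current directory.
convert_for_keychain() {
    require_openssl3
    openssl pkcs12 -in cert.p12 -out cert.pem                             # step 2
    extract_pem_block CERTIFICATE < cert.pem > certname.crt                # step 3
    extract_pem_block "ENCRYPTED PRIVATE KEY" < cert.pem > encrypted.key   # step 4
    openssl rsa -in encrypted.key -out decryptedKey.key                    # step 5
    openssl pkcs12 -inkey decryptedKey.key -in certname.crt \
        -export -legacy -out newcert.pfx                                   # step 6
    # Added hygiene: the plaintext key is only needed to build newcert.pfx.
    rm -f decryptedKey.key
}

if [ "${1:-}" = "run" ]; then
    convert_for_keychain        # sh convert.sh run  (with cert.p12 present)
else
    # Demo of the block extraction on the constructed sample.
    printf '%s\n' "$SAMPLE_PEM" | extract_pem_block CERTIFICATE
fi
```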

Tip

You can now use the same codesign commands as with an Apple-issued certificate.