Sign Apple binaries with productsign and codesign using CryptoTokenKit
DigiCert® Software Trust Manager CryptoTokenKit (CTK) keeps your keys in DigiCert® Software Trust Manager while you sign; the private key never leaves the service. The CTK integrates with codesign and productsign (the signing tools shipped with macOS) while maintaining key protection, permission-based access, and reporting of all signing activity.
Follow these instructions to sign Apple binaries directly with productsign and codesign while your keys are stored in Software Trust Manager. Alternatively, follow the simplified signing workflow in Sign with SMCTL and CryptoTokenKit.
How does SMCTL simplify signing?
Below are the differences in sign commands:
SMCTL | codesign and productsign |
---|---|
Provide the Software Trust Manager keypair alias associated with your Apple certificate. Keypair alias example: | Provide the ID associated with your Apple certificate. Apple ID example: |
Your keys are automatically added to the token when you sign. | You have to add a new token manually and add the keys you want to sign with. |
Prerequisites
macOS
Apple Developer ID Application certificate (for codesign)
Apple Developer ID Installer certificate (for productsign)
Compatibility
Apple signing is compatible with:
CPU | Operating system |
---|---|
M1 | Monterey |
Intel | Big Sur, Catalina, Mojave, Monterey |
Apple certificates
The following Apple certificates are required to sign these file types with codesign and productsign.
Apple certificate | Signing tool | Files |
---|---|---|
Developer ID Application | codesign | .app, .dmg |
Developer ID Installer | productsign | .pkg |
Identify your Apple ID
The Apple ID associated with your Apple certificate is required in sign commands.
To identify your Apple ID, run the following command in the CryptoTokenKit CLI:
security export-smartcard
Tip
In the output locate the following information:
The Developer ID Application required for codesign commands can be found in:
labl : "Developer ID Application: Example, Inc (DHPK3B67QS)"
The Developer ID Installer required for productsign commands can be found in:
labl : "Developer ID Installer: Example, Inc (ZDPK4W45RP)"
Sign with codesign and productsign
Use these two commands to sign all types of supported or recognized Apple binaries.
codesign
To sign using codesign:
codesign --sign "<Developer ID Application>" "<Path to .app or .dmg file>"
Note
Useful parameters for codesign:
Shortcut | Parameter | Description |
---|---|---|
 | --entitlements | Take the file at the given path and embed its contents in the signature as entitlement data. |
 | --deep | Sign nested code content such as helpers, frameworks, and plug-ins. |
-f | --force | Replace any existing signature if the file is already signed. Without this parameter, signing fails if the file is already signed. |
-v | --verify | Verify the signature. This parameter acts as --verbose. |
-v | --verbose | Sets (with a numeric value) or increments the verbosity level of output. Without the verbose parameter, no output is produced on success. If no other options request a different action, the first -v encountered is interpreted as --verify instead (and does not increase verbosity). |
-o | --options | Specify a set of option flags to be embedded in the code signature. Example: |
productsign
To sign using productsign:
productsign --sign "<Developer ID Installer>" "<Path to .pkg file>" "<Path to store signed file>"
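The identity lookup from "Identify your Apple ID" and the two sign commands above, combined into one script. This is an added example, not DigiCert's own tooling: it assumes a macOS host with the CTK token attached, the sample `security export-smartcard` output embedded below is constructed to match the `labl` lines shown on this page, and the `--timestamp`, `--options runtime` and `--strict` flags passed to codesign are choices made here rather than settings the page prescribes.

```shell
#!/bin/sh
# Added example (not part of the DigiCert documentation): pick the Developer ID
# identity out of `security export-smartcard` output and drive codesign /
# productsign with it, verifying the result before the artefact ships.

# Constructed sample of the token listing, shaped like the `labl` lines on
# this page. The real listing carries many more attributes; only `labl` matters.
SAMPLE_EXPORT='labl : "Developer ID Application: Example, Inc (DHPK3B67QS)"
labl : "Developer ID Installer: Example, Inc (ZDPK4W45RP)"'

# find_identity <Application|Installer>
# Reads a token listing on stdin and prints the first matching identity label,
# e.g. "Developer ID Application: Example, Inc (DHPK3B67QS)".
# Tolerates both `labl : "..."` and `"labl"<blob>="..."` layouts.
# Exit status 1 when the token exposes no certificate of that kind.
find_identity() {
    kind=$1
    sed -n "s/.*labl.*\"\(Developer ID $kind: [^\"]*\)\".*/\1/p" \
        | head -n 1 | grep .
}

# sign_app <path-to-.app-or-.dmg>
# Signs with the Developer ID Application identity found on the CTK token,
# then verifies strictly so a signature that does not cover the current
# contents is caught here rather than by the end user. macOS only.
sign_app() {
    target=$1
    [ -e "$target" ] || { echo "no such file: $target" >&2; return 1; }
    identity=$(security export-smartcard | find_identity Application) || {
        echo "no Developer ID Application certificate on the token" >&2
        return 1
    }
    # --force replaces an existing signature; --timestamp and --options runtime
    # are this example's defaults (secure timestamp, hardened runtime), not
    # requirements stated on the page.
    codesign --sign "$identity" --force --timestamp --options runtime \
        --verbose=2 "$target" || return 1
    codesign --verify --strict --verbose=2 "$target"
}

# sign_pkg <unsigned.pkg> <signed.pkg>
# Signs an installer package with the Developer ID Installer identity and
# checks the resulting package signature. macOS only.
sign_pkg() {
    in_pkg=$1
    out_pkg=$2
    [ -e "$in_pkg" ] || { echo "no such file: $in_pkg" >&2; return 1; }
    identity=$(security export-smartcard | find_identity Installer) || {
        echo "no Developer ID Installer certificate on the token" >&2
        return 1
    }
    productsign --sign "$identity" "$in_pkg" "$out_pkg" || return 1
    pkgutil --check-signature "$out_pkg"
}

# Usage (macOS): sh ctk-sign.sh app /path/to/My.app
#                sh ctk-sign.sh pkg /path/to/in.pkg /path/to/out.pkg
# With no arguments the script only defines the functions above.
case "${1:-}" in
    app) sign_app "$2" ;;
    pkg) sign_pkg "$2" "$3" ;;
esac
```

Only `find_identity` runs on any POSIX shell; `sign_app` and `sign_pkg` need codesign, productsign, pkgutil and the attached token, so they run on macOS alone. The verification step after each signing call is the part worth keeping in a build pipeline: it fails the job when the token handed back an identity that does not match the certificate you expected, or when the signed bundle was modified after signing.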
TokenExtension not connected
The pluginkit command should show the Secure Software Manager TokenExtension driver after starting the Digicert SSM Signing Clients.app. If it does not:
Delete the Digicert SSM Signing Clients.app.
Reinstall Digicert SSM Signing Clients.app.
Restart macOS and retry the pluginkit command.
Remove the TokenExtension driver manually using:
pluginkit -r "/Applications/Digicert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx"
Logs are written with the Apple logging framework.
To check the logs for DigiCert SSM Signing Clients:
log stream | grep "Digicert SSM Signing Clients"
To check the logs of the token:
log stream | grep TokenExtension
Run the man commands for more details about codesign and productsign.
To see more details about codesign, run:
man codesign
To see more details about productsign, run:
man productsign
Make sure the host, API key, client certificate password, and proxy settings are correct. Check the logs for error messages returned by the server.