Sign Apple binaries with productsign and codesign using CryptoTokenKit

DigiCert® Software Trust Manager CryptoTokenKit (CTK) stores your keys remotely in DigiCert® Software Trust Manager when you sign. The CTK integrates with codesign and productsign (signing tools provided as part of the MacOS) while maintaining key protection, permission-based access and reporting all signing activities.

Follow these instructions to sign Apple binaries directly with productsign and codesign while your keys are stored in Software Trust Manager. Alternatively, follow the simplified signing workflow in Sign with SMCTL and CryptoTokenKit.

How does SMCTL simplify signing?

Below are the differences in sign commands:

SMCTL	codesign and productsign
Provide the Software Trust Managerkeypair alias associated with your Apple certificate. Keypair alias example: `Applesign`	Provide the ID associated with your Apple certificate. Apple ID example: `DHPK4B64QS`
Your keys are automatically added to the token when you sign.	You manually have to add a new token and add the keys you want to sign with.

SMCTL

codesign and productsign

Provide the Software Trust Managerkeypair alias associated with your Apple certificate.

Keypair alias example: Applesign

Provide the ID associated with your Apple certificate.

Apple ID example: DHPK4B64QS

Your keys are automatically added to the token when you sign.

You manually have to add a new token and add the keys you want to sign with.

Prerequisites

macOS
DigiCert® Software Trust Manager CryptoTokenKit
Apple Developer ID Application certificate (for codesign)
Apple Developer ID Installer certificate (for productsign)

Compatibility

Apple signing is compatible with:

CPU	Operating system
M1	Monterey
Intel	Big Sur
	Catalina
	Mojave
	Monterey

Apple certificates

The following Apple certificates are required to sign these files with codesign and productsign.

Apple certificate	Signing tool	Files
Developer ID Application	codesign	.app
Developer ID Application	codesign	.dmg
Developer ID Installer	productsign	.pkg

Identify your Apple ID

The Apple ID associated with your Apple certificate is required in sign commands.

To identify your Apple ID, run the following command in the CryptoTokenKit CLI:

security export-smartcard

Tip

In the output locate the following information:

The Developer ID Application required for codesign commands can be found in:

labl : "Developer ID Application: Example, Inc (DHPK3B67QS)"

The Developer ID Installer required for codesign commands can be found in:

labl : "Developer ID Installer: Example, Inc (ZDPK4W45RP)"

Sign with codesign and productsign

Use these two commands to sign all types of supported or recognized Apple binaries.

codesign

To sign using codesign:

codesign --sign "<Developer ID Application>" "<Path to .app or .dmg file>"

Note

Useful parameters for codesign:

Shortcut	Parameter	Description
	--entitlements	Take the file at the given path and embed its contents in the signature as entitlement data.
	--deep	Sign nested code content such as helpers, frameworks, and plug-ins.
-f	--force	Replace any existing signature if the file is already signed. Without this parameter, signing will fail if the file is already signed.
-v	--verify	Verify signature. This parameter acts as --verbose.
-v	--verbose	Sets (with a numeric value) or increments the verbosity level of output. Without the verbose parameter, no output is produced upon success. If no other options request a different action, the first -v encountered will be interpreted as --verify instead (and does not increase verbosity).
-o	--options	Specify a set of option flags to be embedded in the code signature. Example: `--options runtime`

productsign

To sign using productsign:

productsign -–sign “<Developer ID Installer>” <Path to .pkg file> <Path to store signed file>

TokenExtension not connected

The pluginkit command should show the Secure Software Manager TokenExtension driver after starting the Digicert SSM Signing Clients.app. If it does not:

Delete the Digicert SSM Signing Clients.app.
1. Reinstall Digicert SSM Signing Clients.app.
2. Restart your MacOS and retry the pluginkit command .

Remove the TokenExtension driver manually using:

pluginkit -r “/Applications/Digicert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx”

Logs are written with Apple logging framework.
1. To check the logs for DigiCert SSM Signing Clients:
```
log stream | grep Digicert SSM Signing Clients
```
2. To check the logs of the token:
```
log stream | grep TokenExtension
```
Run man commands for more details about codesign and productsign.
1. To see more details about codesign, run:
```
man codesign
```
2. To see more details about productsign, run:
```
man productsign
```
Make sure the Host, API key, client certificate password, and proxy settings are correct. Look for logs to check for error messages received from server.