
Sign Apple binaries with productsign and codesign using CryptoTokenKit

DigiCert® Software Trust Manager CryptoTokenKit (CTK) keeps your signing keys in DigiCert® Software Trust Manager and uses them remotely when you sign. The CTK integrates with codesign and productsign (the signing tools shipped with macOS) while keeping the keys protected, enforcing permission-based access, and reporting all signing activity.

Follow these instructions to sign Apple binaries directly with productsign and codesign while your keys are stored in Software Trust Manager. Alternatively, follow the simplified signing workflow in Sign with SMCTL and CryptoTokenKit.

How does SMCTL simplify signing?

The sign commands differ as follows:

  SMCTL

    1. Provide the Software Trust Manager keypair alias associated with your Apple certificate (keypair alias example: Applesign).

    2. Your keys are automatically added to the token when you sign.

  codesign and productsign

    1. Provide the ID associated with your Apple certificate (Apple ID example: DHPK4B64QS).

    2. You have to add a new token manually and then add the keys you want to sign with.

Prerequisites

Compatibility

Apple signing is compatible with:

  CPU      Operating system
  M1       Monterey
  Intel    Big Sur, Catalina, Mojave, Monterey

Apple certificates

The following Apple certificates are required to sign these files with codesign and productsign.

  Apple certificate           Signing tool    Files
  Developer ID Application    codesign        .app, .dmg
  Developer ID Installer      productsign     .pkg

Identify your Apple ID

The Apple ID associated with your Apple certificate is required in sign commands.

To identify your Apple ID, run the following command in the CryptoTokenKit CLI:

security export-smartcard

Tip

In the output, locate the following lines:

The Developer ID Application identity required for codesign commands is in the line:

labl : "Developer ID Application: Example, Inc (DHPK3B67QS)"

The Developer ID Installer identity required for productsign commands is in the line:

labl : "Developer ID Installer: Example, Inc (ZDPK4W45RP)"

Sign with codesign and productsign

Use the following two commands to sign the supported Apple binary types listed above.

codesign

To sign using codesign:

codesign --sign "<Developer ID Application>" "<Path to .app or .dmg file>"

Note

Useful parameters for codesign:

  Shortcut  Parameter        Description
            --entitlements   Take the file at the given path and embed its contents in the signature as entitlement data.
            --deep           Sign nested code content such as helpers, frameworks, and plug-ins.
  -f        --force          Replace any existing signature if the file is already signed. Without this parameter, signing fails if the file is already signed.
  -v        --verify         Verify the signature. -v is also the shortcut for --verbose; the first -v is read as --verify unless another action is requested (see --verbose).
  -v        --verbose        Sets (with a numeric value) or increments the verbosity level of the output. Without this parameter, no output is produced on success. If no other option requests a different action, the first -v encountered is interpreted as --verify instead (and does not increase verbosity).
  -o        --options        Specify a set of option flags to be embedded in the code signature. Example: --options runtime

productsign

To sign using productsign:

productsign --sign "<Developer ID Installer>" "<Path to .pkg file>" "<Path to store signed file>"
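The identity lookup from the Tip above and the codesign and productsign commands, combined into one script so the signing identity is read from the token rather than typed by hand. This is an added example, not DigiCert's code. It assumes the `labl :` lines look like those shown in the Tip, that codesign and productsign accept the full label as the --sign identity, and it adds --timestamp, --verify and pkgutil --check-signature, which the page itself does not mention.

```shell
#!/bin/sh
# Added example (not DigiCert's code): pick the signing identity out of
# `security export-smartcard` output, then sign and verify.

# Constructed sample of the relevant lines from `security export-smartcard`.
SAMPLE_EXPORT='labl : "Developer ID Application: Example, Inc (DHPK3B67QS)"
labl : "Developer ID Installer: Example, Inc (ZDPK4W45RP)"'

# extract_identity <Application|Installer> <export output>
# Prints the full label, e.g. 'Developer ID Application: Example, Inc (DHPK3B67QS)',
# or nothing if no matching certificate is on the token.
extract_identity() {
    printf '%s\n' "$2" | sed -n "s/^labl : \"\(Developer ID $1: [^\"]*\)\"$/\1/p" | head -n 1
}

# team_id <identity label>: the parenthesised Team ID, e.g. DHPK3B67QS
team_id() {
    printf '%s\n' "$1" | sed -n 's/.*(\([A-Z0-9]*\))$/\1/p'
}

# sign_app <path to .app or .dmg>: sign with the hardened runtime and a
# timestamp, then verify so a failed remote-key operation is caught at once.
sign_app() {
    identity=$(extract_identity Application "$(security export-smartcard)") || return 1
    [ -n "$identity" ] || { echo "no Developer ID Application identity on the token" >&2; return 1; }
    codesign --sign "$identity" --force --options runtime --timestamp "$1" || return 1
    codesign --verify --verbose=2 "$1"
}

# sign_pkg <unsigned .pkg> <output signed .pkg>
sign_pkg() {
    identity=$(extract_identity Installer "$(security export-smartcard)") || return 1
    [ -n "$identity" ] || { echo "no Developer ID Installer identity on the token" >&2; return 1; }
    productsign --sign "$identity" "$1" "$2" || return 1
    pkgutil --check-signature "$2"
}
```

Call `sign_app MyApp.app` or `sign_pkg MyApp.pkg MyApp-signed.pkg` from a shell that has the CTK token connected; both return non-zero if the identity is missing or verification fails.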

TokenExtension not connected

The pluginkit command should list the Secure Software Manager TokenExtension driver after you start Digicert SSM Signing Clients.app. If it does not:

  1. Delete Digicert SSM Signing Clients.app.

    1. Reinstall Digicert SSM Signing Clients.app.

    2. Restart macOS and retry the pluginkit command.

  2. Remove the TokenExtension driver manually using:

    pluginkit -r "/Applications/Digicert SSM Signing Clients.app/Contents/PlugIns/TokenExtension.appx"

  3. Logs are written with the Apple unified logging framework.

    1. To check the logs for DigiCert SSM Signing Clients:

      log stream | grep "Digicert SSM Signing Clients"

    2. To check the logs of the token:

      log stream | grep TokenExtension

  4. Run the man commands for more details about codesign and productsign.

    1. To see more details about codesign, run:

      man codesign

    2. To see more details about productsign, run:

      man productsign

  5. Make sure the Host, API key, client certificate password, and proxy settings are correct. Check the logs for error messages returned by the server.