Here are a few steps which may be helpful. Not tested on 10.8, but post 10.5 Mac OS X adds the ability to digitally sign executable code. I wanted to do that with one of our Mac OS X applications, a Jenkins plugin for example.

The Apple developer tool used to sign an application is the codesign command line utility. In order to sign an application with it, you need a code signing certificate <http://en.wikipedia.org/wiki/Public_key_certificate> from a certificate authority <http://en.wikipedia.org/wiki/Certificate_authority> trusted by the system. For example, in this case it is the Thawte Code Signing CA <https://www.thawte.com/ssl-digital-certificates/code-signing/>, and they are in Mac OS X's list of trusted CAs.

codesign expects the certificate and associated private key in your keychain. The way to get them in there is by packaging them up in a PKCS#12 <http://en.wikipedia.org/wiki/PKCS12> container file which Keychain can import. I'll use the Swiss Army Knife of cryptography, the openssl <http://www.openssl.org/> command line tool, to do the conversion.

    $ openssl rsa -text < jenkinsci-codesign.privkey.rsa.pem
    Enter pass phrase:
    Private-Key: (2048 bit)
    ... fancy prime number ...

I didn't have to convert the certificate for Java the last time because the Java tools can import Microsoft .spc (Software Publisher Certificate) files directly. .spc files are PKCS#7 containers, so I can take a look at it with openssl's pkcs7 command:

    $ openssl pkcs7 -inform der -text -print_certs < jenkinsci-codesign.spc

You could check if the certificate is still within its validity period and if the X.509 extensions for code signing are present:

    Subject: C=CH, ST=ZH, L=XXXXXX, O=jenkinsciLAB AG, OU=ENGINEERING, CN=jwnkinsci AG
    Issuer: C=ZA, O=Thawte Consulting (Pty) Ltd., CN=Thawte Code Signing CA
    Validity
        Not Before: Nov 14 00:00:00 2012 GMT
        Not After : Nov 25 23:59:59 2013 GMT
    ...
    X509v3 extensions:
        X509v3 Extended Key Usage:
            Code Signing, Microsoft Commercial Code Signing
        Netscape Cert Type:
            Object Signing

In our case there are several certificates in the .spc file because it's a "certificate chain" which includes the certificates of the intermediate subjects in the trust hierarchy. The one whose Subject: refers to our organization is the actual code signing certificate we are going to use.

Now that I know that the certificate is valid, I can convert the entire certificate chain to a text file with a series of X.509 PEM format certificates:

    $ openssl pkcs7 -inform der -print_certs < jenkinsci-codesign.spc > jenkinsci-codesign.cert.pem

With the private key and certificate data converted I can merge them into the PKCS#12 container:

    $ openssl pkcs12 -export -inkey jenkinsci-codesign.privkey.rsa.pem \
          -in jenkinsci-codesign.cert.pem \
          -out jenkinsci-codesign.p12
    Enter pass phrase for jenkinsci-codesign.privkey.rsa.pem:
    Enter Export Password:
    Verifying - Enter Export Password:

The "pass phrase" is what protects the contents of the RSA key input file; enter what you used when you created that file. The "Export Password" is something which you can choose freely here; it protects the private key in the PKCS#12 container.

Double-clicking the resulting .p12 file opens it in Keychain, which will prompt for the export password used in the previous step. And again, it should have the code sign extension flags set.

Signing the application with codesign is straightforward:

    $ codesign -s 'jenkinsciLAB AG' jenkins-plugin.app

Verifying the signature:

    $ codesign --verify --verbose jenkins-plugin.app
    Uploader.app: valid on disk

I had written an AppleScript to automate this but cannot find it now. Would be more than happy to help if required.

Pratik

On Fri, Jul 20, 2012 at 12:12 AM, Kohsuke Kawaguchi <[email protected]> wrote:
>
> I wonder if there's anyone in the community who knows how to do code
> signing on Mac OS?
>
> stisti told me that we need to start signing binaries or else the
> installation experience with OS X 10.8 Mountain Lion would suffer badly,
> and so we'd like to start signing it, but none of us quite know how to do
> it.
>
> --
> Kohsuke Kawaguchi http://kohsuke.org/
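As an added example (not part of the message above or of the Jenkins project), the following shell script wraps the openssl half of the procedure in reusable functions and adds the checks worth making before a certificate is used for signing: that it still has some validity left and that it carries the Code Signing extended key usage. It assumes openssl 1.1.1 or newer on PATH; codesign only exists on Mac OS X, so the signing step itself is left to the caller, and every file name and password in it is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original message or the Jenkins project.
# Wraps the openssl steps of the procedure in functions and adds the
# certificate checks a signer should make first. Assumes openssl 1.1.1+.
# codesign only exists on Mac OS X, so signing is left to the caller.
set -u

# check_codesigning_cert CERT.pem [MIN_SECONDS_LEFT]
# Succeeds only if the first certificate in the file (put the leaf first)
# still has at least MIN_SECONDS_LEFT (default 0) of validity and carries
# the Code Signing extended key usage. Only expiry is checked; a cert whose
# Not Before lies in the future still passes -checkend.
check_codesigning_cert() {
    cert="$1"
    min_left="${2:-0}"
    # -checkend N exits non-zero if the certificate expires within N seconds
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1 || return 1
    # The purpose list is printed on the line after the EKU header
    openssl x509 -in "$cert" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'Code Signing'
}

# spc_to_pem IN.spc OUT.pem
# The .spc is a DER PKCS#7 bundle; write its certificates out as a PEM chain.
spc_to_pem() {
    openssl pkcs7 -inform der -print_certs < "$1" > "$2"
}

# build_p12 KEY.pem CHAIN.pem OUT.p12 EXPORT_PASSWORD
# Merge the private key and the chain into the PKCS#12 file Keychain imports.
# The export password is taken as an argument only so the function can be
# scripted; interactively, let openssl prompt for it as in the message above.
build_p12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null
}

# verify_p12 FILE.p12 EXPORT_PASSWORD
# Succeeds if the container opens with that password and holds a private key
# (the key is re-encrypted with a throwaway password on output; only the
# presence of the PEM block is checked, the key material is discarded).
verify_p12() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -passout pass:unused 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Typical use with placeholder file names (not the message's real files):
#   spc_to_pem vendor.spc chain.pem
#   check_codesigning_cert chain.pem 2592000 || echo "cert unusable or expiring within 30 days"
#   build_p12 key.pem chain.pem signer.p12 "$EXPORT_PW"
#   verify_p12 signer.p12 "$EXPORT_PW"
```

The second argument to check_codesigning_cert is the useful part in an automated build: passing a margin such as 30 days flags a certificate that would still sign today but leave the next release unsigned, which is exactly the failure that shows up as a broken installation experience later.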
