Does Mac OS support any HSM integration for code signing?

Hi,

I want to know whether macOS supports any HSM integration, like Azure Key Vault, nCipher, Utimaco, etc. I am working with the codesign command line tool to do the signing. I am using a digital identity (certificate + private key) stored in the macOS keychain to sign. So is it possible to use a digital identity (certificate + private key) stored in an HSM for the signing process? If yes, please describe the process as well.

Replies

The codesign utility uses standard keychain APIs to access the digital identity it uses for signing, so it should be compatible with hardware tokens that integrate with the keychain (this presumes you have some way to load the Apple-issued certificate on to the hardware token).

If yes, please describe the process as well.

I don’t have any direct experience with this, alas. However, the usual setup for hardware tokens is that they appear as a keychain, so if your token is configured correctly, you shouldn’t need to do anything special on the codesign side of things. That is, you’d just pass a string that identifies the digital identity to codesign in the same way you currently do (see the Signing Identities section of the codesign man page).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

Thanks for your reply.


Regarding "(this presumes you have some way to load the Apple-issued certificate on to the hardware token)":

I do not know how to do that. All I know is that after successful verification of the SO (security officer) credential, it creates one hardware token. I used SoftHSM for development purposes, but I do not know of, and could not find, any documentation on how to add an Apple certificate (self-signed developer certificate) to the hardware token. If you know how to add an Apple certificate to an HSM token, please share.

And if I somehow manage to add the Apple certificate to the token and add that to the keychain, then how, using that token, will I get access to the private key and certificate in the HSM? Please provide an answer to this.

If I add one Apple certificate, I will be able to sign using that hardware token only for that identity. I think I cannot use that hardware token to sign code for other users' Apple certificates. Am I correct?

One more question: does Apple provide any cloud-based HSM service where I can do integration for development purposes?

I do not know how to do that.

I can’t help you with this. The mechanisms used to configure a token are going to be specific to each type of token. If you have questions about that, you’ll need to escalate those to the token’s vendor.

From Apple’s perspective, you need:

  1. A mechanism to generate a key pair on the token.

  2. A mechanism to export the public key as a certificate signing request (CSR).

  3. You can then upload that CSR to the developer web site and get back a certificate.

  4. You’ll then need a mechanism to import that certificate into your token in order to form a digital identity that you can use for code signing.

One more question: does Apple provide any cloud-based HSM service where I can do integration for development purposes?

No.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
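Added example, not from the thread and not Apple's or any token vendor's own tooling: the four steps above carried out end to end against a PKCS#11 token, using SoftHSM2 (which the asker is already using) as the token, OpenSC's pkcs11-tool for the token side and OpenSSL 3 with the pkcs11 provider for the CSR. The module path, token label, PINs, key label and CKA_ID, certificate file name and subject are all assumed values. The upload to the developer web site (step 3) stays a manual step. One caveat a practitioner should know before trying this on a Mac: the keychain does not load a bare PKCS#11 module by itself; the piece that makes a token show up as a keychain is the vendor's CryptoTokenKit extension, which is exactly the vendor-specific part the reply points to, so the last function only shows the Mac-side codesign invocation once that is in place.

```shell
#!/bin/sh
# Added example (not from the thread): Apple's four steps against a PKCS#11 token.
# Assumed tooling: softhsm2-util (SoftHSM2), pkcs11-tool (OpenSC), openssl 3 with
# the pkcs11 provider. All labels, PINs, IDs and paths below are hypothetical.
set -eu

MODULE="${PKCS11_MODULE:-/usr/lib/softhsm/libsofthsm2.so}"  # assumed path; differs per platform
TOKEN_LABEL="${TOKEN_LABEL:-devid}"
SO_PIN="${SO_PIN:-12345678}"   # demo values only; a real SO/user PIN never lives in a script
USER_PIN="${USER_PIN:-123456}"
KEY_LABEL="apple-codesign"
KEY_ID="01"                    # CKA_ID: key pair and certificate must share it to form an identity
CSR_OUT="${CSR_OUT:-apple-codesign.csr}"

# RFC 7512 PKCS#11 URI for an object on the token.
pkcs11_uri() {  # $1 token label, $2 object label, $3 type (private|public|cert)
    printf 'pkcs11:token=%s;object=%s;type=%s\n' "$1" "$2" "$3"
}

have_tools() {
    for t in softhsm2-util pkcs11-tool openssl; do
        command -v "$t" >/dev/null 2>&1 || return 1
    done
}

# Step 1: initialise a slot and generate the key pair ON the token.
# Apple's CSR upload expects RSA 2048 (what Keychain Access produces).
step_keypair() {
    softhsm2-util --init-token --free --label "$TOKEN_LABEL" --so-pin "$SO_PIN" --pin "$USER_PIN"
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" \
        --keypairgen --key-type rsa:2048 --id "$KEY_ID" --label "$KEY_LABEL"
    # Eyeball the private key's attributes: it should be sensitive and never extractable.
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" --list-objects --type privkey
}

# Step 2: export the public key as a CSR. The private key stays on the token;
# OpenSSL signs the request through the pkcs11 provider.
step_csr() {
    export PKCS11_PROVIDER_MODULE="$MODULE"   # assumed: how the pkcs11 provider finds the module
    openssl req -new -provider pkcs11 -provider default \
        -key "$(pkcs11_uri "$TOKEN_LABEL" "$KEY_LABEL" private)?pin-value=$USER_PIN" \
        -subj "/CN=Example Developer/emailAddress=dev@example.com" \
        -out "$CSR_OUT"
    openssl req -in "$CSR_OUT" -noout -verify   # self-check: CSR signature and key are consistent
}

# Step 4: import the certificate Apple returned (DER .cer) with the SAME CKA_ID
# as the key pair; a cert with a different ID is just a cert, not an identity.
step_import_cert() {  # $1 path to .cer from the developer site, $2 the CSR it was issued for
    [ -f "$1" ] || { echo "certificate file not found: $1" >&2; return 1; }
    # Refuse to import a certificate whose public key is not the one in our CSR.
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey)
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    [ "$cert_pub" = "$csr_pub" ] || { echo "certificate does not match the CSR's key" >&2; return 1; }
    pkcs11-tool --module "$MODULE" --login --pin "$USER_PIN" \
        --write-object "$1" --type cert --id "$KEY_ID" --label "$KEY_LABEL"
    pkcs11-tool --module "$MODULE" --list-objects --type cert
}

# Mac side, once the vendor's CryptoTokenKit extension exposes the token to the keychain:
# the identity is selected exactly as a keychain-resident one (name or SHA-1 hash).
sign_on_mac() {  # $1 identity string, $2 bundle or binary to sign
    security find-identity -v -p codesigning
    codesign --force --sign "$1" --timestamp --options runtime "$2"
    codesign --verify --strict --verbose=2 "$2"
}

main() {
    have_tools || { echo "need softhsm2-util, pkcs11-tool and openssl" >&2; return 1; }
    step_keypair
    step_csr
    echo "Step 3: upload $CSR_OUT at the developer web site, then: $0 import <file.cer>"
}

case "${1:-}" in
    run)    main ;;
    import) step_import_cert "${2:?path to .cer}" "$CSR_OUT" ;;
    *)      : ;;   # no arguments: only define the functions
esac
```

Run it as `sh hsm-codesign.sh run`, fetch the certificate from the developer web site, then `sh hsm-codesign.sh import developerID.cer`. The CSR-to-certificate public key comparison in step_import_cert is the check worth keeping whatever token you use: it catches the common mistake of importing a certificate issued for a different key, which leaves the token with a key and a certificate that never pair up into a signing identity.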