What are the technologies available to sign executable like .app file or .ipa file?

I want to use a self-signed certificate to sign macOS executables like .app or .ipa files for development purposes. I do not intend to publish the signed app in the iOS or Mac App Store. I wanted to develop this as a tool. So can you please suggest what options are available for this? I do not want to use "Xcode’s automatic code signing" as it is out of my development scope. So can anyone suggest what the available options are?

Accepted Reply

> So are you suggesting that `codesign` command line tools is the only way to do signing for mac application as of now?

Well, it’s that or Xcode. Personally I recommend that you use Xcode for this, but you’ve already ruled that out.

What other code signing mechanisms are you expecting?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

Xcode supports the concept of ‘sign to run locally’. The exact mechanism used to do this is not specified, and I wouldn’t be surprised if it changed in the future. If you’re using Xcode, you should use that facility. If not, my recommendation is that you create a dummy app in Xcode, set it up to sign that way, build it, and then look at the build transcript to see what it’s doing.

I did this here (using Xcode 11.1 on macOS 10.14.6) and it seems that it signs using an ad-hoc identity, that is, it passes `-` to the identity argument of `codesign` (see the `codesign` man page for more on this). But, as I said above, I wouldn’t be surprised if this changed at some point, so it’s probably best for you to walk through this process yourself so that you can keep up with any such changes.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
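The ad-hoc signing described in the reply above, as an added example that is not part of the original thread: it signs a bundle with the `-` identity, verifies the seal, and confirms from the `codesign --display` output that the signature is ad-hoc. It assumes macOS with `codesign` installed; the function names, the bundle path and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample of what `codesign --display --verbose=2` reports for an
# ad-hoc signed bundle; the path and identifier are placeholders.
SAMPLE_ADHOC='Executable=/tmp/Demo.app/Contents/MacOS/Demo
Identifier=com.example.Demo
CodeDirectory v=20100 size=512 flags=0x2(adhoc) hashes=8+3 location=embedded
Signature=adhoc
TeamIdentifier=not set'

# Classify captured `codesign --display` text.
# Prints one of: adhoc, identity, unsigned, unknown.
classify_signature() {
    text=$1
    case $text in
        *"Signature=adhoc"*)       echo adhoc ;;
        *"Authority="*)            echo identity ;;
        *"not signed at all"*)     echo unsigned ;;
        *)                         echo unknown ;;
    esac
}

# Ad-hoc sign a bundle, then check the result. Returns 0 only if the bundle
# verifies and its signature is reported as ad-hoc.
sign_adhoc() {
    bundle=$1
    # "-" as the identity requests an ad-hoc signature (codesign man page).
    codesign --force --sign - "$bundle" || return 1
    # Confirm the seal over the bundle contents is intact.
    codesign --verify --verbose "$bundle" || return 1
    # --display writes to stderr, so fold it into stdout for capture.
    info=$(codesign --display --verbose=2 "$bundle" 2>&1)
    [ "$(classify_signature "$info")" = adhoc ]
}

if [ $# -gt 0 ] && command -v codesign >/dev/null 2>&1; then
    if sign_adhoc "$1"; then
        echo "$1: ad-hoc signed and verified"
    else
        echo "$1: signing or verification failed" >&2
    fi
else
    # No bundle given (or no codesign): classify the constructed sample.
    echo "sample classifies as: $(classify_signature "$SAMPLE_ADHOC")"
fi
```

An ad-hoc signature names no signing identity, so a passing check shows that the bundle is sealed, not who sealed it.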

Hi,

Thanks for the reply. So are you suggesting that "codesign" command line tools is the only way to do signing for mac application as of now?

> So are you suggesting that `codesign` command line tools is the only way to do signing for mac application as of now?

Well, it’s that or Xcode. Personally I recommend that you use Xcode for this, but you’ve already ruled that out.

What other code signing mechanisms are you expecting?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,

In response to your "What other code signing mechanisms are you expecting?", I do not have any knowledge of other methods. But there is a lot of news going around about the new crypto framework "Apple CryptoKit." Does this framework do the same task as the codesign command does?

Hi,

I have created an app for macOS. My Xcode version is 11.0 and my macOS version is 10.15 (beta version). As you recommended ("If not, my recommendation is that you create a dummy app in Xcode, set it up to sign that way, build it, and then look at the build transcript to see what it’s doing."), I tried. The app built successfully. But I am not able to find the build transcript. Can you please tell me where to find the build transcript?

Hi,

Thanks eskimo for your reply.

"Personally I recommend that you use Xcode for this, but you’ve already ruled that out." Actually I do not have that option in my development requirement. Otherwise I would be happy to use that, as you said using Xcode is the best option. 🙂

> But there is lot of news going around new cryptoframework "Apple CryptoKit." Does this framework do the same task as codesign command do?

No. CryptoKit is a high-level API for cryptographic operations, encryption and decryption, signing and verification, key agreement, and so on. It’s unrelated to code signing (except insofar as the code signing machinery utilises various cryptographic as part of its implementation [1]).

> Can you please tell me where to find the build transcript?

You can view the build transcript in the Report navigation. See View and filter logs and reports.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] To be clear, the `codesign` tool is implemented in terms of Security framework APIs, not CryptoKit.

Thanks eskimo for helping.