





Welcome, readers! Securing your Mac applications starts with code signing. Code signing certificates act as digital signatures, providing authenticity and ensuring your software’s integrity.
If you want to facilitate your code signing process, you’ve come to the right place. Whether you’re a seasoned developer or just starting your journey, this tutorial is your ultimate solution.
In this guide, we walk through generating a key on a YubiKey, creating a certificate request, submitting it to Apple, loading the issued certificate onto your YubiKey, and using it for code signing.
Let us equip you with the knowledge and tools to enhance your Mac development experience.
We have a few prerequisites that you need to fulfill. These conditions will ensure you have all the tools and access to request, load, and utilize your certificates successfully.
You are ready to elevate your code signing game and confidently deliver Mac applications!
STEP 1: First, generate or import a key in slot 9a:
For Importing a Key:
yubico-piv-tool -s 9a -a import-key -i key.pem
For Generating a Key:
yubico-piv-tool -s 9a -a generate -o public.pem
STEP 2: Next, create a certificate request for app distribution (123456 is the YubiKey's factory-default PIV PIN; use your own PIN if you have changed it):
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
-S "/CN=Application/" -i public.pem -o application.csr
STEP 3: Similarly, for a key in slot 9c, follow these steps:
Code for Importing a Key:
yubico-piv-tool -s 9c -a import-key -i key.pem
Code for Generating a Key:
yubico-piv-tool -s 9c -a generate -o public.pem
STEP 4: Create a certificate request for installer distribution:
yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
-S "/CN=Installer/" -i public.pem -o installer.csr
STEP 5: After completing these steps, submit the certificate requests to the Apple developer program page.
STEP 6: After the certificates are ready and approved, proceed to download them.
STEP 7: Load the Certificates onto your YubiKey:
yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
QUICK NOTE: If your yubico-piv-tool version is earlier than 0.1.3, convert the certificates to PEM format before importing them.
To ensure that nothing is cached for the key, set a new CHUID in the application:
yubico-piv-tool -a set-chuid
STEP 8: Re-plug the YubiKey, then verify that the certificates appear under the keychain named “PIV_II” in Keychain Access.
STEP 9: Finally, you can use the certificates with codesign, pkgbuild, productbuild, or productsign to sign your applications and installers.
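A pre-import check for Steps 1 to 7, as an added example that is not part of the original guide: it uses openssl to confirm that a CSR or a downloaded certificate carries the public key of the slot it is meant for, and includes the DER-to-PEM conversion from the quick note. The function names and the per-slot file names public-9a.pem and public-9c.pem are assumptions (the guide writes both public keys to public.pem), and the keys and certificate in selftest are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# Each helper prints the public key of its input as PEM, or nothing on error.
spki_of_pub()  { openssl pkey -pubin -in "$1" -pubout 2>/dev/null; }
spki_of_csr()  { openssl req -in "$1" -noout -pubkey 2>/dev/null; }
spki_of_cert() { openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null; }

# same_key KIND FILE PUBKEY: succeed only if FILE (csr or cert) carries PUBKEY's key.
same_key() {
    got=$("spki_of_$1" "$2") || return 1
    want=$(spki_of_pub "$3") || return 1
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Convert a DER certificate to PEM, for tool versions that need PEM input.
der_to_pem() { openssl x509 -inform DER -in "$1" -outform PEM -out "$2"; }

# Constructed stand-ins: software RSA keys play the slot 9a and 9c keys, and a
# self-signed certificate plays the one downloaded from Apple.
selftest() {
    d=$(mktemp -d) || return 1
    for s in 9a 9c; do
        openssl genrsa -out "$d/$s.key" 2048 2>/dev/null &&
        openssl pkey -in "$d/$s.key" -pubout -out "$d/public-$s.pem" || return 1
    done
    openssl req -new -key "$d/9a.key" -subj "/CN=Application/" \
        -out "$d/application.csr" &&
    openssl req -new -x509 -key "$d/9a.key" -subj "/CN=Application/" -days 1 \
        -outform DER -out "$d/mac_app.cer" || return 1
    same_key csr  "$d/application.csr" "$d/public-9a.pem" &&
    same_key cert "$d/mac_app.cer"     "$d/public-9a.pem" &&
    ! same_key cert "$d/mac_app.cer"   "$d/public-9c.pem" &&
    der_to_pem "$d/mac_app.cer" "$d/mac_app.pem" &&
    grep -q "BEGIN CERTIFICATE" "$d/mac_app.pem"
    rc=$?; rm -rf "$d"; return $rc
}

# Real use, assuming one public key file was kept per slot:
#   same_key cert mac_app.cer public-9a.pem &&
#     yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
```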
Now, you can ensure your Apple Developer Program membership is active on your YubiKey device. Get ready to elevate your code signing game and confidently deliver exceptional Mac applications!