How to Use YubiKey for Mac Code Signing?

YubiKey for Mac Code Signing

Welcome readers! Securing your Mac applications matters. Code signing certificates act as digital signatures: they prove who published the software and let macOS verify that it has not been tampered with.

If you want to streamline your code signing process, you’ve come to the right place. Whether you’re a seasoned developer or just starting out, this tutorial walks you through it.

In this guide, we walk you through the step-by-step process of generating a key on a YubiKey.

We cover creating a certificate request, submitting it to Apple, loading the issued certificate onto your YubiKey, and using it for code signing, so that signing happens with a key held on the hardware.

Let us equip you with the knowledge and tools to enhance your Mac development experience.

Requirements of Mac Code Signing Certificates

There are a few prerequisites to fulfill first. They ensure you have the tools and access needed to request, load, and use your certificates.

  • You need a YubiKey, a hardware security key that performs cryptographic operations inside a secure element. Confirm that your YubiKey has the PIV (Personal Identity Verification) application loaded. This application lets the YubiKey generate and store private keys securely; a key generated on the device cannot be exported from it.
  • To interact with the PIV application on your YubiKey, you need the Yubico PIV Tool (yubico-piv-tool). It is the command-line tool used throughout this guide to manage and use the features of the PIV application.
  • You also need OpenSC. OpenSC provides a standardized interface for accessing smart cards and cryptographic tokens, including the YubiKey, so that the system can interact with it for key generation, certificate requests, and certificate loading; it is also what makes the YubiKey show up as a keychain in Keychain Access.
  • To request and use Mac code signing certificates, you must be a member of the Apple Developer Program. This program provides the resources, tools, and documentation for macOS and iOS development, and it ensures that your certificates are issued by Apple and recognized as valid by Apple’s platforms.

With these in place, you are ready to elevate your code signing game and confidently deliver Mac applications!

How to Generate a Key on a YubiKey using Mac?

STEP 1: First, generate a key in slot 9a, or import an existing one, with one of the following commands:

For Importing a Key:

yubico-piv-tool -s 9a -a import-key -i key.pem

For Generating a Key:

yubico-piv-tool -s 9a -a generate -o public.pem

STEP 2: Next, create a certificate request for app distribution:

yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
      -S "/CN=Application/" -i public.pem -o application.csr

STEP 3: Similarly, generate or import a key in slot 9c:

Code for Importing a Key:

yubico-piv-tool -s 9c -a import-key -i key.pem

Code for Generating a Key:

yubico-piv-tool -s 9c -a generate -o public.pem

STEP 4: Next, create a certificate request for installer distribution:

yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
      -S "/CN=Installer/" -i public.pem -o installer.csr

STEP 5: After completing these steps, submit the certificate requests (application.csr and installer.csr) through the Apple Developer Program website.

STEP 6: Once Apple has issued the certificates, download them.

STEP 7: Load the Certificates onto your YubiKey:

yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer

yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer

QUICK NOTE: If your yubico-piv-tool is a version earlier than 0.1.3, convert the certificates to PEM format first and import those instead.

To ensure that nothing stale is cached for the key, set a new CHUID on the PIV application:

yubico-piv-tool -a set-chuid
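Putting step 7 together, the script below is an added example and not code from the original article or from Yubico. It parses the installed yubico-piv-tool version, uses the DER import on 0.1.3 or later and the PEM conversion the note above describes on older releases, refuses to import a certificate whose public key is not the one generated in step 1 or step 3 (so a mix-up between the application and installer certificates is caught before it reaches the token), and resets the CHUID at the end. The function names, the assumption that `yubico-piv-tool --version` prints a dotted version number, the presence of openssl, and the per-slot public key file names are all mine.

```shell
#!/bin/sh
# Added example (not from the original article): import Apple-issued
# certificates into the YubiKey PIV slots with the version fallback of step 7.
# Assumptions: "yubico-piv-tool --version" prints a dotted version number,
# openssl is installed, and the public key written by "-a generate" for each
# slot was kept (public_app.pem for 9a, public_installer.pem for 9c).
set -u

# Extract the first x.y.z number from a version banner such as the
# constructed sample "yubico-piv-tool 2.3.0" (the real banner may differ).
parse_version() {
  printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Return 0 when dotted version $1 is >= $2, e.g. version_ge 2.3.0 0.1.3.
# Missing components count as 0, so 0.1 is treated as 0.1.0.
version_ge() {
  v1="$1"; v2="$2"
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    a="${v1%%.*}"; b="${v2%%.*}"
    if [ "$v1" = "$a" ]; then v1=""; else v1="${v1#*.}"; fi
    if [ "$v2" = "$b" ]; then v2=""; else v2="${v2#*.}"; fi
    a="${a:-0}"; b="${b:-0}"
    [ "$a" -gt "$b" ] && return 0
    [ "$a" -lt "$b" ] && return 1
  done
  return 0
}

# SHA-256 over the DER encoding of a public key, so the key from "-a generate"
# and the key inside Apple's certificate can be compared as plain strings.
pubkey_fingerprint() {  # $1: PEM public key file
  openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

cert_pubkey_fingerprint() {  # $1: DER certificate file
  openssl x509 -inform DER -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Refuse a certificate that does not embed the key generated on the token.
check_cert_matches_key() {  # $1: DER certificate, $2: PEM public key
  [ "$(cert_pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

import_cert() {  # $1: slot (9a or 9c), $2: DER certificate, $3: PEM public key
  slot="$1"; cert="$2"; pub="$3"
  [ -f "$cert" ] || { echo "missing certificate: $cert" >&2; return 1; }
  [ -f "$pub" ]  || { echo "missing public key: $pub" >&2; return 1; }
  check_cert_matches_key "$cert" "$pub" \
    || { echo "$cert does not match the key in $pub; wrong slot or wrong file" >&2; return 1; }
  tool_version=$(parse_version "$(yubico-piv-tool --version 2>&1)")
  if version_ge "${tool_version:-0}" 0.1.3; then
    yubico-piv-tool -a import-certificate -s "$slot" -K DER -i "$cert"
  else
    # Older releases: convert DER to PEM first, as the article's note says.
    openssl x509 -inform DER -in "$cert" -out "${cert%.cer}.pem"
    yubico-piv-tool -a import-certificate -s "$slot" -i "${cert%.cer}.pem"
  fi
}

# Usage: ./import_certs.sh mac_app.cer public_app.pem mac_installer.cer public_installer.pem
if [ "$#" -eq 4 ]; then
  import_cert 9a "$1" "$2" && import_cert 9c "$3" "$4" && yubico-piv-tool -a set-chuid
fi
```

Two practical notes. The article writes both generated keys to public.pem, so step 3 overwrites the file from step 1; keeping one copy per slot is what makes the match check above possible. And the PIN 123456 used in steps 2 and 4 is the factory default for the PIV application; on a key you will sign releases with, change it (yubico-piv-tool -a change-pin) before loading the certificates.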

STEP 8: At last, unplug and re-plug the YubiKey, then verify that the certificates appear under the keychain named “PIV_II” in Keychain Access.

STEP 9: Finally, use the certificates with codesign, pkgbuild, productbuild, or productsign to sign your applications and installers.
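The article stops at naming the signing tools, so here is an added example, not code from the original article or from Apple, of step 9 with the verification a release engineer runs afterwards: it looks up the identity that the YubiKey-backed certificate exposes through the keychain, signs an app bundle and an installer package, and then checks the result with codesign, spctl and pkgutil, including that the signature names the expected authority and carries a secure timestamp. The function names and bundle paths are mine, and it assumes the certificates Apple issued are Developer ID certificates (other certificate types use a different authority name).

```shell
#!/bin/sh
# Added example (not from the original article): sign and verify an app
# bundle and an installer package with YubiKey-backed identities.
# Assumptions: steps 7 and 8 are done so the PIV_II keychain is visible,
# the issued certificates are Developer ID certificates, and the caller
# supplies the bundle/package paths.
set -u

# Print the first identity whose name starts with $1, as listed by the
# keychain, e.g. find_identity "Developer ID Application". Prints nothing
# when no such identity is present.
find_identity() {
  security find-identity -v | sed -n "s/^.*\"\($1[^\"]*\)\".*$/\1/p" | head -n 1
}

# Check codesign's own description of a signature (codesign -dvv writes it to
# stderr): it must name the expected authority and carry a timestamp, which a
# signature made without --timestamp lacks.
signature_ok() {  # $1: codesign -dvv output, $2: expected authority prefix
  printf '%s\n' "$1" | grep -q "^Authority=$2" \
    && printf '%s\n' "$1" | grep -q '^Timestamp='
}

sign_app() {  # $1: identity, $2: path to .app bundle
  [ -d "$2" ] || { echo "not an app bundle: $2" >&2; return 1; }
  codesign --force --sign "$1" --timestamp --options runtime "$2"
}

verify_app() {  # $1: path to .app bundle
  [ -d "$1" ] || { echo "not an app bundle: $1" >&2; return 1; }
  codesign --verify --deep --strict --verbose=2 "$1" || return 1
  details=$(codesign -dvv "$1" 2>&1) || return 1
  signature_ok "$details" "Developer ID Application" \
    || { echo "signature lacks expected authority or timestamp" >&2; return 1; }
  spctl --assess --type execute --verbose=2 "$1"
}

sign_pkg() {  # $1: identity, $2: unsigned .pkg, $3: output path
  [ -f "$2" ] || { echo "no such package: $2" >&2; return 1; }
  productsign --sign "$1" --timestamp "$2" "$3"
}

verify_pkg() {  # $1: signed .pkg
  [ -f "$1" ] || { echo "no such package: $1" >&2; return 1; }
  pkgutil --check-signature "$1"
}

# Usage: ./sign.sh app MyApp.app   |   ./sign.sh pkg MyApp.pkg MyApp-signed.pkg
case "${1-}" in
  app)
    id=$(find_identity "Developer ID Application")
    [ -n "$id" ] || { echo "no Developer ID Application identity found" >&2; exit 1; }
    sign_app "$id" "${2-}" && verify_app "${2-}" ;;
  pkg)
    id=$(find_identity "Developer ID Installer")
    [ -n "$id" ] || { echo "no Developer ID Installer identity found" >&2; exit 1; }
    sign_pkg "$id" "${2-}" "${3-}" && verify_pkg "${3-}" ;;
esac
```

Every signing and verification call returns non-zero on failure, so the script can sit in a release pipeline that stops on the first failed check; the spctl assessment is the same Gatekeeper policy evaluation a user's Mac performs when the app is opened.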

With your Apple Developer Program certificates loaded on the YubiKey, the private keys stay on the hardware while you sign. Get ready to elevate your code signing game and confidently deliver exceptional Mac applications!


Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.