General Information ID : INFO1143
Apple® Code Signing is a new technology launched in MacOS 9, which allows applications, plug-ins and content to be signed by developers. Apple® Code Signing Certificates assure your customers of your identity and the integrity of your products. For more information, please see the Apple-Developer site, which can be found at: http://apple.com/developer/
To sign applications, plug-ins and content using Apple® Code Signing technology you need to have obtained a Developer Certificate that identifies you as a developer. Thawte provides such certificates worldwide through our standard Organizational Certification Program.
You also need to have the Apple Data Security Services SDK. You will be using two tools from that SDK: Keychain Access and the Apple Signer Tool.
Your customers will use the Apple Verifier application (which will ship as part of MacOS 9) to verify your Apple® Code Signing Certificate in each of your signed products.
The Apple Developer Site should always be your first point of contact for information about Apple technology. However, there is so much information there that it can be hard to know where to start, so we have included a brief introduction to the use of Keychain Access and the Apple Signer as code signing tools.
Getting Ready for Apple® Code Signing
You need to be running MacOS 9 and have the Apple Data Security Services SDK installed. Also make sure you know the password to unlock your keychain. If you want to use your Developer Certificate for more than one platform or application, please have a look at: http://www.thawte.com/ssl-digital-certificates/technical-support/code/multi.html
Enrolling for a Developer Certificate
Launch Netscape Navigator 9 or Mozilla Firefox (Microsoft Internet Explorer is not supported for this enrollment process). Start the enrollment process by clicking here. Print out this page and use it as a companion guide to the enrollment procedure.
Note: During the enrollment process your private key will be generated. Ensure that you are using Netscape Navigator 9 or Mozilla Firefox on Windows XP. With Windows Vista the private key will not be generated.
Receiving Your Apple® Code Signing Certificate
When you receive the email notifying you that your certificate has been issued, launch Netscape Navigator 9 or Mozilla Firefox (whichever one was used for the enrollment) using the same user profile and machine that you used to make the request. Go to your status page and press the ‘Fetch Certificate’ button. This will install the certificate automatically.
Backing Up Your Apple® Code Signing Certificate
As soon as you have installed your certificate, check the personal certificate list in your browser. You should see the certificate there, described with the Company name used during enrollment. Highlight the certificate and click the backup button in order to export it to a PKCS12 file. Make sure that you have several copies of that backup, and that you know the password to unlock your backup file. If you lose the file or its password, you will not be able to recover your certificates and will not be able to sign code. In that case you will have to complete the process again, in the form of a reissue.
Note: There is a tradeoff between the safety of keeping a backup of your private signing key and the risk of someone getting unauthorized access to it. Be sure all backups are kept in physically secure locations.
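One way to confirm that a backup file and its password actually work before you rely on them, shown as an added example that is not part of the original article. It assumes the OpenSSL command-line tool is installed; the function name check_p12_backup and its exit codes are hypothetical.

```shell
# Added example (not from the original article): sanity-check a PKCS#12 backup.
# Assumptions: OpenSSL CLI on PATH; function name and exit codes are made up here.
# The password is read from an environment variable so that it never appears
# on a command line, where other users could see it in the process list.
check_p12_backup() {
    p12_file=$1   # path to the exported backup file
    pass_var=$2   # NAME of an exported env var holding the backup password

    [ -r "$p12_file" ] || { echo "cannot read $p12_file" >&2; return 2; }

    # 1. The password must open the file; a wrong one makes openssl exit non-zero.
    cert_pem=$(openssl pkcs12 -in "$p12_file" -passin "env:$pass_var" \
        -nokeys -clcerts 2>/dev/null) \
        || { echo "password rejected or file corrupt" >&2; return 3; }

    # 2. The backup must contain the certificate that belongs to a key.
    cert_pub=$(printf '%s\n' "$cert_pem" | openssl x509 -noout -pubkey 2>/dev/null)
    [ -n "$cert_pub" ] || { echo "no signing certificate in backup" >&2; return 4; }

    # 3. The private key must be there too. It is piped straight into
    #    'openssl pkey' and only its public half is kept; nothing hits disk.
    key_pub=$(openssl pkcs12 -in "$p12_file" -passin "env:$pass_var" \
        -nocerts -nodes 2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$key_pub" ] || { echo "no private key in backup" >&2; return 5; }

    # 4. Key and certificate must be a pair, or the backup cannot sign.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 6; }

    # 5. An expired certificate restores fine but is useless for new signatures.
    printf '%s\n' "$cert_pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate has expired" >&2; return 7; }

    # Report what was verified so it can be compared with the enrollment details.
    printf '%s\n' "$cert_pem" | openssl x509 -noout -subject -enddate
    return 0
}
```

Backup files written by older browsers may use encryption algorithms that OpenSSL 3 reads only when its -legacy option is added to the pkcs12 commands; without it such a file is reported with exit code 3 even when the password is correct.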
Adding Your Apple® Code Signing Certificate to Your Keychain
In the Finder, open the certificate backup file you created in the above step, or drag the backup file out of the Finder and drop it onto an open, unlocked keychain window. You will be prompted for the password for the backup file. Once you enter that password, the keychain will ask whether you want to protect your signing certificate with a password. With this added protection, you will be prompted for your password with every use of your Apple® Code Signing Certificate.
Note: It is strongly advised that you protect your Apple® Code Signing Certificate in your keychain with this additional password.
Signing With the Apple Signer Application
Open the Apple Signer application. Choose the file you want to sign. If your keychain isn't unlocked you will be prompted to unlock it first. If you used a password when you added your signing certificate into the keychain, enter it again now.
Testing Your Signature with the Apple Signer or Verifier Applications
Open the Apple Signer application, or open the Apple Verifier application. Choose the file you signed in the above step. The results of the signature verification will appear. If the signature is verified successfully, you can open the file or view the signing certificate directly from the results dialog.