If you develop iOS or Mac applications, you need to protect them from malicious tampering or unauthorized alteration by digitally signing them with an Apple code signing certificate. Such certificates are issued by trusted Certificate Authorities (CAs) such as Sectigo and are suitable for securing any Apple software or application.
Now that HSMs and hardware tokens are mandatory for the code signing process, the YubiKey is gaining popularity and is well suited to signing your Mac applications.
The following step-by-step process sets up your YubiKey for Mac code signing so that you can sign your iOS and macOS applications:
Step 1: First, satisfy the prerequisites for the Apple code signing process:
Membership of the Apple Developer Program, which gives you access to the tools, documentation and resources required for code signing and for iOS and macOS development.
A code signing certificate from a reputable authority, such as a Sectigo Code Signing Certificate for the Apple Mac and iOS signing platforms.
A YubiKey with the PIV (Personal Identity Verification) application, which stores the cryptographic keys; to interact with the PIV application, install the Yubico PIV Tool (yubico-piv-tool) on your system.
OpenSC, the smart-card middleware used as the interface to the YubiKey during key generation and certificate handling.
Step 2: Generate a key in slot 9a of the YubiKey, or import an existing private key into it, with the commands below. Generating on the device keeps the private key inside the YubiKey, whereas importing means the key also exists as a file (key.pem) that you must protect or securely delete afterwards.
Key generation
yubico-piv-tool -s 9a -a generate -o public.pem
Key import (existing private key in key.pem)
yubico-piv-tool -s 9a -a import-key -i key.pem
Step 3: Create the certificate request for application distribution with the command below. Note that 123456 is the factory-default PIV PIN; use the PIN you have set on your key instead.
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
-S "/CN=Application/" -i public.pem -o application.csr
Step 4: Repeat the process of Step 2 for slot 9c of the YubiKey, generating a new key or importing an existing one:
Key generation
yubico-piv-tool -s 9c -a generate -o public.pem
Key import (existing private key in key.pem)
yubico-piv-tool -s 9c -a import-key -i key.pem
Step 5: Create the code signing certificate request for installer distribution with the command below (again, replace 123456 with your own PIN):
yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
-S "/CN=Installer/" -i public.pem -o installer.csr
Step 6: After completing the five steps above, submit both certificate requests to the Apple Developer Program page.
Step 7: Once your code signing certificates are issued, download them and load them onto the YubiKey with the commands below, matching each certificate to the slot whose key it was issued for (the application certificate to 9a, the installer certificate to 9c):
yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
NOTE: With versions of yubico-piv-tool below 0.1.3, convert the certificates to PEM format before importing them, and then set a new CHUID in the PIV application so that nothing stale is cached for the key:
yubico-piv-tool -a set-chuid
Step 8: Unplug and re-insert the YubiKey, then verify in Keychain Access that the certificates appear under the keychain named PIV_II.
Step 9: With an active Apple Developer Program membership and the certificates loaded on the YubiKey, you are now ready to use them with pkgbuild, productbuild, or productsign to sign your Mac applications and installers.
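A check worth running between Step 7's download and the import-certificate commands, and after Steps 3 and 5 before submitting the requests to Apple: confirm that each CSR and each returned certificate actually carries the public key of the slot it is meant for. The procedure above writes both slots' public keys to the same file name (public.pem), so mixing up the 9a and 9c material is easy, and a certificate imported over the wrong key simply fails to sign. The script below is an added example, not code from the original post or from Yubico; it assumes openssl is on PATH and that the public keys from the generate steps were saved under distinct names (app_public.pem for 9a, installer_public.pem for 9c). It never touches the YubiKey itself; the sample keys, CSRs and self-signed DER certificates it creates are constructed stand-ins for the real slot keys and the CA-issued mac_app.cer and mac_installer.cer.

```shell
#!/bin/sh
# Added example (not part of the original post or of Yubico's tooling).
# Assumptions: openssl is on PATH; the slot public keys were saved as
#   yubico-piv-tool -s 9a -a generate -o app_public.pem
#   yubico-piv-tool -s 9c -a generate -o installer_public.pem
# and the CA returned mac_app.cer / mac_installer.cer in DER form.
# Nothing here talks to the YubiKey; it only inspects files on disk.

# SHA-256 of a PEM public key's DER encoding (SubjectPublicKeyInfo).
pubkey_fingerprint() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, taken from the public key inside a DER certificate.
cert_pubkey_fingerprint() {
    openssl x509 -inform DER -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, taken from the public key inside a PEM CSR.
csr_pubkey_fingerprint() {
    openssl req -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True when DER certificate $1 was issued for the public key in PEM file $2.
cert_matches_pubkey() {
    [ "$(cert_pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# True when CSR $1 carries the public key in PEM file $2; run this on
# application.csr / installer.csr before submitting them to Apple.
csr_matches_pubkey() {
    [ "$(csr_pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Print the slot a downloaded certificate belongs in: 9a for the key in $2,
# 9c for the key in $3. Fails when it matches neither, so a stray certificate
# is never imported over a key it does not belong to.
slot_for_cert() {
    if cert_matches_pubkey "$1" "$2"; then
        echo 9a
    elif cert_matches_pubkey "$1" "$3"; then
        echo 9c
    else
        echo "$1 matches neither slot key; do not import it" >&2
        return 1
    fi
}

# Constructed sample data standing in for the real slot keys and the
# CA-issued certificates: two throwaway RSA keys, their public halves,
# a CSR for each, and a self-signed DER certificate for each.
WORK=$(mktemp -d)
for name in app installer; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.crt" >/dev/null 2>&1
    openssl pkey -in "$WORK/$name.key" -pubout -out "$WORK/${name}_public.pem"
    openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr"
    openssl x509 -in "$WORK/$name.crt" -outform DER -out "$WORK/mac_$name.cer"
done

# Usage: print the import command each certificate should go into, and
# refuse to suggest one for a certificate that matches neither slot key.
for cer in "$WORK"/mac_app.cer "$WORK"/mac_installer.cer; do
    slot=$(slot_for_cert "$cer" "$WORK/app_public.pem" "$WORK/installer_public.pem") &&
        echo "$(basename "$cer") -> yubico-piv-tool -a import-certificate -s $slot -K DER -i $(basename "$cer")"
done
```

The fingerprint functions compare the DER-encoded SubjectPublicKeyInfo rather than the PEM text, so they give the same answer whether the key came from yubico-piv-tool, from the CSR, or from the issued certificate. Run the CSR check before Step 6 and the certificate check before Step 7; if slot_for_cert reports a mismatch, the certificate was issued for a different request and should not be imported.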
Conclusion
To sum up, following these nine steps sets up your YubiKey for Mac code signing and lets you digitally sign your Apple iOS and macOS applications.