Code signing question

  • I want to code sign a test app CodeSignTest.app and I'm not sure what
    I'm doing wrong.

    I was successfully able to import my company's Authenticode
    certificate (issued by VeriSign) into the System keychain.  I set it
    to "Always Trust" for code signing.

    When using the codesign command-line in Terminal, I'm not sure what to
    enter as the identity for the -s flag.  Is it supposed to be the
    certificate common name?  The common name of this certificate is
    actually the name of my company.  I've tried several combinations of:

    codesign -s "MyCompany, Inc." CodeSignTest.app
    MyCompany, Inc.:  no such identity

    I've tried it without the quotes and even with a backslash before the
    space, but none worked.  Anyone have any idea what I'm doing wrong?
  • On 18 Dec 2007, at 10:56, Edward J. Stembler wrote:

    > I want to code sign a test app CodeSignTest.app and I'm not sure
    > what I'm doing wrong.
    >
    > I was successfully able to import my company's Authenticode
    > certificate (issued by VeriSign) into the System keychain.  I set
    > it to "Always Trust" for code signing.
    >
    > When using the codesign command-line in Terminal, I'm not sure what
    > to enter as the identity for the -s flag.  Is it supposed to be the
    > certificate common name?  The common name of this certificate is
    > actually the name of my company.  I've tried several combinations of:
    >
    > codesign -s "MyCompany, Inc." CodeSignTest.app
    > MyCompany, Inc.:  no such identity

    I use

    codesign --sign "GameHouse, Inc." "${BUILT_PRODUCTS_DIR}"/"${FULL_PRODUCT_NAME}"

    where "GameHouse, Inc." is the name of the VeriSign-issued certificate
    in my keychain. So maybe you need to import it into your keychain,
    not the system? (I imported a .pfx file if I recall correctly.)

    David Dunham  Macintosh Game Developer
    GameHouse Studios    +1 206 926 5722    www.gamehouse.com
        "They said it couldn't be done but sometimes it doesn't
          work out that way." -- Casey Stengel
  • I imported my certificate from a .p7b file.

    When I created a sample self-signed root certificate -- which worked
    -- I noticed the private key is part of the certificate in the
    keychain.  My imported Authenticode certificate doesn't show a private
    key in the keychain.  I know on the Windows side, the private key was
    stored in a separate (binary) file; something like:  myprivatekey.pvk.

    In any case, I have an e-mail out to VeriSign to see if they have any
    guidance or instructions...

    On Dec 18, 2007, at 11:21 AM, David Dunham wrote:

    > I use
    >
    > codesign --sign "GameHouse, Inc." "${BUILT_PRODUCTS_DIR}"/"${FULL_PRODUCT_NAME}"
    >
    > where "GameHouse, Inc." is the name of the VeriSign-issued certificate
    > in my keychain. So maybe you need to import it into your keychain,
    > not the system? (I imported a .pfx file if I recall correctly.)
    >
    > David Dunham  Macintosh Game Developer
    > GameHouse Studios    +1 206 926 5722    www.gamehouse.com
    > "They said it couldn't be done but sometimes it doesn't
    > work out that way." -- Casey Stengel
  • On 18 Dec 2007, at 14:27, Edward J. Stembler wrote:

    > I imported my certificate from a .p7b file.
    >
    > When I created a sample self-signed root certificate -- which
    > worked -- I noticed the private key is part of the certificate in
    > the keychain.  My imported Authenticode certificate doesn't show a
    > private key in the keychain.  I know on the Windows side, the
    > private key was stored in a separate (binary) file; something
    > like:  myprivatekey.pvk.

    I have a self-signing root certificate as well; I ended up with
    certificate, public key, and private key in my keychain.

    I just noticed a "PvkTmp..." private key. It's possible this is from
    myprivatekey.pvk. I don't know where those files came from in the
    first place.

    David Dunham  Macintosh Game Developer
    GameHouse Studios    +1 206 926 5722    www.gamehouse.com
        "They said it couldn't be done but sometimes it doesn't
          work out that way." -- Casey Stengel
  • At 5:27 PM -0500 12/18/07, Edward J. Stembler wrote:
    > I imported my certificate from a .p7b file.
    >
    > When I created a sample self-signed root certificate -- which worked
    > -- I noticed the private key is part of the certificate in the
    > keychain.  My imported Authenticode certificate doesn't show a
    > private key in the keychain.  I know on the Windows side, the
    > private key was stored in a separate (binary) file; something like:
    > myprivatekey.pvk.
    >
    > In any case, I have an e-mail out to VeriSign to see if they have
    > any guidance or instructions...
    >

    Indeed, you must have both a private key and a public key, and they
    should look similar to what you get by creating a self-signed root
    cert. It is very important that the certificate is intended for code
    signing, i.e. it must contain extensions like:

    Extension  Key Usage
        Usage  Digital Signature
    Extension  Extended Key Usage
      Purpose #1 Code Signing

    when viewed in Keychain Access

    If these extensions are not present, codesign does not recognize the
    identity; you have to request a new certificate from your CA, or
    switch to another CA if they are not able to generate a proper one.

    //
    Mihkel Tammepuu
    Skype
    --
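    A way to verify Mihkel's two extensions from Terminal, and to ask the
    keychain which identities codesign will accept, as an added example
    (not code from the thread). It assumes openssl is on PATH and, for the
    macOS-only helpers, the security(1) tool; "MyCompany, Inc." is the
    thread's placeholder certificate name and the sample text is constructed.

```shell
# Reads `openssl x509 -noout -text` output on stdin and reports which of the
# two code-signing extensions are absent. Returns 0 only when both exist.
check_codesign_extensions() {
    text=$(cat)
    rc=0
    # openssl prints the usage values on the line after the extension header
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'; then
        echo 'missing: Key Usage -> Digital Signature'
        rc=1
    fi
    if ! printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' | grep -q 'Code Signing'; then
        echo 'missing: Extended Key Usage -> Code Signing'
        rc=1
    fi
    return $rc
}

# macOS only (assumption: security and openssl available): export the
# certificate whose common name matches $1 and run the check above on it.
check_keychain_cert() {
    security find-certificate -c "$1" -p | openssl x509 -noout -text | check_codesign_extensions
}

# macOS only: identities with a matching private key and the right extensions.
# An empty list is why codesign answers "no such identity" for the name.
list_codesigning_identities() {
    security find-identity -v -p codesigning
}

# Constructed samples in the shape openssl prints, so this runs offline.
SAMPLE_GOOD='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing'
SAMPLE_BAD='        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication'

demo() {
    printf '%s\n' "$SAMPLE_GOOD" | check_codesign_extensions && echo 'sample 1: usable for codesign'
    printf '%s\n' "$SAMPLE_BAD" | check_codesign_extensions || echo 'sample 2: not usable'
}
demo
```

    On a Mac, `check_keychain_cert "MyCompany, Inc."` runs the same check
    against the imported certificate itself.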