Wilson Mar


Overview

This article describes the use of code-signing certificates on Macs.

For production use by the public, generate a code-signing key on the website of a trusted CA (Certificate Authority) that is recognized by the operating system and by the application that runs your script or build.

You ship your script/program with the code-signing certificate generated for it.

The certificate is then imported onto the computers of those who wish to use your script/program.

If your users need to reference a CA not already known to their internet browser, they also need to install a certificate to trust the CA, in addition to the certificate the CA generated for you. This is the case for “self-signed” certificates and in organizations whose employees use a corporate-owned CA.

Certificates generated for use on Macs may have a different format than those on Windows. But converters can be used.

Certificates are issued for a period of time, after which they need to be renewed.


Generate a signing key on CA website

  1. Select a CA and its reseller.

    Public Trusted CAs

    This reseller offers $69.17/year for a certificate from Comodo, which sells certs direct via InstantSSL at $179/year.

    Alternately, Tucows offers certs at $75/year. VeriSign and GoDaddy (StarField) are two of the largest commercial root CAs. They charge $250 per year or more for certificates because they are the organizations behind the trusted root certificates in Apple’s OS X Trust Store and Microsoft’s.

    A code-signing certificate is different than “SSL/TLS” certificates used by web browsers.

    PROTIP: Whether or not a CA is recognized by browsers doesn’t matter for code-signing certificates used for PowerShell scripts, ActiveX controls, Java applets, dynamic link libraries, .cab files and .jar files.

    CAcert.org offers certificates, but they are not recognized, so they are equivalent to self-signed certs.

    However, using them is less work than creating self-signed CAs and certs, described below.

    A CA in Poland, certum.pl, used to offer free certificates.

    CA StartSSL.com operates in Israel.

    Certificates cost money because issuers confirm the validity of organizations they sign. This includes verifying physical existence and business presence.

  2. Get a physical address for use on your domain, phone, utility, tax bill, bank, and driver’s license.

  3. Get a telephone bill under that address.

    If you don’t want to use your cell phone, a MagicJack account (http://www.magicjack.com/, at $40/year) will do.

  4. Get a domain name with email setup under the same address on your driver’s license and utility bill.

    Comodo does not allow use of free email accounts such as Gmail, Hotmail, etc.

  5. Use Google Chrome to register for a Comodo account using that email address.

    Comodo receives e-mail only from those with a support account.

  6. Confirm the email, then return to the website for Password Login.

  7. Get a bank checking account and printed check with the common physical address.

    You may have to wait to receive your printed checks.

  8. Scan into PDF files each proof of your identity.

    You will be asked for a copy of identity papers shortly after you apply, so don’t pay for a cert until you have all the files you will need to present.

    A property tax bill if you own your home.

    A copy of the applicant’s Articles of Incorporation. Information in the Articles should be verified by checking the relevant government corporation database wherever possible. If it is not possible to at least verify the existence of a registered entity of that name in the relevant jurisdiction, then the Articles must be supplemented with additional documentation. Acceptable additional documentation: Business License DUNS details (e.g. Dun & Bradstreet company number).

  9. Get an electric or phone utility bill under the address to be associated with the certificate.

  10. Download and print Tucows’ face-to-face verification form.

  11. Find and go to a Notary to confirm your ID and sign that verification form.

    Most banks have a notary and will notarize free for their customers.

  12. Pay for the certificate on the website.

    Some CAs require you first create a CSR (Certificate Signing Request) file.

  13. Upload PDF files to verify your identity.

  14. Wait for a phone call from the CA.

  15. Wait for the email with instructions to download the cert from their website.

    You must use the same computer and web browser used to request the certificate.

  16. Export the key from the browser.

  17. Back up the key immediately to alternate media such as a CD or DVD disk.

    PROTIP: USB flash drives degrade over time more quickly than CD or DVD disks.

  18. Put the media in a fire-safe locked box.

  19. Timestamp your signatures so the CA can “co-sign” your code, such that even after your certificate has expired, Comodo continues to testify to your program’s legitimacy.

    See http://wiki.cacert.org/TimeStamping

If the above is too much of a hassle for you, self-sign your app.

Create CA root cert on Mac

Create self-signed cert on Mac

Based on https://support.apple.com/kb/PH20131?locale=en_US&viewlocale=en_US

  1. Click Apple’s search icon at the upper-right corner.

  2. Type “Keychain Access” for that GUI.

  3. Click “Keychain Access” and choose Certificate Assistant, then Create a Certificate.

  4. Enter a name for the certificate in the “Create Your Certificate” GUI.

    PROTIP: Include in the Name several items separated by dashes: your email, the machine name assigned by security, and your user name, such as “wilsonmar@gmail.com-M345-mac”.

  5. Highlight the name and copy it to your Clipboard.

  6. For Identity Type, leave it “Self Signed Root”.

  7. For Certificate Type, select “Code Signing”.

  8. Click Create and Continue for the pop-up.

    NOTE: 2048 bits is the default (and now the minimum). The program can generate up to 4096 bits.

    See https://developer.apple.com/library/content/technotes/tn2326/_index.html

  9. Click Create a certificate that’s good for one year.

  10. Click Done.

    Export for running elsewhere

  11. Return to the “Keychain Access” GUI.

  12. Click to select the certificate you just created.

  13. Select menu File, Export Items.

  14. Paste in Save As field the certificate name (“wilsonmar@gmail.com-M345-mac”).

  15. Instead of “.p12” select “Certificate (.cer)”.

  16. Click Save.

  17. Quit Keychain Access.

    Sign a file on Mac

  18. Go to where you saved the cert created following the steps above.
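The Keychain Access steps above produce a key, a self-signed code-signing certificate, and .cer and .p12 exports without showing what is inside each file. The script below is an added example, not code from the original article, that reproduces the same artifacts with OpenSSL: a 2048-bit key and a CSR (the file some CAs ask for, as noted in the CA procedure), a one-year self-signed certificate of type Code Signing, the two exports, a check of the Extended Key Usage and expiry date, and a detached signature over a file with verification against the public certificate. The working directory, the certificate name (borrowing the naming format suggested in step 4) and the signed file are constructed for this example; the signature is a generic OpenSSL one and does not use Apple’s codesign tool.

```shell
#!/bin/sh
# Added example, not from the original article: the Keychain Access steps
# above reproduced with OpenSSL so that each artifact (key, CSR, certificate,
# .cer and .p12 exports) is visible. Directory and certificate name are
# constructed for this example; WORKDIR and CERT_NAME can be overridden.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CERT_NAME="${CERT_NAME:-wilsonmar@gmail.com-M345-mac}"   # naming format from step 4

# A 2048-bit RSA key (the default and minimum noted in step 8) plus a CSR,
# the file that some CAs require before issuing (step 12 of the CA procedure).
make_key_and_csr() {
  openssl genrsa -out "$WORKDIR/key.pem" 2048 2>/dev/null
  openssl req -new -key "$WORKDIR/key.pem" -subj "/CN=$CERT_NAME" \
    -out "$WORKDIR/request.csr"
}

# Steps 6 to 9: Self Signed Root identity, Code Signing type, valid one year.
# The extendedKeyUsage line is what makes this a code-signing certificate
# rather than an SSL/TLS one.
make_self_signed_cert() {
  printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature' \
    'extendedKeyUsage=codeSigning' > "$WORKDIR/codesign.ext"
  openssl x509 -req -days 365 -in "$WORKDIR/request.csr" \
    -signkey "$WORKDIR/key.pem" -extfile "$WORKDIR/codesign.ext" \
    -out "$WORKDIR/cert.pem" 2>/dev/null
}

# Steps 13 to 16: the .cer export holds only the public certificate (written
# here as DER); the .p12 also carries the private key and stays with you,
# never with the shipped program. $1 is the passphrase protecting the .p12.
export_cert() {
  openssl x509 -in "$WORKDIR/cert.pem" -outform DER -out "$WORKDIR/$CERT_NAME.cer"
  openssl pkcs12 -export -inkey "$WORKDIR/key.pem" -in "$WORKDIR/cert.pem" \
    -passout "pass:$1" -out "$WORKDIR/$CERT_NAME.p12"
}

# Two checks the GUI does not surface: the EKU really is Code Signing, and
# the expiry date after which (per the overview) the certificate needs renewal.
cert_has_codesigning_eku() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -text \
    | grep -A1 'Extended Key Usage' | grep -q 'Code Signing'
}
cert_not_after() {
  openssl x509 -in "$WORKDIR/cert.pem" -noout -enddate | sed 's/^notAfter=//'
}

# A detached SHA-256 signature made with the certificate's private key, and
# verification that needs only the public certificate. This is a generic
# OpenSSL signature; Apple's codesign tool is not used here.
sign_file() {            # $1 = file to sign, $2 = signature output
  openssl dgst -sha256 -sign "$WORKDIR/key.pem" -out "$2" "$1"
}
verify_file() {          # $1 = file, $2 = signature; exit status 0 only if intact
  openssl x509 -in "$WORKDIR/cert.pem" -pubkey -noout > "$WORKDIR/pub.pem"
  openssl dgst -sha256 -verify "$WORKDIR/pub.pem" -signature "$2" "$1" >/dev/null 2>&1
}

demo() {
  make_key_and_csr
  make_self_signed_cert
  export_cert 'export-passphrase'
  cert_has_codesigning_eku && echo "EKU: Code Signing"
  echo "expires: $(cert_not_after)"
  printf 'echo hello\n' > "$WORKDIR/script.sh"         # constructed file to sign
  sign_file "$WORKDIR/script.sh" "$WORKDIR/script.sh.sig"
  verify_file "$WORKDIR/script.sh" "$WORKDIR/script.sh.sig" && echo "signature OK"
  printf 'echo tampered\n' > "$WORKDIR/script.sh"      # modified after signing
  verify_file "$WORKDIR/script.sh" "$WORKDIR/script.sh.sig" || echo "tampered file rejected"
}
demo
```

The last two lines of demo are the point of signing at all: the same signature that verifies the original file fails once a single byte of the file changes, which is what a user's machine relies on when it checks your shipped program against the certificate you exported.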

Resources

  • https://www.sans.org/security-resources/glossary-of-terms/

  • Doug

  • http://www.wilsonmar.com/1certs.htm
