Wilson Mar


Overview

This article describes the use of code-signing certificates on Macs.

For production use by the public, obtain a code-signing certificate from a CA (Certificate Authority) whose root is trusted by the operating system and application that will run your script/build. The private key is generated on your side (in the browser or with a tool such as openssl); the CA only issues the certificate that binds your public key to your verified identity.

You ship your script/program with a signature made by your private key; the signature embeds the code-signing certificate issued to you.

If the CA's root is already in your users' trust store, nothing needs to be imported on their computers. If it is not, they must import a certificate that makes them trust the issuer, in addition to the certificate the CA issued to you. This is the case for “self-signed” certificates and in organizations whose employees use a corporate-owned CA. The trust store that matters is the one consulted by the operating system or runtime that verifies the signature, which is not necessarily the browser's.

Certificates generated for use on Macs may be exported in a different file format (.cer, .p12) than those on Windows (.cer, .pfx). The underlying encodings (DER, PEM, PKCS#12) are the same, and openssl can convert between them.

Certificates are issued for a period of time, after which they need to be renewed. Signatures made before expiry stay verifiable only if they carry a trusted timestamp (see the last step of the next section).


Obtain a signing certificate from a CA website

  1. Select a CA and its reseller.

    Public Trusted CAs

    One reseller offers $69.17/year for a certificate from Comodo, which sells certs directly via InstantSSL at $179/year.

    Alternatively, Tucows offers certs at $75/year. VeriSign and GoDaddy (Starfield) are two of the largest commercial root CAs. They charge $250 per year or more for certificates because they operate the trusted root certificates shipped in Apple's OS X Trust Store and in Microsoft's root program.

    A code-signing certificate is different from the “SSL/TLS” certificates used by web browsers: its Extended Key Usage (EKU) extension is Code Signing (OID 1.3.6.1.5.5.7.3.3) rather than Server Authentication, and signing tools reject a TLS certificate for that reason.

    PROTIP: Whether a CA is recognized by web browsers is irrelevant for code-signing certificates used with PowerShell scripts, ActiveX controls, Java applets, dynamic link libraries, .cab files and .jar files. What matters is whether the CA's root is in the trust store consulted by the platform that verifies the signature (the Windows Trusted Root store for PowerShell and Authenticode, the Java cacerts file for .jar files).

    CAcert.org offers certificates, but its root is not in the major trust stores, so for your users its certificates are equivalent to self-signed certs.

    Using them is, however, less work than creating your own self-signed CA and certs, described below.

    A CA in Poland, certum.pl, used to offer free certificates.

    StartSSL.com, a CA that operated in Israel, has since shut down.

    Certificates cost money because issuers verify the identity of the organizations they sign for, including physical existence and business presence.

  2. Use one physical address consistently on your domain registration, phone, utility and tax bills, bank account, and driver's license; the CA cross-checks them.

  3. Get a telephone bill under that address.

    If you don’t want to use your cell phone, a http://www.magicjack.com/ account (at $40/year) will do.

  4. Get a domain name with email set up under the same address as on your driver's license and utility bill.

    Comodo does not allow use of free email accounts such as Gmail, Hotmail, etc.

  5. Use Google Chrome to register for a Comodo account using that email address.

    Comodo receives e-mail only from those with a support account.

  6. Confirm the email, then return to the website for Password Login.

  7. Get a bank checking account and printed check with the common physical address.

    You may have to wait to receive your printed checks.

  8. Scan each proof of your identity into a PDF file.

    You will be asked for a copy of identity papers shortly after you apply, so don’t pay for a cert until you have all the files you will need to present.

    A property tax bill if you own your home.

    A copy of the applicant's Articles of Incorporation. The CA verifies the information in the Articles against the relevant government corporation database wherever possible. If it cannot at least verify the existence of a registered entity of that name in the relevant jurisdiction, the Articles must be supplemented with additional documentation, such as a business license or DUNS details (e.g. a Dun & Bradstreet company number).

  9. Get an electric or phone utility bill under the address to be associated with the certificate.

  10. Download and print Tucows' face-to-face verification form.

  11. Find and go to a Notary to confirm your ID and sign that verification form.

    Most banks have a notary and will notarize free for their customers.

  12. Pay for the certificate on the website.

    Some CAs require you to first create a CSR (Certificate Signing Request) file. The CSR carries your public key and identity details; the private key is generated on your machine and never leaves it.

  13. Upload PDF files to verify your identity.

  14. Wait for a phone call from the CA.

  15. Wait for the email with instructions to download the cert from their website.

    You must use the same computer and web browser used to request the certificate, because the private key was generated in, and is held by, that browser's key store.

  16. Export the key from the browser as a PKCS#12 (.p12/.pfx) file protected by a strong passphrase. That file holds both the certificate and the private key, so treat it as a secret.

  17. Back up the key immediately to alternate media such as a CD or DVD disc.

    PROTIP: USB flash drives degrade over time more quickly than CD or DVD discs.

  18. Put the media in a fire-safe locked box.

  19. Timestamp your signatures. An RFC 3161 timestamp authority (TSA) countersigns each signature with the time it was made, so verifiers can accept the signature after your certificate has expired, provided the certificate was valid at signing time. After expiry it is the TSA's timestamp, not your certificate, that vouches for when the code was signed.

    See http://wiki.cacert.org/TimeStamping
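Some CAs want a CSR instead of a browser-generated key (step 12). As an added example that is not part of the original article or any CA's instructions, here is that path done with the openssl command line: the private key is generated locally and stays local, the CSR is the only thing uploaded to the CA, and an encrypted copy of the key is produced for the backup media of step 17. The subject name, e-mail address and passphrase are constructed placeholders; use the exact legal name and address the CA will check against your documents. Assumes OpenSSL 1.1.1 or newer (on a Mac, brew install openssl; the bundled LibreSSL differs in places).

```shell
#!/bin/sh
# Added example (not from the original article): generate a code-signing key
# and CSR locally with openssl. Only the CSR goes to the CA; the key never does.
# Subject values and passphrase below are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/codesign-key.pem"         # private: goes in the fire safe, not to the CA
CSR="$WORK/codesign-request.csr"     # public: this is what you upload to the CA
BACKUP="$WORK/codesign-key-backup.pem"

# Ask for a Code Signing EKU in the request. CAs apply their own profile, but
# the file documents intent and lets you diff the issued cert against it.
write_csr_config() {
    cat > "$WORK/csr.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = ext
[ dn ]
CN           = Example Publisher LLC
O            = Example Publisher LLC
emailAddress = signer@example.com
[ ext ]
keyUsage         = critical, digitalSignature
extendedKeyUsage = codeSigning
EOF
}

make_key_and_csr() {
    write_csr_config
    # 3072-bit RSA is a sensible floor for a key that will sign code for years.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$KEY" 2>/dev/null
    chmod 600 "$KEY"
    openssl req -new -key "$KEY" -config "$WORK/csr.cnf" -out "$CSR"
}

# 0 only if the CSR's self-signature verifies and it requests Code Signing.
csr_is_valid() {
    openssl req -in "$CSR" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$CSR" -noout -text | grep -q "Code Signing"
}

# 0 only if no private-key material leaked into the file you are about to upload.
csr_has_no_private_key() {
    ! grep -q "PRIVATE KEY" "$CSR"
}

# Encrypted PKCS#8 copy for offline media; keep the passphrase somewhere else.
# Returns 0 only if the backup is encrypted and decrypts to the same key.
backup_key() {
    pass="$1"
    openssl pkcs8 -topk8 -in "$KEY" -out "$BACKUP" -passout "pass:$pass"
    grep -q "ENCRYPTED PRIVATE KEY" "$BACKUP" &&
    [ "$(openssl pkey -in "$BACKUP" -passin "pass:$pass" -pubout)" = \
      "$(openssl pkey -in "$KEY" -pubout)" ]
}

make_key_and_csr
if csr_is_valid && csr_has_no_private_key && backup_key 'correct horse battery staple'; then
    echo "CSR ready to upload: $CSR"
    echo "private key stays in $KEY; encrypted backup in $BACKUP"
else
    echo "CSR or backup check failed" >&2
    exit 1
fi
```

Upload only the .csr file. When the issued certificate arrives, openssl x509 -in issued.pem -noout -text should show the same public key as openssl pkey -in codesign-key.pem -pubout and an Extended Key Usage of Code Signing; if either differs, the CA issued against the wrong request.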

If the above is too much of a hassle for you, self-sign your app. Be aware that your users must then explicitly trust your certificate, and macOS Gatekeeper will not accept an app signed this way without a user override.

Create a self-signed root code-signing cert on Mac

Based on https://support.apple.com/kb/PH20131?locale=en_US&viewlocale=en_US

  1. Click the Spotlight search icon (magnifying glass) at the upper-right corner.

  2. Type “Keychain Access” for that GUI.

  3. Open Keychain Access, then from its menu choose Keychain Access, Certificate Assistant, Create a Certificate.



  4. Enter a name for the certificate in the “Create Your Certificate” GUI.

    PROTIP: Include in the Name items separated by dashes: your email, the machine name assigned by security, and the user name, such as “wilsonmar@gmail.com-M345-mac”.

  5. Highlight the name and copy it to your Clipboard.

  6. For Identity Type, leave it “Self Signed Root”.

  7. For Certificate Type, select “Code Signing”.

  8. Click Create and Continue for the pop-up.

    NOTE: 2048 bits is the default (the minimum now). The program can generate up to 4096 bits.

    See https://developer.apple.com/library/content/technotes/tn2326/_index.html

  9. Click Create. The certificate is generated with the default validity of one year.

  10. Click Done.

    Export for running elsewhere

  11. Return to the “Keychain Access” GUI.

  12. Click to select the certificate you just created.

  13. Select menu File, Export Items.

  14. Paste in Save As field the certificate name (“wilsonmar@gmail.com-M345-mac”).



  15. Instead of “.p12” select “Certificate (.cer)”. The .cer file contains only the public certificate, which is what users import to trust your signatures; a .p12 export also contains the private key and must never be distributed.

  16. Click Save.

  17. Quit Keychain Access.

    Sign a file on Mac

  18. Go to where you saved the cert created following the steps above.
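The same self-signed code-signing certificate can be created and exercised from the command line with openssl. This is an added example, not part of the original article or of Apple's instructions; openssl stands in for Keychain Access and codesign so that the trust behaviour can be shown on any machine. It creates the self-signed root with a Code Signing EKU, writes the .cer (public certificate only, DER) and .p12 (certificate plus private key) files that the export steps above produce and shows they carry the same certificate (the format conversion the Overview mentions), then signs a small constructed script with a detached CMS signature and verifies it three ways: with the .cer as a trust anchor (succeeds), without it (rejected, which is what users who have not imported your certificate see), and after the script has been modified (rejected). The certificate name follows the article's naming convention; the passphrase and the script are constructed. Assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original article): openssl equivalent of the
# Keychain Access "Self Signed Root" + "Code Signing" certificate, its .cer/.p12
# exports, and a detached CMS signature to show what trust does and does not do.
# Names, passphrase and the sample script are constructed placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NAME="wilsonmar@gmail.com-M345-mac"   # the article's naming convention
KEY="$WORK/$NAME.key.pem"
CERT="$WORK/$NAME.pem"                # PEM certificate
CER="$WORK/$NAME.cer"                 # DER: what "Certificate (.cer)" exports; safe to hand out
P12="$WORK/$NAME.p12"                 # PKCS#12: cert + private key; never distributed
SCRIPT="$WORK/hello.sh"
SIG="$WORK/hello.sh.p7s"

# Self-signed root with a Code Signing EKU, 365-day validity like the GUI default.
make_selfsigned_codesign_cert() {
    cat > "$WORK/cert.cnf" <<EOF
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_codesign
[ dn ]
CN = $NAME
[ v3_codesign ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, digitalSignature, keyCertSign
extendedKeyUsage     = codeSigning
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
    openssl req -x509 -new -key "$KEY" -days 365 -config "$WORK/cert.cnf" -out "$CERT"
    openssl x509 -in "$CERT" -outform DER -out "$CER"
    openssl pkcs12 -export -inkey "$KEY" -in "$CERT" -out "$P12" -passout pass:backup-passphrase
}

# 0 only if the exported .cer carries the Code Signing EKU (unlike a TLS cert).
cert_is_codesigning() {
    openssl x509 -in "$CER" -inform DER -noout -text | grep -q "Code Signing"
}

# 0 only if the DER .cer and the PEM cert are the same certificate.
exports_match() {
    [ "$(openssl x509 -in "$CERT" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$CER" -inform DER -noout -fingerprint -sha256)" ]
}

# Constructed sample script and a detached CMS signature over it.
sign_file() {
    printf '#!/bin/sh\necho "hello from a signed script"\n' > "$SCRIPT"
    openssl cms -sign -binary -in "$SCRIPT" -signer "$CERT" -inkey "$KEY" \
        -outform DER -out "$SIG"
}

# verify_signature trusted   -> our .cer is an anchor (user imported it)
# verify_signature untrusted -> only the system's own anchors (user did not)
# -purpose any: openssl cms defaults to the S/MIME purpose, which a Code Signing
# EKU fails; real code-signing verifiers check the Code Signing EKU themselves.
verify_signature() {
    if [ "$1" = trusted ]; then set -- -CAfile "$CERT"; else set --; fi
    openssl cms -verify -binary -inform DER -in "$SIG" -content "$SCRIPT" "$@" \
        -purpose any -out /dev/null >/dev/null 2>&1
}

# 0 only if modifying the signed script makes verification fail.
tampered_fails() {
    cp "$SCRIPT" "$SCRIPT.orig"
    printf 'echo tampered\n' >> "$SCRIPT"
    if verify_signature trusted; then rc=1; else rc=0; fi
    mv "$SCRIPT.orig" "$SCRIPT"
    return $rc
}

make_selfsigned_codesign_cert
sign_file
if verify_signature trusted;   then echo "anchor imported: signature verifies"; else echo "unexpected failure" >&2; exit 1; fi
if verify_signature untrusted; then echo "unexpected success" >&2; exit 1; else echo "no anchor:       rejected (self-signed, not imported)"; fi
if tampered_fails;             then echo "modified file:   rejected"; fi
```

On a Mac with the certificate in your login keychain, the native equivalents are security find-identity -v -p codesigning to list usable identities, codesign -s "wilsonmar@gmail.com-M345-mac" hello.sh to sign, and codesign --verify --verbose hello.sh to check. The "no anchor" case is exactly what your users experience until they import the .cer file, which is why a public CA's certificate is worth its price for software distributed outside your own organization.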

