Wilson Mar bio photo

Wilson Mar


Email me Calendar Skype call

LinkedIn Twitter Gitter Instagram Youtube

Github Stackoverflow Pinterest

Keep safe, my friend

US (English)   Norsk (Norwegian)   Español (Spanish)   Français (French)   Deutsch (German)   Italiano   Português   Estonian   اَلْعَرَبِيَّةُ (Egypt Arabic)   中文 (简体) Chinese (Simplified)   日本語 Japanese   한국어 Korean


This article describes the use of code-signing certificates on Macs.

For production use by the public, generate a code signing key on the website of a CA (trusted CA (Certificate Authority)) recognized in the operating system and application that uses your script/build.

You ship your script/program with the code-signing certificate generated for it.

The certificate is then imported onto the computer of those who which to use your script/program.

If your users need to reference a CA not already known to their internet browser, they also need to install a certificate to trust the CA in addition to the certificate the CA generated for you. This is the case for “self-signed” certificates and in organizations which have employees using a corporatew-owned CA.

Certificates generated for use on Macs may have a different format than those on Windows. But converters can be used.

Certificates are issued for a period of time, after which need to be renewed.

Generate a signing key on CA website

  1. Select a CA and its reseller.

    Public Trusted CAs

    This reseller offers $69.17/year for a certificate from Comodo, which sells certs direct via InstantSSL at $179/year.

    Alternately, Tucows offers certs at $75/year. VeriSign and GoDaddy (StarField) are two of the largest commercial root CAs. They charge $250 per year or more for certificates because they are the organizations behind Trusted root certificates in Apple’s OS X Trust Store and Microsoft.

    A code-signing certificate is different than “SSL/TLS” certificates used by web browsers.

    PROTIP: Even though a CA is not recognized by browsers, it doesn’t matter for code signing certificates created for PowerShell scripts, ActiveX controls, Java applets, dynamic link libraries, .cab files and .jar files.

    CAcert.org offers certificates, but are not recognized. So they are equivalent to self-signed certs.

    However, using them is less work than creating self-signed CAs and certs, described below.

    A CA in Poland, certum.pl, used to offer free certificates.

    CA StartSSL.com operates in Israel.

    Certificates cost money because issuers confirm the validity of organizations they sign. This includes verifying physical existence and business presence.

  2. Get a physical address for use on your domain, phone, utility, tax bill, bank, and drivers license.

  3. Get a telephone bill under that address.

    If you don’t want to use your cell phone, a http://www.magicjack.com/ account (at $40/year) will do.

  4. Get a domain name with email setup under the same address on your driver’s license and utility bill.

    Comodo does not allow use of free email accounts such as Gmail, Hotmail, etc.

  5. Use Google Chrome to register for a Comodo account using that email address.

    Comodo receives e-mail only from those with a support account.

  6. Confirm the email, then return to the website for Password Login.

  7. Get a bank checking account and printed check with the common physical address.

    You may have to wait to receive your printed checks.

  8. Scan into PDF files each proof of your identity.

    You will be asked for a copy of identity papers shortly after you apply, so don’t pay for a cert until you have all the files you will need to present.

    A property tax bill if you own your home.

    A copy of the applicant’s Articles of Incorporation. Information in the Articles should be verified by checking the relevant government corporation database wherever possible. If it is not possible to at least verify the existence of a registered entity of that name in the relevant jurisdiction, then the Articles must be supplemented with additional documentation. Acceptable additional documentation: Business License DUNS details (e.g. Dun & Bradstreet company number).

  9. Get a electric or phone utility bill under the address to be associated with the certificate.

  10. Download and print Tucow’s face-to-face verification form.

  11. Find and go to a Notary to confirm your ID and sign that verification form.

    Most banks have a notary and will notarize free for their customers.

  12. Pay for the certificate on the website.

    Some CAs require you first create a CSR (Certificate Signing Request) file.

  13. Upload PDF files to verify your identity.

  14. Wait for a phone call from the CA.

  15. Wait for the email with instructions to download the cert from their website.

    You must use the same computer and web browser used to request the certificate.

  16. Export the key from the browser

  17. Backup the key immediately to alternate media such as CD or DVD disk.

    PROTIP: USB plugs degrade over time quicker than CD or DVD disks.

  18. Put the media in a fire-safe locked box.

  19. Timestamp your signatures so the CA can “co-sign” your code such that even when your certificate has expired, Comodo continues to testify to your program’s legitimacy.

    See http://wiki.cacert.org/TimeStamping

If the above is too much of a hassle for you, self-sign your app.

Create CA root cert on Mac

Create self-signed cert on Mac

Based on https://support.apple.com/kb/PH20131?locale=en_US&viewlocale=en_US

  1. Click Apple’s search icon at the upper-right corner.

  2. Type “Keychain Access” for that GUI.

  3. Click “Keychain Access” and choose Certificate Assistant, then Create a Certificate.

  4. Enter a name for the certificate in the “Create Your Certificate” GUI.

    PROTIP: Include in the Name items separated by dashed: your email, machine name assigned by security, user name, such as “wilsonmar@gmail.com-M345-mac”.

  5. Highlight the name and copy it to your Clipboard.

  6. For Identity Type, leave it “Self Signed Root”.

  7. For Certificate Type, select “Code Signing”.

  8. Click Create and Continue for the pop-up.

    NOTE: 2048 bits is the default (the minimum now). The program can generate up to 4096 bits.

    See https://developer.apple.com/library/content/technotes/tn2326/_index.html

  9. Click Create a certificate that’s good for one year.

  10. Click Done.

    Export for running elsewhere

  11. Return to the “Keychain Access” GUI.

  12. Click to select the certificate you just created.

  13. Select menu File, Export Items.

  14. Paste in Save As field the certificate name (“wilsonmar@gmail.com-M345-mac”).

  15. Instead of “.p12” select “Certificate (.cer)”.

  16. Click Save.

  17. Quit Keychain Access.

    Sign a file on Mac

  18. Go to where you saved the cert created following the steps above.


  • https://www.sans.org/security-resources/glossary-of-terms/

  • Doug

  • http://www.wilsonmar.com/1certs.htm

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software)

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators
  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling
  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft
  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering