From 72f6e57595f6aa56330c22d8744e0d869896bf85 Mon Sep 17 00:00:00 2001 From: Klas Lindfors Date: Fri, 5 Dec 2014 11:17:08 +0100 Subject: [PATCH] add some text about how to use for codesigning on OS X --- doc/OS-X-Codesigning.txt | 53 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 doc/OS-X-Codesigning.txt diff --git a/doc/OS-X-Codesigning.txt b/doc/OS-X-Codesigning.txt new file mode 100644 index 0000000..b07dd66 --- /dev/null +++ b/doc/OS-X-Codesigning.txt 
@@ -0,0 +1,53 @@ +Request, load and use OS X codesigning certificates +--------------------------------------------------- + +This is a short step-by-step on how to generate a key in the Neo, +create a certificate request, submit that request to apple, load the +certificate in the Neo and use it for codesigning. + +Prerequisites +------------- + +* a YubiKey Neo with the PIV applet loaded +* the yubico-piv-tool software +* the OpenSC software +* membership in the mac developer program + +Steps +----- + +1. Generate a key in slot 9a: + + $ yubico-piv-tool -s 9a -a generate -o public.pem + +2. Create a certificate request for app distribution: + + $ yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \ + -S "/CN=Application/" -i public.pem -o application.csr + +3. Generate a key in slot 9c: + + $ yubico-piv-tool -s 9c -a generate -o public.pem + +4. Create a certificate request for installer distribution: + + $ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \ + -S "/CN=Installer/" -i public.pem -o installer.csr + +5. Go to the Apple developer program page and submit the requests. + +6. When the certificates are ready and approved, download them. + +7. Load the certificates: + + $ yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer + $ yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer + +8. Set a new chuid in the applet to make sure nothing is cached for the key: + + yubico-piv-tool -a set-chuid + +9. Re-plug the Neo and make sure the certificates show up under the keychain +"PIV_II" in Keychain Access. + +10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
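Review bot: steps 2 and 4 pass the PIN on the command line as `-P 123456`, which is the factory-default PIV PIN and also ends up in the shell history and the process list; since this is the PIN that will protect the signing keys, the text should say that 123456 is the default and that it should be changed (`yubico-piv-tool -a change-pin`) before the keys are generated, and preferably show the `verify-pin` step without `-P` so the tool prompts for the PIN instead. Two smaller points in the same hunk: step 8 is the only command without the `$ ` prompt prefix used by every other command (`yubico-piv-tool -a set-chuid` should read `$ yubico-piv-tool -a set-chuid`), and steps 1 and 3 both write to `public.pem`, so the 9c key overwrites the 9a public key; writing to `public-9a.pem` and `public-9c.pem` would avoid a reader running step 3 before step 2 and then submitting the wrong key in the application CSR.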