add some text about how to use for codesigning on OS X
This commit is contained in:
@@ -0,0 +1,53 @@
|
|||||||
|
Request, load and use OS X codesigning certificates
|
||||||
|
---------------------------------------------------
|
||||||
|
|
||||||
|
This is a short step-by-step on how to generate a key in the Neo,
|
||||||
|
create a certificate request, submit that request to apple, load the
|
||||||
|
certificate in the Neo and use it for codesigning.
|
||||||
|
|
||||||
|
Prerequisites
|
||||||
|
-------------
|
||||||
|
|
||||||
|
* a YubiKey Neo with the PIV applet loaded
|
||||||
|
* the yubico-piv-tool software
|
||||||
|
* the OpenSC software
|
||||||
|
* membership in the mac developer program
|
||||||
|
|
||||||
|
Steps
|
||||||
|
-----
|
||||||
|
|
||||||
|
1. Generate a key in slot 9a:
|
||||||
|
|
||||||
|
$ yubico-piv-tool -s 9a -a generate -o public.pem
|
||||||
|
|
||||||
|
2. Create a certificate request for app distribution:
|
||||||
|
|
||||||
|
$ yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
|
||||||
|
-S "/CN=Application/" -i public.pem -o application.csr
|
||||||
|
|
||||||
|
3. Generate a key in slot 9c:
|
||||||
|
|
||||||
|
$ yubico-piv-tool -s 9c -a generate -o public.pem
|
||||||
|
|
||||||
|
4. Create a certificate request for installer distribution:
|
||||||
|
|
||||||
|
$ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
|
||||||
|
-S "/CN=Installer/" -i public.pem -o installer.csr
|
||||||
|
|
||||||
|
5. Go to the Apple developer program page and submit the requests.
|
||||||
|
|
||||||
|
6. When the certificates are ready and approved, download them.
|
||||||
|
|
||||||
|
7. Load the certificates:
|
||||||
|
|
||||||
|
$ yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
|
||||||
|
$ yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
|
||||||
|
|
||||||
|
8. Set a new chuid in the applet to make sure nothing is cached for the key:
|
||||||
|
|
||||||
|
yubico-piv-tool -a set-chuid
|
||||||
|
|
||||||
|
9. Re-plug the Neo and make sure the certificates show up under the keychain
|
||||||
|
"PIV_II" in Keychain Access.
|
||||||
|
|
||||||
|
10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign
|
||||||
Reference in New Issue
Block a user