Wednesday, February 7, 2024

Inside Code Signing: Certificates

TN3161 (via Quinn):

To condense this into plain English, this certificate says that “Apple certifies that this developer is associated with this public key, and the matching private key can be used to sign Mac code.” This is clearly a simplification—it doesn’t touch on the valid date range, serial number, or even how Apple identified the developer in the first place—but it’s a reasonable model to start out with.

Apple issues a variety of different code-signing certificate types. For a complete list, see Certificate types.


Certificates often form a chain of trust: the verifier uses the issuer information in a certificate to find the issuer’s certificate, then uses its issuer information to find the next certificate in the chain, and so on, until it hits an anchor, that is, a certificate it trusts as a matter of policy.


To sign code you need a certificate and the private key that matches the public key in that certificate. This combination is called a digital identity or, if it’s for signing code, a code-signing identity.


It’s easy to miss that your most critical code-signing asset, your private key, is tucked away in your login keychain. And if you do miss that, you might lose your private key, for example, when you migrate to a new Mac.
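The chain walk the technote describes is visible in the `Authority=` lines that `codesign -dvvv` prints for a signed binary, leaf first down to the root. The following is an added example, not code from TN3161 or this post; the sample `codesign` output and the anchor set are constructed for illustration, and on a real Mac the system's trust evaluation, not this script, decides what counts as an anchor.

```python
import re
from typing import Optional

# Anchor policy for this example (constructed): the walk stops once it reaches
# a name in this set, which the verifier trusts as a matter of policy.
TRUSTED_ANCHORS = {"Apple Root CA"}

# Constructed sample of `codesign -dvvv /Applications/Example.app` output.
# codesign prints one Authority= line per certificate, leaf first, root last.
SAMPLE_CODESIGN_OUTPUT = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

# Constructed sample of an ad-hoc signature: no certificate, hence no chain.
ADHOC_CODESIGN_OUTPUT = """\
Executable=/tmp/build/Example
Identifier=Example-1234
Signature=adhoc
TeamIdentifier=not set
"""

AUTHORITY_RE = re.compile(r"^Authority=(.+)$", re.MULTILINE)


def authority_chain(codesign_output: str) -> list[str]:
    """Return the certificate names in the chain, leaf first, as codesign reports them."""
    return [name.strip() for name in AUTHORITY_RE.findall(codesign_output)]


def check_chain(codesign_output: str, anchors=TRUSTED_ANCHORS) -> tuple[bool, Optional[str]]:
    """Walk from the leaf toward the root and stop at the first trusted anchor.

    Returns (True, anchor_name) when the chain reaches an anchor, and
    (False, None) when the chain is empty (ad-hoc) or never reaches one.
    """
    for name in authority_chain(codesign_output):
        if name in anchors:
            return True, name
    return False, None


if __name__ == "__main__":
    for label, out in (("signed", SAMPLE_CODESIGN_OUTPUT), ("ad-hoc", ADHOC_CODESIGN_OUTPUT)):
        ok, anchor = check_chain(out)
        print(f"{label}: chain={authority_chain(out)} trusted={ok} anchor={anchor}")
```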



What a delightfully informal style!

Quinn the Eskimo is the man!

Old Unix Geek

Speaking of Apple bullshit, have you seen this?
