Request, load and use Mac code signing certificates

This is a short step-by-step on how to generate a key on a YubiKey, create a certificate request, submit that request to Apple, load the certificate in the YubiKey and use it for code signing.

Prerequisites

  • a YubiKey with the PIV application loaded

  • the yubico-piv-tool software

  • the OpenSC software

  • membership in the Apple developer program

Steps

  1. Generate a key in slot 9a:

    yubico-piv-tool -s 9a -a generate -o public.pem
    
  2. Create a certificate request for app distribution:

    yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
          -S "/CN=Application/" -i public.pem -o application.csr
    
  3. Generate a key in slot 9c:

    yubico-piv-tool -s 9c -a generate -o public.pem
    
  4. Create a certificate request for installer distribution:

    yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
          -S "/CN=Installer/" -i public.pem -o installer.csr
    
  5. Go to the Apple developer program page and submit the requests.

  6. When the certificates are ready and approved, download them.

  7. Load the certificates:

    yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
    yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
    
    Note
    -K DER is available from version 0.1.3, with earlier convert to PEM and import.
  8. Set a new chuid in the application to make sure nothing is cached for the key:

    yubico-piv-tool -a set-chuid
    
  9. Re-plug the YubiKey and make sure the certificates show up under the keychain "PIV_II" in Keychain Access.

  10. Use the certificates as usual with codesign/pkgbuild/productbuild/productsign