This is a short step-by-step on how to generate a key on a YubiKey, create a certificate request, submit that request to Apple, load the certificate in the YubiKey and use it for code signing.
a YubiKey with the PIV application loaded
the yubico-piv-tool software
the OpenSC software
membership in the Apple developer program
Generate or import a key in slot 9a:
Import a key:
yubico-piv-tool -s 9a -a import-key -i key.pem
Generate a key:
yubico-piv-tool -s 9a -a generate -o public.pem
Create a certificate request for app distribution:
yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
-S "/CN=Application/" -i public.pem -o application.csr
Generate or import a key in slot 9c:
Import a key:
yubico-piv-tool -s 9c -a import-key -i key.pem
Generate a key:
yubico-piv-tool -s 9c -a generate -o public.pem
Create a certificate request for installer distribution:
yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
-S "/CN=Installer/" -i public.pem -o installer.csr
Go to the Apple developer program page and submit the requests.
When the certificates are ready and approved, download them.
Load the certificates:
yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
|
Note
|
-K DER is available from version 0.1.3, with earlier convert to PEM and import. |
Set a new chuid in the application to make sure nothing is cached for the key:
yubico-piv-tool -a set-chuid
Re-plug the YubiKey and make sure the certificates show up under the keychain "PIV_II" in Keychain Access.
Use the certificates as usual with codesign/pkgbuild/productbuild/productsign