Getting Started


Pre-built binaries are published as GitHub Releases. Go to and look for the latest release of Apple Codesign.

To install the latest release version of the rcodesign executable using Cargo (Rust’s package manager):

cargo install apple-codesign

To enable smart card integration (i.e. use a YubiKey for signing):

cargo install --features smartcard apple-codesign

To compile and run from a Git checkout of its canonical repository (developer mode):

cargo run --bin rcodesign -- --help

To install from a Git checkout of its canonical repository:

cargo install --bin rcodesign

To install from the latest commit in the canonical Git repository:

cargo install --git --branch main rcodesign

Obtaining a Code Signing Certificate

Follow the instructions at Managing Code Signing Certificates to obtain a code signing certificate. This is required if signing software for distribution to other machines.

If you just want to play around, you can use rcodesign generate-self-signed-certificate to create a self-signed certificate.

Obtaining an App Store Connect API Key

To notarize and staple, you’ll need an App Store Connect API Key to authenticate connections to Apple’s servers.

You can generate one at

This requires joining the Apple Developer Program, which has an annual fee.

See for Apple’s official documentation on creating these API Keys.


For the Access Role, Developer should be sufficient.

Other roles may or may not work for notarization.

App Store Connect API Keys have 3 components:

  • An Issuer ID (likely a UUID).

  • A Key ID (an alphanumeric string like DEADBEEF42).

  • A PEM encoded ECDSA private key (a file beginning with -----BEGIN PRIVATE KEY----- that you can download at most once when you create an API Key).

All 3 of these components are required to talk to the App Store Connect API server. To make management of these keys simpler, we provide the encode-app-store-connect-api-key command to write out a JSON document holding all the key info.


We highly recommend using our JSON keys created with encode-app-store-connect-api-key as it is simpler to manage a single entity instead of 3.

You can perform an encode of your key as follows:

rcodesign encode-app-store-connect-api-key -o ~/.appstoreconnect/key.json \
  <issuer-id> <key-id> /path/to/downloaded/private_key


rcodesign encode-app-store-connect-api-key -o ~/.appstoreconnect/key.json \
  11dda589-8632-49a8-a432-03b5e17fe1d2 DEADBEEF42 ~/Downloads/AuthKey_DEADBEAF42.p8

Next Steps

Once you have a code signing certificate and/or App Store Connect API Key, read Using rcodesign to learn how to sign and/or notarize software.