Apple Code Signing¶
apple-codesign Rust crate and its corresponding
tool implement code signing for Apple platforms.
We believe this crate provides the most comprehensive implementation of Apple code signing outside the canonical Apple tools. We have support for the following features:
Signing Mach-O binaries (the executable file format on Apple operating systems).
Signing, notarizing, and stapling directory bundles (e.g.
Signing, notarizing, and stapling XAR archives /
Signing, notarizing, and stapling disk images /
Notarizing zip files.
What this all means is that you can sign, notarize, and release Apple software from non-Apple operating systems (like Linux, Windows, and BSDs) without needing access to proprietary Apple software!
Other features include:
Built-in support for using smart cards (e.g. YubiKeys) for signing and key/certificate management.
A remote signing mode that enables you to delegate just the low-level cryptographic signature generation to a remote machine. This allows you to do things like have a CI job initiate signing but use a YubiKey on a remote machine to create cryptographic signatures. See Remote Code Signing for more.
Certificate Signing Request (CSR) support to enable arbitrary private keys (including those generated on smart card devices) to be easily exchanged for Apple-issued code signing certificates.
Support for dumping and diffing data structures related to Apple code signatures.
Awareness of Apple’s public PKI infrastructure, including CA certificates and custom X.509 extensions and OIDs used by Apple.
Documentation and code that are likely a treasure trove for others wanting to learn and experiment with Apple code signing.
Canonical project links:
Source code: https://github.com/indygreg/apple-platform-rs/tree/main/apple-codesign
Rust crate: https://crates.io/crates/apple-codesign
Bugs and feature requests: https://github.com/indygreg/apple-platform-rs/issues?q=is%3Aopen+is%3Aissue+label%3Aapple-codesign
While this project is developed inside a larger monorepository, it is designed to be used as a standalone project.
- Getting Started
- Managing Code Signing Certificates
- Smart Card Support
- Known Issues and Limitations
- How to Debug and Report Problems
- Remote Code Signing
- Remote Code Signing Protocol
- Remote Code Signing Design and Security Considerations
- A Primer on Gatekeeper
- Selectively Bypassing Gatekeeper with Custom Assessment Policies
- Developer Guide