Signing with rcodesign sign

The rcodesign sign command is used to sign a filesystem path.

If you simply rcodesign sign <path>, it will attempt to create an ad-hoc signature (read: no code signing certificate), rewriting the file/directory in place. Arguments like --p12-file, pem-file, and --smartcard-slot can be used to sign with a code signing certificate/key.

Nested Signing By Default

One of the areas where rcodesign sign varies from Apple’s codesign is that we recursively sign entities by default. e.g. if you sign a bundle, we’ll recursively sign nested bundles/frameworks and Mach-O binaries inside that bundle unless told otherwise.

Unlike Apple’s codesign, rcodesign has a signing settings mechanism that allows you to scope settings to particular paths. This gives you low-level control over how every binary, bundle, and even individual Macho-O within a universal Macho-O binary are signed. Whereas codesign requires N invocations with N different settings configurations, rcodesign can perform the same operation in a single invocation.

Simple Examples

To sign a Mach-O executable:

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \
  --code-signature-flags runtime \

To sign an .app bundle (and all Mach-O binaries inside):

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \

To sign a DMG image:

rcodesign sign \
  --p12-file developer-id.p12 --p12-password-file ~/.certificate-password \

To sign a .pkg installer:

rcodesign sign \
 --p12-file developer-id-installer.p12 --p12-password-file ~/.certificate-password \