codesign - macOS
Overview
codesign is a command-line utility used on macOS systems for creating, checking, and displaying code signatures, as well as for verifying the integrity of signed apps and bundles. Its primary purpose is to assure users that the software they download and run has not been altered or corrupted. This tool is indispensable in a development environment, particularly for developers distributing through the Apple App Store or using Developer ID signing for outside distribution.
Syntax
The basic syntax of the codesign command is as follows:
codesign [options] [path ...]
- [options]: Flags and options that determine the operation mode.
- [path ...]: One or more files or directories to process.
Options/Flags
- -s identity: Sign the code with identity. This can be a name of a certificate or a hash.
- -v: Increase verbosity of output. This can be specified multiple times to increase the verbosity further.
- -d: Display information about the code signature.
- -V: Verify the code signature.
- -f: Force the signing. Re-sign the target even if it is already signed.
- -i identifier: Explicitly specify an identifier to override the automatically determined identifier in the code.
- -r requirements: Apply the specified requirements to the signing process.
- -o options: Specify options, such as where the code is expected to execute, which influences how the signing is verified.
Examples
- Signing an application
codesign -s "My Developer ID" /path/to/MyApp.app
This signs the application using the specified Developer ID certificate.
- Verifying a signature
codesign -v /path/to/MyApp.app
This verifies the signature of the specified application.
- Displaying signature information
codesign -d -v /path/to/MyApp.app
This command displays detailed information about the application's code signature.
- Re-signing an application with a specific identifier
codesign -f -s "My Developer ID" -i "com.example.myapp" /path/to/MyApp.app
This force-signs the app with a new identifier.
Common Issues
- Expired certificate: If your signing certificate has expired, codesign will fail. Renew your certificate through the proper Apple channel.
- Mismatching certificate name: Ensure that the name provided with the -s flag exactly matches the name of a certificate in your keychain.
- Permissions error: codesign might report an error due to insufficient permissions. Make sure you have the proper rights to the files you are trying to sign.
Integration
codesign can be integrated with automation scripts and other macOS utilities. For example, it can be combined with xcodebuild for automating the build and sign process in a continuous integration workflow.
xcodebuild -project MyProject.xcodeproj -scheme "MyScheme" build | tee xcodebuild.log
codesign -s "My Developer ID" /path/to/output/MyApp.app
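A post-signing gate for the CI workflow above, as an added example that is not part of the original page: it verifies the bundle, then checks that the signature carries the identifier and team the release expects. The identifier, the team ID ABCDE12345, the function names, and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): fail a CI job when the signed
# app does not carry the expected identifier and signing team.

# Constructed, abridged sample of `codesign -d -vv` output for offline runs.
SAMPLE_INFO='Executable=/path/to/MyApp.app/Contents/MacOS/MyApp
Identifier=com.example.myapp
Format=app bundle with Mach-O thin (arm64)
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# field NAME: print the value of the first "NAME=value" line read from stdin.
field() {
    awk -F= -v k="$1" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# check_info INFO EXPECTED_ID EXPECTED_TEAM
# Returns 0 only if identifier and team match and a certificate chain is shown.
check_info() {
    id=$(printf '%s\n' "$1" | field Identifier)
    team=$(printf '%s\n' "$1" | field TeamIdentifier)
    leaf=$(printf '%s\n' "$1" | field Authority)
    [ "$id" = "$2" ] || { echo "identifier mismatch: '$id'" >&2; return 1; }
    [ "$team" = "$3" ] || { echo "team mismatch: '$team'" >&2; return 1; }
    # Ad hoc signatures carry no certificate, so no Authority line appears.
    [ -n "$leaf" ] || { echo "no Authority line in signature" >&2; return 1; }
}

# gate_app APP EXPECTED_ID EXPECTED_TEAM: run on the macOS build host.
gate_app() {
    # Non-zero exit means the bundle is unsigned or modified since signing.
    codesign --verify --strict --deep "$1" || return 1
    # `codesign -d` writes its report to stderr; merge it to capture it.
    info=$(codesign -d -vv "$1" 2>&1) || return 1
    check_info "$info" "$2" "$3"
}

# Offline demonstration against the constructed sample.
check_info "$SAMPLE_INFO" com.example.myapp ABCDE12345 && echo "sample passes"
```

On the build host, call gate_app with the app path and the expected values right after the codesign step, and fail the job on a non-zero exit.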
Related Commands
- spctl: This command is used to manage and assess security assessment policies on macOS.
- security: A command line tool for managing keychains, keys, certificates, and the Security framework.
For more detailed information, visit the Apple Code Signing Guide.