codesign - macOS


Overview

codesign is a command-line utility used on macOS systems for creating, checking, and displaying code signatures, as well as for verifying the integrity of signed apps and bundles. Its primary purpose is to assure users that the software they download and run has not been altered or corrupted. This tool is indispensable in a development environment, particularly for developers distributing through the Apple App Store or using Developer ID signing for outside distribution.

Syntax

The basic syntax of the codesign command is as follows:

codesign [options] [path ...]
  • [options]: Flags and options that determine the operation mode.
  • [path ...]: One or more files or directories to process.

Options/Flags

  • -s identity: Sign the code with identity. This can be the name of a certificate in your keychain or its hash.
  • -v: Increase verbosity of output. This can be specified multiple times to increase the verbosity further.
  • -d: Display information about the code signature.
  • -V: Verify the code signature.
  • -f: Force the signing. Re-sign the target even if it is already signed.
  • -i identifier: Explicitly specify an identifier to override the automatically determined identifier in the code.
  • -r requirements: Apply the specified requirements to the signing process.
  • -o options: Specify signing options, such as how and where the code is expected to execute, which influence how the signature is enforced when the code runs.

Examples

  1. Signing an application

    codesign -s "My Developer ID" /path/to/MyApp.app

    This signs the application using the specified Developer ID certificate.

  2. Verifying a signature

    codesign -v /path/to/MyApp.app

    This verifies the signature of the specified application; a non-zero exit status means the signature is missing, invalid, or the code has been modified since signing.

  3. Displaying signature information

    codesign -d -v /path/to/MyApp.app

    This command displays detailed information about the application’s code signature.

  4. Resigning an application with a specific identifier

    codesign -f -s "My Developer ID" -i "com.example.myapp" /path/to/MyApp.app

    Force re-signs the app, replacing any existing signature, and assigns the identifier com.example.myapp.
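As an added example (not part of this reference), a Python script of the kind a release pipeline would use after examples 2 and 3: it runs codesign -d -v --verbose=4, parses the key=value report codesign writes to stderr, and checks the team identifier, certificate chain, and signature flags. The field names follow codesign's report format; the sample report, the bundle identifier com.example.myapp, and the team ID ABCDE12345 are constructed.

```python
import re
import subprocess

# Constructed sample of the report `codesign -d -v --verbose=4 MyApp.app` writes to stderr.
SAMPLE_OUTPUT = """\
Identifier=com.example.myapp
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Authority=Developer ID Application: Example Corp (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345
"""

def display_signature(path):
    """Run `codesign -d -v` (macOS only); the report goes to stderr, failures exit non-zero."""
    proc = subprocess.run(["codesign", "-d", "-v", "--verbose=4", path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"codesign -d failed: {proc.stderr.strip()}")
    return proc.stderr

def parse_signature_info(text):
    """Collect key=value fields; Authority repeats (leaf first), flags sit in the CodeDirectory line."""
    info = {"authority": [], "flags": set()}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authority"].append(value)
        elif line.startswith("CodeDirectory"):
            m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", line)
            if m:
                info["flags"] = {f for f in m.group(1).split(",") if f != "none"}
        else:
            info[key] = value
    return info

def check_signature(info, expected_team):
    """Return the findings a release gate would fail on; an empty list means the signature passes."""
    findings = []
    if info.get("TeamIdentifier") != expected_team:
        findings.append(f"TeamIdentifier {info.get('TeamIdentifier')!r} != {expected_team!r}")
    if not info["authority"] or info["authority"][-1] != "Apple Root CA":
        findings.append("certificate chain does not anchor at Apple Root CA")
    if "adhoc" in info["flags"]:
        findings.append("ad-hoc signature: no signing identity, so Gatekeeper will not trust it")
    if "runtime" not in info["flags"]:
        findings.append("hardened runtime flag missing (sign with -o runtime)")
    return findings
```

On a Mac, `check_signature(parse_signature_info(display_signature("/path/to/MyApp.app")), "ABCDE12345")` performs the whole check against a real bundle.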

Common Issues

  • Expired Certificate: If your signing certificate has expired, codesign will fail. Renew your certificate through the proper Apple channel.
  • Mismatching certificate name: Ensure that the name provided with the -s flag exactly matches the name of a certificate in your keychain.
  • Permissions error: codesign might report an error due to insufficient permissions. Make sure you have the proper rights to the files you are trying to sign.

Integration

codesign can be integrated with automation scripts and other macOS utilities. For example, it can be combined with xcodebuild to automate the build and sign steps in a continuous integration workflow:

    xcodebuild -project MyProject.xcodeproj -scheme "MyScheme" build | tee xcodebuild.log
    codesign -s "My Developer ID" /path/to/output/MyApp.app

Related tools:

  • spctl: This command is used to manage and assess security assessment policies on macOS.
  • security: A command line tool for managing keychains, keys, certificates, and the Security framework.

For more detailed information, visit the Apple Code Signing Guide.