How to create an Apple Installer Package Signing Certificate
-
How can we create a certificate with the following Extended Key Usage extension using OpenSSL? Extended Key Usage extension, critical, with a purpose containing Developer ID Installer Package Code Signing (1.2.840.113635.100.4.13) Apple's developer tool productsign requires the signing certificate to conform to the Installer Package Signing Certificate profile described in http://images.apple.com/certificateauthority/pdf/Developer_ID_CPS_v1.0.pdf (page 14 of 18). I would like to sign our product preview releases with our own certificates, rather than those issued by Apple.
-
Answer:
A copy-paste documentation for myself. For more information about the certificate extensions, have a look at Apple Developer ID http://images.apple.com/certificateauthority/pdf/Developer_ID_CPS_v1.0.pdf. Create apple.conf with the following content: [ req ] distinguished_name = req_name prompt = no [ req_name ] CN = my-test-installer [ extensions ] basicConstraints=critical,CA:false keyUsage=critical,digitalSignature extendedKeyUsage=critical,1.2.840.113635.100.4.13 1.2.840.113635.100.6.1.14=critical,DER:0500 Generate the key: openssl genrsa -out apple.key 2048 Create the self-signed certificate: openssl req -x509 -new -config apple.conf -nodes \ -key apple.key -extensions extensions -sha256 -out apple.crt Wrap the key and certificate into PKCS#12: openssl pkcs12 -export -inkey apple.key -in apple.crt -out apple.p12 Import it into keychain with open apple.p12. Select "Always trust". Use the certificate to sign installers: productbuild --sign "my-test-installer" ...
Graham Miln at Information Security Visit the source
Other answers
To add extensions in an issued certificate with OpenSSL, you must use a "configuration file" which contains the extension value. See http://www.openssl.org/docs/apps/x509v3_config.html for a description (there is a section about the Extended Key Usage extension). The configuration file is then used with the openssl ca command, with the -config and -extensions command-line flags (see http://www.openssl.org/docs/apps/ca.html).
Thomas Pornin
Related Q & A:
- How To Create Certificate For Mobile?Best solution by Stack Overflow
- How To Create Certificate To Your Mobile?Best solution by Stack Overflow
- How To Create Mobile Certificate And Key Quickly?Best solution by Stack Overflow
- how to Create a Java Package from MATLAB Code?Best solution by Stack Overflow
- How to set up Apple Mail for Yahoo?Best solution by Yahoo! Answers
Just Added Q & A:
- How many active mobile subscribers are there in China?Best solution by Quora
- How to find the right vacation?Best solution by bookit.com
- How To Make Your Own Primer?Best solution by thekrazycouponlady.com
- How do you get the domain & range?Best solution by ChaCha
- How do you open pop up blockers?Best solution by Yahoo! Answers
For every problem there is a solution! Proved by Solucija.
-
Got an issue and looking for advice?
-
Ask Solucija to search every corner of the Web for help.
-
Get workable solutions and helpful tips in a moment.
Just ask Solucija about an issue you face and immediately get a list of ready solutions, answers and tips from other Internet users. We always provide the most suitable and complete answer to your question at the top, along with a few good alternatives below.