Obtaining a Code Signing Certificate
In order to sign applications, you need to have a code signing certificate in your keychain. You can purchase one from one of the certificate authorities, such as Verisign, Thawte, or RSA, but they’re fairly expensive that way.
If you’re doing it just to modify applications for your own use (or you’re a freeware or shareware developer who doesn’t want the independent verification), you can generate your own certificate to use. This is done using the Keychain Access application, in the Utilities folder. Here’s how:
1. Open Keychain Access.
2. Go to the Keychain Access menu, and under Certificate Assistant, choose Create a Certificate.
3. Name your certificate. (I recommend using something other than your first and last names.)
4. For Type, choose Self Signed Root.
5. Make sure Let me override defaults is checked and click Continue.
6. Under Serial Number, use a random number. Just make sure there is no other certificate on your system with the same name and serial number.
7. Give yourself a sufficiently long validity period. For a little over 5 years, use 2000 days. For almost 11 years, choose 4000 days.
8. Under Certificate Type, choose Code Signing, and click Continue.
9. Enter your personal information on the next screen. Have fun with Organization and Organizational Unit. After all, this is for your own personal use. Don’t use “Apple.” I myself used something like “Orange Computer” for Organization and “Hacking Department” for Organizational Unit. Click Continue when all has been filled out.
10. For Key Pair Information, accept the defaults and click Continue.
11. For Key Usage Extension, accept the defaults and click Continue.
12. For Extended Key Usage Extension, accept the defaults and click Continue.
13. For Basic Constraints Extension, accept the defaults and click Continue.
14. For Subject Alternate Name Extension, accept the defaults and click Continue.
15. Use your “login” keychain to store the certificate and click Continue.
16. Now you have to set your certificate to be “trusted.”
17. Go to your keychain, and right click (control click) on the new certificate you made and choose Get Info.
18. Open the triangle next to Trust.
19. Go down to Code Signing, and choose Always Trust.
20. Close the box. The system will ask for your admin password. Enter it and click OK.
You’re done, and you have a certificate you can use for signing your own code, or re-signing someone else’s code that you’ve modified or tinkered with.
Re-Signing a Modified Apple Application
Before you re-sign an application that you’ve modified, make sure you’re done with the modifications, because otherwise you’ll have to sign it again. Once you’ve re-signed the application, it will look to the system like a different application than the one Apple provided. For this reason, make sure you do this on a copy of the Apple-supplied application. Besides, you’ve got to make sure that an update from Apple doesn’t screw up your modifications, or vice versa.
Re-signing the application is quite simple.
1. Open Terminal.
2. Type “codesign -f -s (name of certificate) /path/to/application”
(name of certificate) is the name you gave your certificate in the Obtaining a Code Signing Certificate section. Remember that you’ll have to escape any spaces or other nonstandard characters that appear. For example, if your certificate were called “Harry Potter's Certificate,” you would use “Harry\ Potter\'s\ Certificate.” As an alternative, you can use a portion (substring) of the certificate’s name as long as that portion does not appear anywhere else in your keychain. So you could type “Potter” instead of the full string with escaped characters.
If you don’t want to type the path out yourself, you can type “codesign -f -s (name of certificate) ” and then drag the application to be re-signed from the Finder into the Terminal window to enter its path.
When you’re done, you can use “codesign -dvvvv /path/to/application” to verify that the signature has changed.
NOTE: you may want to add the --deep option; this will also sign any plugins or other nested code inside the bundle.
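The two procedures above (checking that the new certificate is usable as a code-signing identity, then re-signing a copy of a modified application) can be scripted. The following Python is an added example and not code from the original page. It assumes the macOS security and codesign command-line tools; the identity listing embedded in it is a constructed sample of what “security find-identity -v -p codesigning” prints, with made-up hashes and names. Because the tools are invoked with an argument list rather than through a shell, the backslash escaping described above is unnecessary, and the ambiguity rule for substrings (codesign refuses a name fragment that matches more than one certificate) is checked before any signing happens.

```python
"""Resolve a code-signing identity and re-sign a copy of a modified .app.

Added example; assumes the macOS `security` and `codesign` tools.
"""
from __future__ import annotations

import platform
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample of `security find-identity -v -p codesigning` output.
# Hashes and certificate names are made up for this example.
SAMPLE_FIND_IDENTITY = """\
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Harry Potter's Certificate"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Potter Test Signing"
     2 valid identities found
"""

# One identity per line: "  N) <40-hex SHA-1> "<certificate name>""
IDENTITY_RE = re.compile(r'^\s*\d+\)\s+([0-9A-Fa-f]{40})\s+"(.+)"\s*$')


def parse_identities(listing: str) -> list[tuple[str, str]]:
    """Return (sha1_hash, name) pairs found in find-identity output."""
    return [(m.group(1), m.group(2))
            for line in listing.splitlines()
            if (m := IDENTITY_RE.match(line))]


def find_matches(listing: str, wanted: str) -> list[tuple[str, str]]:
    """All identities whose name contains `wanted` (full name or substring)."""
    return [(h, n) for h, n in parse_identities(listing) if wanted in n]


def resolve_identity(listing: str, wanted: str) -> str:
    """Return the SHA-1 hash of the single identity matching `wanted`.

    codesign also accepts a substring but errors on an ambiguous one; failing
    here gives a clearer message. The hash is returned because it is unique
    in the keychain and contains no characters that need quoting.
    """
    matches = find_matches(listing, wanted)
    if not matches:
        raise LookupError(f"no code-signing identity matches {wanted!r}")
    if len(matches) > 1:
        names = ", ".join(repr(n) for _, n in matches)
        raise LookupError(f"{wanted!r} is ambiguous: {names}")
    return matches[0][0]


def sign_command(identity: str, app: Path, deep: bool = True) -> list[str]:
    """argv for `codesign -f -s <identity> [--deep] <app>`; no shell quoting."""
    cmd = ["codesign", "-f", "-s", identity]
    if deep:
        cmd.append("--deep")  # also re-sign nested plugins and frameworks
    cmd.append(str(app))
    return cmd


def verify_commands(app: Path) -> list[list[str]]:
    """Commands that display the new signature and then check it strictly."""
    return [
        ["codesign", "-dvvvv", str(app)],
        ["codesign", "--verify", "--deep", "--strict", "--verbose=2", str(app)],
    ]


def resign_copy(src_app: Path, dst_app: Path, wanted: str) -> list[list[str]]:
    """Copy src_app to dst_app, re-sign the copy, verify it; return commands run.

    Works on the copy only, so the Apple-supplied original stays untouched.
    """
    if platform.system() != "Darwin":
        raise RuntimeError("codesign and security are only available on macOS")
    listing = subprocess.run(
        ["security", "find-identity", "-v", "-p", "codesigning"],
        check=True, capture_output=True, text=True).stdout
    identity = resolve_identity(listing, wanted)
    shutil.copytree(src_app, dst_app, symlinks=True)
    ran = [sign_command(identity, dst_app)] + verify_commands(dst_app)
    for cmd in ran:
        subprocess.run(cmd, check=True)
    return ran


if __name__ == "__main__":
    # Dry run against the constructed listing: show what would be executed.
    ident = resolve_identity(SAMPLE_FIND_IDENTITY, "Harry Potter's Certificate")
    for cmd in [sign_command(ident, Path("/tmp/Modified.app"))] + \
            verify_commands(Path("/tmp/Modified.app")):
        print(" ".join(cmd))
```

Run it as a script to see the exact command lines it would execute; call resign_copy(Path("/Applications/Foo.app"), Path("~/Foo copy.app").expanduser(), "Potter") on a Mac to perform the copy, signing and verification in one go. Note that in the constructed listing the substring "Potter" matches two certificates, so resolve_identity refuses it; the full name (or the hash) is needed.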