I am integrating code signing into our builds and have created a custom keychain which is held within the source code tree and used to sign the code (it's copied to ~/Library/Keychains before being used, so it's in a well-known location).
However when attempting to sign I get an error:
$ /usr/bin/codesign --sign='Mac Developer: John Doe (AA1AAA1AAA)' \
--keychain=~/Library/Keychains/xxx.keychain \
dist/64/gmake/release/bin/libmylib.dylib
Mac Developer: John Doe (AA1AAA1AAA): no identity found
However:
$ security find-identity -p codesigning ~/Library/Keychains/xxx.keychain
Policy: Code Signing
Matching identities
1) 49F2FBE79899DF18A9638AC6B1302E2EB6E079AD "Mac Developer: John Doe (AA1AAA1AAA)"
1 identities found
Valid identities only
1) 49F2FBE79899DF18A9638AC6B1302E2EB6E079AD "Mac Developer: John Doe (AA1AAA1AAA)"
So I don't understand why codesign is unable to find the identity.
Can anyone suggest a solution?
Note that I have also tried with the identity's SHA-1, with the same result.
You use the codesign command to interrogate an app or other signed entity about its signature. To verify the signature on a signed binary, use the -v option with no other options: codesign -v <code-path>
And the Signing Identity in the Code Signing Identity is something which consists of a public and private key pair that are specially created by Apple. In other words, the Code Signing Identity is referred to as the Common Name of the certificates which are installed in the Developer's machine Keychain.
Mac (and iOS) App Store certs have a "Revoke" button you can press, whereas Developer ID certs do not have a "Revoke" button. You have to email Apple Product Security to request that your Developer ID cert be revoked. You might do this if the private key for your cert becomes compromised.
Some of codesign's error messages are less than clear. The problem here is that codesign couldn't find the keychain, and that is caused by the use of --keychain=~/path. This is interpreted as a single argument and no tilde expansion is performed. If you modify your command to use separate arguments it should work as expected:
codesign --sign 'Mac Developer: John Doe (AA1AAA1AAA)' \
--keychain ~/Library/Keychains/xxx.keychain \
dist/64/gmake/release/bin/libmylib.dylib
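To make the point above concrete, here is an added example (not from the question or the answer) of a small POSIX sh pre-flight check a build script can run before calling codesign: it shows what the shell actually hands over for `--keychain=~/...` versus `--keychain ~/...`, and refuses to sign when the path still carries a literal tilde or does not exist. The helper names are assumptions for such a script.

```shell
#!/bin/sh
# Added example, not from the original question or answers: the helper names
# (args_have_literal_tilde, keychain_path_from_args, check_keychain_arg) are
# assumptions for a build script that wraps codesign.

# Return 0 if some argument still carries a literal '~' right after '=',
# i.e. the shell passed "--keychain=~/..." through without tilde expansion.
args_have_literal_tilde() {
    for arg in "$@"; do
        case "$arg" in
            *=~*) return 0 ;;
        esac
    done
    return 1
}

# Print the keychain path exactly as codesign would receive it: the text
# after "--keychain=" or the word following "--keychain". Return 1 if absent.
keychain_path_from_args() {
    while [ $# -gt 0 ]; do
        case "$1" in
            --keychain=*) printf '%s\n' "${1#--keychain=}"; return 0 ;;
            --keychain)   shift; printf '%s\n' "$1"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Run before invoking codesign: reject an unexpanded tilde and a path that
# does not point at an existing keychain file. Return 0 only when both pass.
check_keychain_arg() {
    path=$(keychain_path_from_args "$@") || { echo 'no --keychain given' >&2; return 2; }
    if args_have_literal_tilde "$@"; then
        echo "refusing: literal '~' in '$path'; pass --keychain ~/path or use \$HOME" >&2
        return 1
    fi
    [ -f "$path" ] || { echo "keychain not found: $path" >&2; return 1; }
}

# Demo: the same path spelled both ways, as the shell hands it to codesign.
# The fused form keeps the '~' (the failure in the question); the separate
# form arrives expanded to $HOME/Library/Keychains/xxx.keychain.
printf 'fused:    %s\n' "$(keychain_path_from_args --keychain=~/Library/Keychains/xxx.keychain)"
printf 'separate: %s\n' "$(keychain_path_from_args --keychain ~/Library/Keychains/xxx.keychain)"
```

Dropping `check_keychain_arg "$@" || exit 1` in front of the codesign call turns the opaque "no identity found" into a message that names the real cause.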