Signing Manager is a macOS app to enable Code Signing on remote systems without access to the private key. It works with built-in Apple tools such as Xcode, codesign, and productsign. Signing Service is a service to store and limit access to sensitive signing identities. It can be used as a cloud service or installed locally in your environment. 

In this Quick Start Guide, you’ll go through the setup of Signing Service and Signing Manager; the images below use test identities, but you are free to use your own. After completing the four steps below, you’ll be able to start signing right away. 


Setup

Step 1: Log in with your credentials

Step 2: Download and Install Signing Manager

  • Download the latest version of Signing Manager. A link is provided on the main page at https://signing-server.twocanoes.com.
  • Install Signing Manager by double clicking on the .dmg and following the instructions. (To uninstall, simply drag the application to Trash)

Step 3: Import your identities and add new users

  • Click on the identities tab in the menu bar of the Signing Service page, then choose the files you’d like to import. 
  • After typing the password, click the Import button. Sample identities can be downloaded here: https://tcs-signing-manager.s3.us-west-2.amazonaws.com/TestP12.zip (Use password “abc123”)
  • Visit the users tab in the menu bar to add new users

Step 4: Connect Signing Manager to Signing Service

  • Go to Preferences in Signing Manager. You should see fields for Signing Service Domain and API Key.
  • On the main page of Signing Service, find the Signing Service Domain and API Key at the bottom of the page. Copy and Paste each into their corresponding field in Signing Manager.
  • Click OK, then click refresh on the menu bar. Within a few seconds, you should see the Identities you imported in Step 3.

You are now ready to sign with Signing Manager!


Using Signing Manager

Sign an Application:

  • After completing Step 4, you should see the signing certificates available in the main interface of the Signing Manager app. 
  • Select a certificate to sign an application and right-click on the certificate. 
  • Select Copy “codesign” command and paste into Terminal.
  • Provide the path to the app to sign. For example, if the app is called “TextEdit.app” and is in the /tmp folder:
codesign -fs "4F7F430FFC4F27B9B48BA31CF54A6E7E6D8B13B8" /tmp/TextEdit.app

(The string of characters may be different in your setup)

  • Once the app has been signed, verify it using the codesign -dvvv command. For example:
codesign -dvvv /tmp/TextEdit.app
  • You should see the signing authority match your signing certificate. For example:
Executable=/private/tmp/TextEdit.app/Contents/MacOS/TextEdit
Identifier=com.apple.TextEdit
Format=app bundle with Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=1643 flags=0x0(none) hashes=45+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=803b3af7685656505d2c43962469ed8e988b250a
CandidateCDHashFull sha256=803b3af7685656505d2c43962469ed8e988b250a63bc08d935f3e628eef1b06d
Hash choices=sha256
CMSDigest=803b3af7685656505d2c43962469ed8e988b250a63bc08d935f3e628eef1b06d
CMSDigestType=2
CDHash=803b3af7685656505d2c43962469ed8e988b250a
Signature size=2745
Authority=Twocanoes Test Code Signing
Authority=ca.twocanoes.com
Signed Time=Apr 12, 2021 at 3:49:57 PM
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=476
Internal requirements count=1 size=96
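The check described above (signing authority matches the certificate you chose) can be scripted. This is an added example, not part of the Signing Manager guide: check_authority works on the text of codesign -dvvv and can be run anywhere against the sample output embedded below; sign_and_check wires it to the real tools on macOS, with the identity hash and app path as placeholders you supply.

```shell
#!/bin/sh
# Added example, not Signing Manager's own code: after signing with the
# codesign command copied from Signing Manager, confirm that the leaf
# authority on the bundle is the identity you intended to use.

# Sample `codesign -dvvv` output, constructed from the guide's example.
SAMPLE_OUTPUT='Executable=/private/tmp/TextEdit.app/Contents/MacOS/TextEdit
Identifier=com.apple.TextEdit
CodeDirectory v=20400 size=1643 flags=0x0(none) hashes=45+3 location=embedded
Authority=Twocanoes Test Code Signing
Authority=ca.twocanoes.com
Signed Time=Apr 12, 2021 at 3:49:57 PM
TeamIdentifier=not set'

# check_authority OUTPUT EXPECTED_LEAF
# Returns 0 when the first Authority= line (the leaf, i.e. the signing
# certificate) equals EXPECTED_LEAF, 1 otherwise. Only the leaf is compared:
# a matching intermediate or root CA alone does not show that the right
# identity was used, since every identity under that CA shares it.
check_authority() {
    leaf=$(printf '%s\n' "$1" | sed -n 's/^Authority=//p' | head -n 1)
    [ -n "$leaf" ] && [ "$leaf" = "$2" ]
}

# sign_and_check APP_PATH IDENTITY_HASH EXPECTED_LEAF   (macOS only)
# IDENTITY_HASH is the string Signing Manager put in the copied command.
# Signs, lets codesign verify the seal and resources, then checks the leaf.
# Note: codesign -d writes its listing to stderr, hence the 2>&1.
sign_and_check() {
    app=$1; identity=$2; expected=$3
    codesign -fs "$identity" "$app" || return 1
    codesign --verify --deep --strict "$app" || return 1
    out=$(codesign -dvvv "$app" 2>&1)
    check_authority "$out" "$expected"
}
```

On macOS, call sign_and_check /tmp/TextEdit.app "<identity hash from Signing Manager>" "Twocanoes Test Code Signing" and treat a non-zero exit as a failed signing step.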

Sign a Package:

  • Select a certificate to sign a package and right-click on the certificate. 
  • Select Copy “productsign” command and paste into Terminal.
  • Replace source.pkg and destination.pkg with the path to the source and destination.

For example, if the app is called “Test.pkg” and is in the /tmp folder:

productsign --sign "4A72196F535A51A98FF2480132F024222B65060C" /tmp/Test.pkg /tmp/Test-signed.pkg

  • Once signed, double click on the signed package and click on the lock in the upper right corner of the window to verify it has been signed correctly.

Using with Xcode:

In order to use Signing Manager with Xcode, the certificate of the identity (and not its private key) must be imported into the local keychain. This allows Xcode to find the remote identity and use it for signing. The certificate does not need to be trusted in order to be made available to Xcode. Importing the certificate is not required when using codesign directly.

Command line tool and more information:

All commands and setup are available via the command line. For more details and information, please see the Signing Manager and Signing Service guide.