Signing Manager is a macOS app to enable Code Signing on remote systems without access to the private key. It works with built-in Apple tools such as Xcode, codesign, and productsign. Signing Service is a service to store and limit access to sensitive signing identities. It can be used as a cloud service or installed locally in your environment.
In this Quick Start Guide, you’ll go through the setup of Signing Service and Signing Manager; the images below use test identities, but you are free to use your own. After completing the four steps below, you’ll be able to start signing right away.
Step 1: Login with your credentials
- Click the login link in your purchase confirmation email. If you did not receive the confirmation email, please contact us at email@example.com
- Log in at https://signing-server.twocanoes.com and change your password.
Step 2: Download and Install Signing Manager
- Download the latest version of Signing Manager. A link is provided on the main page at https://signing-server.twocanoes.com.
- Install Signing Manager by double clicking on the .dmg and following the instructions. (To uninstall, use the uninstaller included in the installation package)
Step 3: Import your identities and add new users
- Click on the identities tab in the menu bar of the Signing Service page, then choose the files you’d like to import.
- After typing the password, click the Import button. Sample identities can be downloaded here: https://tcs-signing-manager.s3.us-west-2.amazonaws.com/TestP12.zip (Use password “abc123”)
- Visit the users tab in the menu bar to add new users
Step 4: Connect Signing Manager to Signing Service
- Go to Preferences in Signing Manager. You should see fields for Signing Service Domain and API Key.
- On the main page of Signing Service, find the Signing Service Domain and API Key at the bottom of the page. Copy and Paste each into their corresponding field in Signing Manager.
- Click OK, then click refresh on the menu bar. Within a few seconds, you should see the Identities you imported in Step 2.
You are now ready to sign with Signing Manager!
Using Signing Manager
Sign an Application:
- After completing Step 4, you should see the signing certificates available in the main interface of the Signing Manager app.
- Select a certificate to sign an application and right-click on the certificate.
- Select Copy “codesign” command and paste into Terminal.
- Provide the path to the app to sign. For example, if the app is called “TextEdit.app” and is in the /tmp folder:
codesign -fs "4F7F430FFC4F27B9B48BA31CF54A6E7E6D8B13B8" /tmp/TextEdit.app
(The string of characters may be different in your setup)
- Once the app has been signed, verify it using the codesign -dvvv command. For example:
codesign -dvvv /tmp/TextEdit.app
- You should see the signing authority match your signing certificate. For example:
Executable=/private/tmp/TextEdit.app/Contents/MacOS/TextEdit Identifier=com.apple.TextEdit Format=app bundle with Mach-O universal (x86_64 arm64e) CodeDirectory v=20400 size=1643 flags=0x0(none) hashes=45+3 location=embedded Hash type=sha256 size=32 CandidateCDHash sha256=803b3af7685656505d2c43962469ed8e988b250a CandidateCDHashFull sha256=803b3af7685656505d2c43962469ed8e988b250a63bc08d935f3e628eef1b06d Hash choices=sha256 CMSDigest=803b3af7685656505d2c43962469ed8e988b250a63bc08d935f3e628eef1b06d CMSDigestType=2 CDHash=803b3af7685656505d2c43962469ed8e988b250a Signature size=2745 Authority=Twocanoes Test Code Signing Authority=ca.twocanoes.com Signed Time=Apr 12, 2021 at 3:49:57 PM Info.plist entries=34 TeamIdentifier=not set Sealed Resources version=2 rules=13 files=476 Internal requirements count=1 size=96
Sign a Package:
- Select a certificate to sign a package and right-click on the certificate.
- Select Copy “productsign” command and paste into Terminal.
- Replace source.pkg and destination.pkg with the path to the source and destination.
For example, if the app is called “Test.pkg” and is in the /tmp folder:
productsign --sign "4A72196F535A51A98FF2480132F024222B65060C" /tmp/Test.pkg /tmp/Test-signed.pkg
- Once signed, double click on the signed package and click on the lock in the upper right corner of the window to verify it has been signed correctly.
Using with Xcode:
In order to use Signing Manager with Xcode, the certificate (but not the private key) must be imported to the local keychain. This allows Xcode to find the remote identity and use it for signing. The certificate does not need to be trusted and made available to Xcode. This is not required when using codesign directly.
Command line tool and more information:
All commands and setup are available via the command line.
For more information on command line and other features, please read the Signing Manager Administrator Guide.