Customizing Signing Manager for a Web API
Overview
Signing Manager uses a script located in ~/Library/Application Scripts/com.twocanoes.signing-manager.tcstoken to discover and sign binaries. The binary is named “token” and requires the following options:
Operations
-s: Perform signing operation. Requires -i, -a, -f and optionally -t. Returns a base64-encoded string of binary signature.
-x: List certificates. Should return a JSON array of dictionaries that contain the certificates for signing operations. Requires
Options
-i <URL>: The URL the script should use when calling an endpoint.
-f <fingerprint>: A hex string of the SHA1 hash of the certificate to use when signing.
-t: Use self signing. If this option is specified, the script should allow a web API request that uses an untrusted certificate.
-a <hash>: A base-64 encoded hash of the signature to be signed. Must be in PKCS#1 1.5 format.
API Key
The API key is passed on STDIN.
Example Operations
Listing Certificates
printf "demo-key-d5103381-7822-4f7d-a816-cf03b56f6e8f" |~/Library/Application\ Scripts/com.twocanoes.signing-manager.tcstoken/token -x -i https://ubuntu.local:3000 -t
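An added example, not part of the original page or of Signing Manager: one way to derive the -f value for each entry returned by -x. It assumes each entry carries a cn and a PEM certificate field and that the fingerprint is the usual SHA-1 over the certificate's DER encoding; the function names are hypothetical and the sample input is constructed, with placeholder bytes instead of real certificates.

```python
import base64
import hashlib
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(list_output: str) -> dict:
    """Map each certificate's cn to the SHA-1 hex digest of its DER bytes."""
    result = {}
    for entry in json.loads(list_output):
        # search() skips any text that precedes the BEGIN marker in the field.
        match = PEM_RE.search(entry["certificate"])
        if match is None:
            raise ValueError(f"no PEM block for {entry['cn']!r}")
        # PEM bodies are line-wrapped base64; drop the whitespace, then decode.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        result[entry["cn"]] = hashlib.sha1(der).hexdigest()
    return result


def pem(der: bytes) -> str:
    """Wrap bytes in PEM certificate armor (helper for the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes, not real certificates.
DER_A = b"placeholder DER bytes A"
DER_B = b"placeholder DER bytes B"
SAMPLE = json.dumps([
    {"cn": "Example A", "certificate": pem(DER_A)},
    # Second entry has text ahead of the BEGIN marker.
    {"cn": "Example B", "certificate": "Example B" + pem(DER_B)},
])

if __name__ == "__main__":
    for cn, fp in fingerprints(SAMPLE).items():
        print(fp, cn)
```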
Sign
printf "demo-key-d5103381-7822-4f7d-a816-cf03b56f6e8f" |~/Library/Application\ Scripts/com.twocanoes.signing-manager.tcstoken/token -s -f 7baca7c5e122e715882935b3b9b4f5243af2ada4 -a 'AAH/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////ADAxMA0GCWCGSAFlAwQCAQUABCAfKAOd0R08XYVgkXRHWEU9LRC/BB/yrPJIxixQ+ThD6A==' -i https://ubuntu.local:3000 -t {"signature":"XA9/F6ftZm6IfAC5xoE4S7qxPLIxVpFNf30Mut2DjKCp3kak4MfS4zGYrg0jYHxjispAZ9Evj2J3wACURatfI2YBEKXPOE/zzy6oGqFxf2H2PBIG22PGPWEK3flE5
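An added example, not code from the original page or from Signing Manager: a check that a custom token script, or the API behind it, can apply to the -a value before the private key is used, together with an encoder that builds such a value. It assumes a SHA-256 digest and a 2048-bit RSA key (a 256-byte block); the function names are hypothetical.

```python
import base64
import hashlib

# ASN.1 DigestInfo prefix for SHA-256 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def encode_a(data: bytes, key_bytes: int = 256) -> str:
    """Build a base64 -a value: 00 01 FF..FF 00 || DigestInfo || SHA-256(data)."""
    t = SHA256_PREFIX + hashlib.sha256(data).digest()
    pad_len = key_bytes - len(t) - 3
    if pad_len < 8:
        raise ValueError("key too small for a SHA-256 DigestInfo")
    block = b"\x00\x01" + b"\xff" * pad_len + b"\x00" + t
    return base64.b64encode(block).decode()


def check_a(value: str, key_bytes: int = 256) -> bytes:
    """Validate a -a value and return the 32-byte digest it carries.

    Anything that is not a full-length SHA-256 PKCS#1 v1.5 block is rejected,
    so the private key is never applied to caller-chosen raw data.
    """
    try:
        block = base64.b64decode(value, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid base64") from exc
    if len(block) != key_bytes:
        raise ValueError("block length does not match key size")
    if block[:2] != b"\x00\x01":
        raise ValueError("missing 00 01 header")
    sep = block.find(b"\x00", 2)          # first 00 after the header
    padding = block[2:sep]
    if sep < 0 or len(padding) < 8 or padding.strip(b"\xff"):
        raise ValueError("padding must be at least eight FF bytes")
    t = block[sep + 1:]
    if len(t) != len(SHA256_PREFIX) + 32 or not t.startswith(SHA256_PREFIX):
        raise ValueError("unexpected DigestInfo")
    return t[len(SHA256_PREFIX):]


if __name__ == "__main__":
    value = encode_a(b"constructed sample input")
    print(value[:8], "...", check_a(value).hex())
```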