File: OS_X_code_signing.adoc

Package: yubico-piv-tool 1.4.2-2+deb9u2 (Debian stretch, area main)
Request, load and use OS X code signing certificates
---------------------------------------------------

This is a short step-by-step guide on how to generate a key on a YubiKey,
create a certificate request, submit that request to Apple, load the
resulting certificate into the YubiKey and use it for code signing.

Prerequisites
-------------

* a YubiKey with the PIV application loaded
* the yubico-piv-tool software
* the OpenSC software
* membership in the Apple Developer Program

Steps
-----

1. Generate a key in slot 9a:

   $ yubico-piv-tool -s 9a -a generate -o public.pem

2. Create a certificate request for app distribution:

   $ yubico-piv-tool -a verify-pin -P 123456 -s 9a -a request-certificate \
       -S "/CN=Application/" -i public.pem -o application.csr

3. Generate a key in slot 9c:

   $ yubico-piv-tool -s 9c -a generate -o public.pem

4. Create a certificate request for installer distribution:

   $ yubico-piv-tool -a verify-pin -P 123456 -s 9c -a request-certificate \
       -S "/CN=Installer/" -i public.pem -o installer.csr

5. Go to the Apple Developer Program page and submit the two requests.

6. When the certificates are ready and approved, download them.

7. Load the certificates:

   $ yubico-piv-tool -a import-certificate -s 9a -K DER -i mac_app.cer
   $ yubico-piv-tool -a import-certificate -s 9c -K DER -i mac_installer.cer
+
NOTE: `-K DER` is available from version 0.1.3; with earlier versions, convert the certificate to PEM first and import that.

8. Set a new CHUID (card holder unique identifier) in the PIV application so that no stale data remains cached for the key:

   $ yubico-piv-tool -a set-chuid

9. Re-plug the YubiKey and make sure the certificates show up under the keychain
"PIV_II" in Keychain Access.

10. Use the certificates as usual with codesign, pkgbuild, productbuild and productsign.
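Before step 7 it is worth checking that each certificate Apple returned really carries the public key of the slot it is about to be imported into: step 3 overwrites `public.pem` from step 1, so the CSR is the durable record of each slot's key, and importing the application certificate into slot 9c (or the installer certificate into 9a) only surfaces later as a signing failure. The script below is an added example and not part of the yubico-piv-tool sources or its documentation. It assumes the `openssl` command-line tool is installed, that the CSR is PEM (as `request-certificate` writes it) and that the certificate format is passed explicitly (DER, as in step 7); the `demo` function builds throwaway keys and certificates locally so the check can be exercised without a YubiKey.

```shell
#!/bin/sh
# Added example (not part of yubico-piv-tool): verify that a certificate
# matches the CSR that was generated from a YubiKey slot, by comparing the
# SHA-256 fingerprint of the DER-encoded SubjectPublicKeyInfo in both files.
# Assumes the openssl CLI is available.

# spki_fingerprint FILE KIND [FORMAT]
#   KIND is "csr" or "cert"; FORMAT is PEM or DER (only used for certs).
#   Prints the hex SHA-256 of the public key, or nothing if parsing fails.
spki_fingerprint() {
    file="$1"; kind="$2"; fmt="${3:-PEM}"
    ( if [ "$kind" = "csr" ]; then
          openssl req -in "$file" -noout -pubkey 2>/dev/null
      else
          openssl x509 -in "$file" -inform "$fmt" -noout -pubkey 2>/dev/null
      fi ) | openssl pkey -pubin -outform DER 2>/dev/null \
           | openssl dgst -sha256 -r | cut -d' ' -f1
}

# cert_matches_csr CSR_FILE CERT_FILE [CERT_FORMAT]
#   Returns 0 when both files carry the same public key, 1 otherwise.
#   An unreadable file yields an empty fingerprint and therefore a mismatch.
cert_matches_csr() {
    a=$(spki_fingerprint "$1" csr)
    b=$(spki_fingerprint "$2" cert "${3:-DER}")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone demo with locally constructed keys: one CSR/certificate pair
# that agrees, and a certificate issued for a different key.
demo() {
    tmp=$(mktemp -d) || return 1
    for n in app inst; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$tmp/$n.key" 2>/dev/null
        openssl req -new -key "$tmp/$n.key" -subj "/CN=$n" -out "$tmp/$n.csr" 2>/dev/null
        openssl x509 -req -in "$tmp/$n.csr" -signkey "$tmp/$n.key" -days 1 \
            -outform DER -out "$tmp/$n.cer" 2>/dev/null
    done
    if cert_matches_csr "$tmp/app.csr" "$tmp/app.cer" DER; then
        echo "app.cer matches app.csr: safe to import into slot 9a"
    fi
    if ! cert_matches_csr "$tmp/app.csr" "$tmp/inst.cer" DER; then
        echo "inst.cer does NOT match app.csr: do not import into slot 9a"
    fi
    rm -rf "$tmp"
}
demo
```

With real files the call is simply `cert_matches_csr application.csr mac_app.cer DER` before importing into 9a, and likewise for `installer.csr` and `mac_installer.cer` with 9c. Two further points for production use: `123456` in steps 2 and 4 is the factory-default PIV PIN and should be changed before the key is trusted for signing, and leaving `-P` off the command line makes yubico-piv-tool prompt for the PIN instead of recording it in shell history.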