@jpmens
Last active April 21, 2023 17:14
Code signing on OS/X to disable pesky "do you want to allow incoming connections" after every damn make

I called my certificate OTrecorderSign

Sign

$ vi *.c
$ make
$ codesign -f -s OTrecorderSign myprog
You are now asked "wants to sign using OTrecorderSign ... your keychain"
=> ALWAYS allow
$ /usr/libexec/ApplicationFirewall/socketfilterfw --add /Users/jpm/myprog
The application is already a part of the firewall	# this is OK
$ /usr/libexec/ApplicationFirewall/socketfilterfw --unblock /Users/jpm/myprog
$ myprog	# asked to allow incoming connections; say Allow
$ vi *.c
$ make
$ codesign -f -s OTrecorderSign myprog
$ myprog		# NO LONGER asked to allow incoming connections

Create signing identity

From here

  1. Open Keychain Access.
  2. Go to the Keychain Access menu, and under Certificate Assistant, choose Create a Certificate
  3. Name your Certificate. (I recommend using something other than your first and last names)
  4. For Type, choose Self Signed Root.
  5. Make sure Let me override defaults is checked and click Continue.
  6. Under Serial Number, use a random number. Just make sure there is no other certificate on your system with the same name and serial number
  7. Give yourself a sufficiently long validity period. For a little over 5 years, use 2000 days. For almost 11 years, choose 4000 days.
  8. Under Certificate Type, choose Code Signing, and click Continue.
  9. Enter your personal information on the next screen. Have fun with Organization and Organizational Unit. After all, this is for your own personal use. Don't use "Apple." I myself used something like "Orange Computer" for Organization and "Hacking Department" for Organizational Unit. Click Continue when all has been filled out.
  10. For Key Pair Information, accept the defaults and click Continue.
  11. For Key Usage Extension, accept the defaults and click Continue.
  12. For Extended Key Usage Extension, accept the defaults and click Continue.
  13. For Basic Constraints Extension, accept the defaults and click Continue.
  14. For Subject Alternate Name Extension, accept the defaults and click Continue.
  15. Use your "login" keychain to store the certificate and click Continue.
  16. Now you have to set your certificate to be "trusted."
  17. Go to your keychain, and right click (control click) on the new certificate you made and choose Get Info.
  18. Open the triangle next to Trust.
  19. Go down to Code Signing, and choose Always Trust.
  20. Close the box. The system will ask for your admin password. Enter it and click OK.

You're done, and you have a certificate you can use for signing your own code, or re-signing someone else's code that you've modified or tinkered with.
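The Sign session above and the identity created in the twenty steps are easy to get wrong in the same two ways: signing with an identity name that does not exist in the login keychain, and registering a binary with the firewall before its signature is actually valid. The following script is an added example (not part of the gist) that wraps the same codesign(1) and socketfilterfw invocations, checks the identity with `security find-identity -v -p codesigning` first, and verifies the signature with `codesign --verify` before touching the firewall. It assumes the identity is named OTrecorderSign as in the gist; `DRY_RUN=1`, `run`, `check_identity`, `firewall_allow` and `sign_and_verify` are names chosen for this example.

```shell
#!/bin/sh
# Added example: re-sign a freshly built binary with a self-signed identity
# and register it with the OS X application firewall, so the "allow incoming
# connections" prompt is not repeated after every `make`.
# Assumes macOS tools codesign(1), security(1) and socketfilterfw exist and
# that the identity (default OTrecorderSign, as in the gist) is in the login
# keychain. Set DRY_RUN=1 to print the commands instead of executing them.

SFW=/usr/libexec/ApplicationFirewall/socketfilterfw

# Execute a command, or just echo it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# Confirm the identity is present AND usable for code signing; a cert created
# with the wrong Certificate Type (see the comment thread) does not show up here.
check_identity() {
    identity=$1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '+ security find-identity -v -p codesigning | grep "%s"\n' "$identity"
        return 0
    fi
    security find-identity -v -p codesigning | grep -F "\"$identity\"" >/dev/null
}

# Register PROG with the firewall. "The application is already a part of the
# firewall" from --add is expected on re-runs, so its status is ignored;
# --unblock is the call that must succeed.
firewall_allow() {
    prog=$1
    run "$SFW" --add "$prog" || true
    run "$SFW" --unblock "$prog"
}

# Sign PROG with IDENTITY, verify the signature, then allow it through the
# firewall. Returns non-zero if PROG is not an executable, the identity is
# missing, or the signature does not verify.
sign_and_verify() {
    prog=$1
    identity=${2:-OTrecorderSign}
    [ -x "$prog" ] || { echo "not an executable: $prog" >&2; return 1; }
    check_identity "$identity" || { echo "no code-signing identity named $identity" >&2; return 1; }
    run codesign -f -s "$identity" "$prog" || return 1
    # Verify before touching the firewall: the firewall exemption is keyed to
    # the signature, so an unsigned or broken binary gains nothing from --unblock.
    run codesign --verify --verbose "$prog" || return 1
    firewall_allow "$prog"
}

# Usage: DRY_RUN=1 ./resign.sh ./myprog [identity]
if [ $# -ge 1 ]; then
    sign_and_verify "$@"
fi
```

Run it as `./resign.sh ./myprog` after each `make` in place of the manual `codesign` line; the first run still produces the one-time keychain and firewall prompts described in the gist, later runs do not. `codesign -dvv ./myprog` prints the Authority line if you want to confirm which identity a binary was signed with.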

@Habbie

Habbie commented Jul 31, 2016

Certificate Type (step 8) is on screen 1 (the one you exit at step 5) for me on 10.10. However, if I leave Type at S/MIME (email) and enable Code Signing in step 12 I get a cert - that can sign but does not actually provide the promised benefits!

@Habbie

Habbie commented Jul 31, 2016

It turns out I cannot get this to work on 10.10 for some reason :( I must have broken something, the process now fails at step 6 or 14 with 'The specified item could not be found.'
