apple-codesign 0.29.0

Pure Rust interface to code signing on Apple platforms
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117

.. _apple_codesign_getting_started:

===============
Getting Started
===============

Installing
==========

Pre-built binaries are published as GitHub Releases. Go to
https://github.com/indygreg/apple-platform-rs/releases and look for the latest
release of ``Apple Codesign``.

To install the latest release version of the ``rcodesign`` executable using Cargo
(Rust's package manager):

.. code-block:: bash

    cargo install apple-codesign

To enable smart card integration (i.e. use a YubiKey for signing):

.. code-block:: bash

    cargo install --features smartcard apple-codesign

To compile and run from a Git checkout of its canonical repository (developer mode):

.. code-block:: bash

    cargo run --bin rcodesign -- --help

To install from a Git checkout of its canonical repository:

.. code-block:: bash

    cargo install --bin rcodesign

To install from the latest commit in the canonical Git repository:

.. code-block:: bash

    cargo install --git https://github.com/indygreg/apple-platform-rs --branch main rcodesign

Obtaining a Code Signing Certificate
====================================

Follow the instructions at :ref:`apple_codesign_certificate_management` to obtain
a code signing certificate. This is required if signing software for
distribution to other machines.

If you just want to play around, you can use
``rcodesign generate-self-signed-certificate`` to create a self-signed
certificate.

.. _apple_codesign_app_store_connect_api_key:

Obtaining an App Store Connect API Key
======================================

To notarize and staple, you'll need an App Store Connect API Key to
authenticate connections to Apple's servers.

You can generate one at https://appstoreconnect.apple.com/access/api.

This requires joining the Apple Developer Program, which has an annual
fee.

See
https://developer.apple.com/documentation/appstoreconnectapi/creating_api_keys_for_app_store_connect_api
for Apple's official documentation on creating these API Keys.

.. important::

   For the *Access Role*, ``Developer`` should be sufficient.

   Other roles may or may not work for notarization.

App Store Connect API Keys have 3 components:

* An *Issuer ID* (likely a UUID).
* A *Key ID* (an alphanumeric string like ``DEADBEEF42``).
* A PEM encoded ECDSA private key (a file beginning with
  ``-----BEGIN PRIVATE KEY-----`` that you can download at most
  once when you create an API Key).

All 3 of these components are required to talk to the App Store Connect
API server. To make management of these keys simpler, we provide the
``encode-app-store-connect-api-key`` command to write out a JSON document
holding all the key info.

.. important::

   We highly recommend using our JSON keys created with
   ``encode-app-store-connect-api-key`` as it is simpler to manage a single
   entity instead of 3.

You can perform an encode of your key as follows:

.. code-block:: bash

   rcodesign encode-app-store-connect-api-key -o ~/.appstoreconnect/key.json \
     <issuer-id> <key-id> /path/to/downloaded/private_key

e.g.

.. code-block:: bash

   rcodesign encode-app-store-connect-api-key -o ~/.appstoreconnect/key.json \
     11dda589-8632-49a8-a432-03b5e17fe1d2 DEADBEEF42 ~/Downloads/AuthKey_DEADBEAF42.p8

Next Steps
==========

Once you have a code signing certificate and/or App Store Connect API Key,
read :ref:`apple_codesign_rcodesign` to learn how to sign and/or notarize
software.