{"id":20329343,"url":"https://github.com/ddev/signing_tools","last_synced_at":"2025-10-04T11:57:25.603Z","repository":{"id":46398468,"uuid":"231453490","full_name":"ddev/signing_tools","owner":"ddev","description":"Signing and Notarization tools for macOS and Windows","archived":false,"fork":false,"pushed_at":"2025-08-17T21:24:35.000Z","size":75,"stargazers_count":28,"open_issues_count":1,"forks_count":7,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-08-17T21:27:15.629Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ddev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["ddev"],"custom":["https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"]}},"created_at":"2020-01-02T20:21:36.000Z","updated_at":"2025-08-17T20:04:15.000Z","dependencies_parsed_at":"2023-02-04T23:46:53.048Z","dependency_job_id":"c306b526-8c2d-49a5-b60d-c86de0da9317","html_url":"https://github.com/ddev/signing_tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ddev/signing_tools","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fsigning_tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fsigning_tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fsigning_tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fsigning_tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ddev","download_url":"https://codeload.github.com/ddev/signing_tools/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ddev%2Fsigning_tools/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278308622,"owners_count":25965654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T20:10:14.902Z","updated_at":"2025-10-04T11:57:25.596Z","avatar_url":"https://github.com/ddev.png","language":"Shell","funding_links":["https://github.com/sponsors/ddev","https://www.paypal.com/donate/?hosted_button_id=MCNCSZHC7LHSQ","https://ddev.com/support-ddev/"],"categories":[],"sub_categories":[],"readme":"[![last commit](https://img.shields.io/github/last-commit/ddev/signing_tools)](https://github.com/ddev/signing_tools/commits)\n\n# signing_tools: macOS Signing and Notarization Tools\n\nThis set of scripts currently provides macOS signing and notarization tools for command-line binaries.\n\nThe macOS signing and notarization tools (`macos_sign.sh` and `macos_notarize.sh`) must be run on macOS.\n\nExamples:\n\n`./macos_sign.sh --signing-password=\"${SIGNING_TOOLS_SIGNING_PASSWORD}\" --cert-file=${CERTFILE} --cert-name=\"${CERTNAME}\"  --target-binary=\"${TARGET_BINARY}\"`\n\n`./macos_notarize.sh  --app-specific-password=${APP_SPECIFIC_PASSWORD} --apple-id=${APPLE_ID} --primary-bundle-id=com.ddev.test-signing-tools --target-binary=${TARGET_BINARY} [ --team-id=\u003cshort-id\u003e ]`\n\nThe rest of this file explains the methods and resources for signing.\n\n## macOS Command-line Binary Signing and Notarization\n\n[DDEV](https://github.com/ddev/ddev) and other tools use this to do macOS signing and notarization.\n\n### Overview\n\nApple's ongoing initiatives at controlling what runs on their platforms took a new turn with macOS Catalina (10.15), with required app and command-line binary signing.\n\nNotarization requires\n\n* An Apple Developer Program organization membership from developer.apple.com\n* Obtaining a signing cert from Apple.\n* Signing the binary or app with a Developer ID Certificate (not  a distribution cert)\n* Notarization (uploading the binary to Apple for approval)\n* Validating code signing\n* Validating notarization\n* An app-specific password created on your Apple account.\n* You may need a new \"Developer Relations Intermediate Certificate\". From https://developer.apple.com/forums/thread/662300 :\n  \u003e Just download the certificate from here and install it. If it doesn't works have a look on https://developer.apple.com/support/expiration/\n\n### Creating and exporting the signing certificate\n\n* Signing requires the one-time task of obtaining a doing a certificate request (and creating associated private key) and downloading the certificate. See [docs](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html).\n  * Open `Keychain Access` and go to `Certificate Assistant -\u003e Request a Certificate from a Certificate Authority`\n  * Provide the `User Email Address` and a `Common Name` identifier and save to disk.\n  * Sign in with organization owner credentials at [developer.apple.com](https://developer.apple.com)\n  * At \"Certificates, Identiifiers \u0026 Profiles\" click the `+` to create a new certificate.\n  * Choose \"Developer ID Application\"\n  * Upload the CSR you created.\n  * Download the created certificate (it's a `.cer file).\n  * Open the downloaded cert in Keychain Access\n  * In \"My Certificates\" export the cert at a .p12 file (it absolutely must be a .p12 file)\n  * Export the new cert with a password and place it to be used in your CI process.\n\n### Signing a command-line binary\n\n* The process requires that binaries be hardened and signed with the *Developer ID certificate*, so, for example, DDEV's Apple account on developer.apple.com might have a cert called 'Developer ID Application: DDEV Foundation (9HQ298V2BW)'. This cert can be used for signing multiple binaries or applications.\n* Signing is done with the macOS tool `codesign`. For example,\n`codesign --keychain buildagent -s 'Developer ID Application: DDEV Foundation (9HQ298V2BW)' --timestamp --options runtime .gotmp/bin/darwin_amd64/ddev`. The [macos_sign.sh](macos_sign.sh) tool here just codifies that process.\n\n#### Validating the signature on the binary\n\nSignature validation can be done with `codesign -v`, for example, `codesign -vv -d .gotmp/bin/darwin_amd64/ddev`.\n\n### Notarizing a binary\n\nNotarizing a binary means\n\n* Uploading the signed binary to Apple for its approval\n* Verifying that the process completes successfully and has no warnings\n* Verifying from the build process (a link given at notarization completed) that there are no warnings. (When I first got notarization to work, it reported that the package was accepted, but there was a warning that it did not have a \"Developer ID\" certificate, and thus was *not* successful.)\n* In the case of a .app or other types of artifact, \"stapling\" the approval to the artifact. In the case of a command-line binary it is not possible to staple the approval. [Apple announcement](https://developer.apple.com/news/?id=06032019i) specifies that stapling is for apps, installer packages, and kernel extensions. We can expect this to be added in the future for command-line binaries, but at this time there is no place in the binary architecture for anything to be stapled. The [Apple notarizing article](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow#3087720) says\n    \u003e Although tickets are created for standalone binaries, it’s not currently possible to staple tickets to them.\n\n#### Validating notarization\n\nThe best technique I've found for validating succesful notarization was [archichect](https://eclecticlight.co/2019/11/26/how-to-check-quarantine-64-bit-signature-and-notarization-for-almost-anything/), which validates the signing and also checks in with Apple to see if it's been notarized.\n\n`codesign --test-requirement=\"=notarized\" --verify --verbose ddev` was suggested as an approach, but it doesn't seem to work on a binary that can't be stapled.\n\n### CI-based Signing and Notarization\n\nSigning and Notarizing are implemented in [DDEV's Makefile](https://github.com/ddev/ddev/blob/9f43569444c9c28fbfb3bab77f35aa49a4bd6a09/Makefile#L130-L141) and `make darwin_signed` there does the whole process using the tools from this repo.\n\n## Resources and Links\n\n* Apple regularly changes their developer agreements. Every time they do, you have to agree to the change before notarizing will work. You have to sign into your apple account and then visit [appstoreconnect.apple.com](https://appstoreconnect.apple.com/agreements/#/) to accept the agreement. (When trying to notarize, you'll get \"Error: Unable to notarize app.\" and \"Error: code 1048 (You must first sign the relevant contracts online. (1048))\" from altool.)\n* [Basic Step-by-step Signing and Notarization Walkthrough](http://www.zarkonnen.com/signing_notarizing_catalina)\n* [Testing Notarization](https://eclecticlight.co/2019/11/26/how-to-check-quarantine-64-bit-signature-and-notarization-for-almost-anything/) and [Archichect validation tool](https://eclecticlight.co/32-bitcheck-archichect/)\n* [Notarization Answer on Stack Overflow](https://stackoverflow.com/questions/56890749/macos-notarize-in-script/56890758#56890758)\n* [notarize-app](https://www.notion.so/randyfay/Notarization-Catalina-e8d037cb6caf44fc9eef339f092faa64#e590379f4a35498181b18554a49fac88) script for CI notarization.\n* [Apple's general Notarizing article](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution)\n* [Apple's Customizing the Notarization Workflow](https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/customizing_the_notarization_workflow) article\n* [CI Signing technique](https://stackoverflow.com/a/40039594/215713) (Stack Overflow)\n* [Signing without the popup password](https://stackoverflow.com/a/40039594/215713) (for CI, same SO question)\n* [Apple's Code Signing docs](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html)\n* [Common Code Signing Errors](https://medium.com/@SharpFive/common-code-signing-errors-codesign-failed-with-exit-code-1-1ffa5f4785c9)\n\n## Developer and Contribution information\n\n* If you're making changes, use `make test` to test them. You'll need these environment variables set\n    * `APPLE_ID` (the apple username/email related to the `APP_SPECIFIC_PASSWORD`)\n    * `APP_SPECIFIC_PASSWORD` (Apple app specific password)\n    * `SIGNING_TOOLS_SIGNING_PASSWORD` (signing password for the provided certificate).\n* Forked PRs will not run tests in this repo, because they could expose the `APP_SPECIFIC_PASSWORD`.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fddev%2Fsigning_tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fddev%2Fsigning_tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fddev%2Fsigning_tools/lists"}