Mac Developer Network » Blog Archive » Security: Sharing Signing Certificates Between Multiple Machines

Security: Sharing Signing Certificates Between Multiple Machines

6 February 2010 449 views No Comment

One of the frequently asked questions regarding my impromptu code-signing talk at NSConference was: how can I share my signing certificate between multiple machines? I’ll show you, but I want to start with a bit of theory. I promise it won’t be too tedious (or it won’t be too long, anyway).

When you sign an application (either Mac or iPhone), you’re stamping that application with your identity, effectively saying “I made this”. The identity is formed from two parts: the first is a certificate, which contains the publicly-shared part of the identity (the “public key”) along with some metadata describing who issued the certificate (implying that they are asserting your claim to that identity), and to what purposes the identity can be put. When an application is signed, the certificate part is embedded into the application as part of the signature.

The second part is a private key, which as the name suggests is a secret component of the identity. The private key is required to use the identity (in this case, to sign code needs the private key), and should therefore only be known to the identity’s owner. It is the private key from which encrypted content and — more relevant for this case — content signatures are derived.

Why would you want to share your private key among different computers? Remember that you only need to sign code that will be deployed to your customers, so only the machines where you prepare release builds need access to the private key. If you work with multiple developers, then it might be appropriate for each to be able to sign releases on behalf of your company. If you prepare a project for a client then transfer it to their systems when you sign off, that is another reason to move the certificate. Or maybe you just bought a new Mac Pro and would like to migrate your build environment.

In any case, both parts of the identity must be transferred to the new computer in order for the identity to be useful for code signing. To achieve this, the identity can be exported from the keychain using the PKCS#12 (Public Key Cryptography Standard) format, a standard format for identity exchange. Keychain Access provides user interface for doing this. Select the certificate you need to share, and right/control click to choose “Export” from the contextual menu. From the “File Format” menu, select “Personal Information Exchange (.p12)”. Note that if you choose the “Certificate (.cer)” format, the private key will not be exported. This seems to be the most common problem developers were encountering.

When you choose “Save”, Keychain Access will prompt you for a password. It is important to choose a strong password as it is protecting the private key for your identity — should a malicious monster acquire the private key, they can use it to claim that software they have prepared came from you. The password is only needed until you import the .p12 file on the target computer, after which you can delete the .p12 and no longer require the password. With a good password in place the identity cannot be intercepted, so it can be transferred to the target machine using any available medium — USB stick, AFP file sharing or email perhaps.

To import the identity on the target machine, drag the .p12 file onto Keychain Access. You will be asked to enter the same password you created when exporting the identity earlier.

Depending on the trust settings on the target Mac, you may be presented with a certificate trust sheet. You can dismiss this or make any changes, as currently the code signing facility doesn’t make use of trust decisions the configuration is a bit moot. In any case, the full identity (both the certificate and the private key) is now present in the login keychain of the user on the new system, and can be used to sign built products in Xcode.

As an informative aside, the PKCS#12 format is useful for transporting any personal identity, not just code signing certificates. Keychain Services on both Mac and iPhone provide API for working with .p12 files, making it easy to distribute certificate-based identities to users.