Signing OS X app on Windows (without codesign)
We have tried to reverse-engineer the code signing using the source code of the libsecurity_codesigning library. Although it seems feasible, it is still too much effort, so we are considering giving up. We would like to at least share what we have found so far, so others may build upon it.
We have found that when codesign does not find a MachO binary, it falls back to "architecture agnostic" signing, implemented in SecCodeSigner::Signer::signArchitectureAgnostic.
Key steps there:
1. CodeDirectory file generation. The directory includes a few SHA-1 hashes of various pieces of the bundle in addition to the file header (including the directory version).
2. CodeSignature file generation. The signature signs the CodeDirectory file using the Cryptographic Message Syntax (CMS) format. The signature can be verified on any platform using OpenSSL:
openssl cms -verify -in CodeSignature -inform DER -content CodeDirectory -noverify -out CodeDirectory.verified
Note that -noverify is needed to skip certificate validation, as OpenSSL does not seem to support the "code signing" purpose of certificates.
OpenSSL should be able to create a CMS signature using the following command:
openssl cms -sign -in CodeDirectory -out CodeSignature -signer certificate.pem -outform DER
But such a signature is not accepted by OS X.
We didn't get any further.
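The detached CMS signature over CodeDirectory that the question describes, as an added example that is not part of the original post: a POSIX shell script using only the openssl CLI that creates a throwaway self-signed certificate, signs a constructed stand-in CodeDirectory blob with openssl cms -sign, verifies it with the -content/-noverify command from the question, and confirms that a modified CodeDirectory fails verification. The certificate, file names and content are all constructed; the script passes -binary on both sides so the bytes are signed exactly as stored, and it makes no claim to produce anything OS X would accept.

```shell
#!/bin/sh
# Added example (not from the original post): detached CMS signature over a
# constructed stand-in for CodeDirectory, verified the way the question does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway self-signed certificate; -noverify below skips chain checks anyway.
make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=cms-example" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
}

# Stand-in CodeDirectory: arbitrary bytes, including CRLF and high bytes,
# so that text-mode canonicalisation would corrupt it.
make_codedirectory() {
    printf 'CodeDirectory stand-in\r\n\377\376 constructed\n' > "$WORK/CodeDirectory"
}

# CodeSignature: detached (the default for cms -sign), DER encoded, -binary so
# the content is signed byte-for-byte.
sign_codedirectory() {
    openssl cms -sign -binary -in "$WORK/CodeDirectory" -signer "$WORK/cert.pem" \
        -inkey "$WORK/key.pem" -outform DER -out "$WORK/CodeSignature"
}

# The verification command from the question; prints ok or bad.
verify_codedirectory() {
    if openssl cms -verify -binary -in "$WORK/CodeSignature" -inform DER \
           -content "$1" -noverify -out "$WORK/CodeDirectory.verified" 2>/dev/null
    then echo ok; else echo bad; fi
}

# Sign, verify, tamper, verify again: prints "ok bad".
cms_roundtrip() {
    make_signer && make_codedirectory && sign_codedirectory
    good=$(verify_codedirectory "$WORK/CodeDirectory")
    printf 'X' >> "$WORK/CodeDirectory"   # one extra byte breaks the signature
    tampered=$(verify_codedirectory "$WORK/CodeDirectory")
    echo "$good $tampered"
}
```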
Not strictly signing on Windows, but have you considered Remote Desktop into a friend's Mac or renting a Mac in the cloud? http://www.macincloud.com seems to have fairly reasonable plans.
Could save a lot of the trouble. All you really need access to is the codesign tool and the Terminal.
Edit: You will still need an Apple Developer account to sign the application - Gatekeeper only allows signatures from Apple-issued developer ID certificates.