Login or Register to Ask a Question and Join Our Community

Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

productsign(1) [osx man page]

productsign(1)						    BSD General Commands Manual 					    productsign(1)

NAME

     productsign -- Sign an OS X Installer product archive

SYNOPSIS

     productsign [options] --sign identity input-product-path output-product-path

DESCRIPTION

     productsign adds a digital signature to a product archive previously created with productbuild(1).  Although you can add a digital signature
     at the time you run productbuild(1), you may wish to add a signature later, once the product archive has been tested and is ready to deploy.
     If you run productsign on a product archive that was previously signed, the existing signature will be replaced.

     To sign a product archive, you will need to have a certificate and corresponding private key -- together called an ``identity'' -- in one of
     your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as
     the ``Common Name'' of the certificate.

     If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise,
     the default keychain search path is used.

     productsign will embed the signing certificate in the product archive, as well as any intermediate certificates that are found in the key-
     chain. If you need to embed additional certificates to form a chain of trust between the signing certificate and a trusted root certificate
     on the system, use the --cert option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to embed
     multiple intermediate certificates.

     The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be
     enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected
     to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity.

ARGUMENTS AND OPTIONS

     --sign identity-name
		 The name of the identity to use for signing the product archive.

     --keychain keychain-path
		 Specify a specific keychain to search for the signing identity.

     --cert certificate-name
		 Specify an intermediate certificate to be embedded in the product archive.

     --timestamp
		 Include a trusted timestamp with the signature.

     --timestamp=none
		 Disable trusted timestamp, regardless of identity.

     input-product-path
		   The product archive to be signed.

     output-product-path
		   The path to which the signed product archive will be written. Must not be the same as input-product-path.

SEE ALSO

     productbuild(1)

Mac OS								September 15, 2010							    Mac OS

Check Out this Related Man Page

NBSVTOOL(1)						    BSD General Commands Manual 					       NBSVTOOL(1)

NAME

     nbsvtool -- create and verify detached signatures of files

SYNOPSIS

     nbsvtool [-v] [-a anchor-certificates] [-c certificate-chain] [-f certificate-file] [-k private-key-file] [-u required-key-usage] command
	      args ...

DESCRIPTION

     nbsvtool is used to create and verify detached X509 signatures of files.  Private keys and certificates are expected to be PEM encoded, sig-
     natures are in PEM/SMIME format.

     Supported commands:

     sign file			       Sign file, placing the signature in file.sp7.  The options -f and -k are required for this command.

     verify file [signature]	       Verify signature for file.  If signature is not specified, file.sp7 is used.

     verify-code file [signature]      This is a short cut for verify with the option -u code.

     Supported options:

     -a anchor-certificates	   A file containing one or more (concatenated) keys that are considered trusted.

     -c certificate-chain	   A file containing additional certificates that will be added to the signature when creating one.  They will be
				   used to fill missing links in the trust chain when verifying the signature.

     -f certificate-file	   A file containing the certificate to use for signing.  The certificate must match the key given by -k.

     -k private-key-file	   A file containing the private key to use for signing.

     -u required-key-usage	   Verify that the extended key-usage attribute in the signing certificate matches required-key-usage.	Otherwise,
				   the signature is rejected.  key usage can be one of: ``ssl-server'', ``ssl-client'', ``code'', or ``smime''.

     -v 			   Print verbose information about the signing certificate.

EXIT STATUS

     The nbsvtool utility exits 0 on success, and >0 if an error occurs.

EXAMPLES

     Create signature file hello.sp7 for file hello.  The private key is found in file key, the matching certificate is in cert, additional cer-
     tificates from cert-chain are included in the created signature.
	   nbsvtool -k key -f cert -c cert-chain sign hello hello.sp7

     Verify that the signature hello.sp7 is valid for file hello and that the signing certificate allows code signing.	Certificates in
     anchor-file are considered trusted, and there must be a certificate chain from one of those certificates to the signing certificate.
	   nbsvtool -a anchor-file verify-code hello hello.sp7

SEE ALSO

     openssl_smime(1)

CAVEATS

     As there is currently no default trust anchor, you must explicilty specify one with -a, otherwise no verification can succeed.

BSD
								  March 11, 2009							       BSD
Man Page