xip(1) [osx man page]
xip(1) BSD General Commands Manual xip(1) NAME
xip -- Create a signed archive for secure distribution SYNOPSIS
xip [options] --sign identity input-file ... output-archive DESCRIPTION
The xip tool archives one or more files or directories into a signed XIP file. A XIP file is an analog to zip(1), but allows for a digital signature to be applied and verified on the receiving system, before the archive is expanded. When a XIP file is opened (by double-clicking), Archive Utility will automatically expand it (but only if the digital signature is intact). To create a XIP file, you will need to have a certificate and corresponding private key -- together called an ``identity'' -- in one of your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as the ``Common Name'' of the certificate. If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise, the default keychain search path is used. xip will embed the signing certificate in the XIP file, as well as any intermediate certificates that are found in the keychain. The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity. ARGUMENTS AND OPTIONS
--sign identity-name The name of the identity to use for signing the archive. --keychain keychain-path Specify a specific keychain to search for the signing identity. --timestamp Include a trusted timestamp with the signature. --timestamp=none Disable trusted timestamp, regardless of identity. input-file ... The path to one or more files or directories to be archived. output-archive The path to which the signed archive will be written. Mac OS September 23, 2011 Mac OS
Check Out this Related Man Page
productsign(1) BSD General Commands Manual productsign(1) NAME
productsign -- Sign an OS X Installer product archive SYNOPSIS
productsign [options] --sign identity input-product-path output-product-path DESCRIPTION
productsign adds a digital signature to a product archive previously created with productbuild(1). Although you can add a digital signature at the time you run productbuild(1), you may wish to add a signature later, once the product archive has been tested and is ready to deploy. If you run productsign on a product archive that was previously signed, the existing signature will be replaced. To sign a product archive, you will need to have a certificate and corresponding private key -- together called an ``identity'' -- in one of your accessible keychains. To add a signature, specify the name of the identity using the --sign option. The identity's name is the same as the ``Common Name'' of the certificate. If you want to search for the identity in a specific keychain, specify the path to the keychain file using the --keychain option. Otherwise, the default keychain search path is used. productsign will embed the signing certificate in the product archive, as well as any intermediate certificates that are found in the key- chain. If you need to embed additional certificates to form a chain of trust between the signing certificate and a trusted root certificate on the system, use the --cert option to give the Common Name of the intermediate certificate. Multiple --cert options may be used to embed multiple intermediate certificates. The signature can optionally include a trusted timestamp. This is enabled by default when signing with a Developer ID identity, but it can be enabled explicitly using the --timestamp option. A timestamp server must be contacted to embed a trusted timestamp. If you aren't connected to the Internet, you can use --timestamp=none to disable timestamps, even for a Developer ID identity. ARGUMENTS AND OPTIONS
--sign identity-name The name of the identity to use for signing the product archive. --keychain keychain-path Specify a specific keychain to search for the signing identity. --cert certificate-name Specify an intermediate certificate to be embedded in the product archive. --timestamp Include a trusted timestamp with the signature. --timestamp=none Disable trusted timestamp, regardless of identity. input-product-path The product archive to be signed. output-product-path The path to which the signed product archive will be written. Must not be the same as input-product-path. SEE ALSO
productbuild(1) Mac OS September 15, 2010 Mac OS