# Create Apple Certificates for Code Signing
This guide explains how to generate a Certificate Signing Request (CSR), obtain a certificate from Apple Developer, and create a `.p12` certificate file on Linux for code signing.
## Step 1: Generate a Certificate Signing Request (CSR) on Linux
Apple requires a **Certificate Signing Request (CSR)** to issue a signing certificate. You can generate the CSR using OpenSSL on Linux:
1. **Generate a private key**:
Open a terminal and run the following command to generate a new private key (`private.key`):
```bash
openssl genrsa -out private.key 2048
```
2. **Generate a CSR**:
Use the private key to generate a CSR file. Replace `Your Name`, `Your Organization`, and `Your Company` with your actual details:
```bash
openssl req -new -key private.key -out certificate.csr -subj "/CN=Your Name/OU=Your Organization/O=Your Company/C=US"
```
Keep `private.key` safe, as it will be used later for code signing. The file is written unencrypted, so restrict its file permissions and never commit it to a repository.
## Step 2: Upload the CSR to Apple Developer and Obtain a Certificate
Once you have your CSR, you need to upload it to Apple's Developer portal to get a signing certificate.
1. Log in to [Apple Developer](https://developer.apple.com) using your Apple ID.
2. Navigate to **Certificates, Identifiers & Profiles → Certificates**.
3. Click the "+" button to create a new certificate.
4. Choose either **Apple Development** (for development) or **Apple Distribution** (for App Store releases).
5. Upload the `certificate.csr` file you generated in Step 1.
6. Apple will generate a `.cer` certificate file for you. Download this file to your computer.
## Step 3: Convert the `.cer` File to a `.p12` File on Linux
Apple's `.cer` file needs to be combined with the private key to create a `.p12` file, which is required for code signing. Follow these steps:
1. **Convert the `.cer` file to `.pem` format**:
Convert the downloaded `.cer` file (saved as `development.cer` in this example; adjust the name if yours differs) to a `.pem` file using the following OpenSSL command:
```bash
openssl x509 -in development.cer -inform DER -out certificate.pem -outform PEM
```
2. **Create the `.p12` file**:
This is the **correct** command to generate the `.p12` file, which combines the private key and the `.pem` certificate. You'll be prompted to enter an export password (this password is used when importing the `.p12` file later, so make sure to remember it):
```bash
openssl pkcs12 -export -inkey private.key -in certificate.pem -out new_certificate.p12 -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES
```
**Note:** DO NOT use the plain command without these parameters:
```bash
openssl pkcs12 -export -inkey private.key -in certificate.pem -out certificate.p12
```
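The explicit parameters (`-macalg`, `-keypbe`, and `-certpbe`) are there for compatibility: without them, OpenSSL 3.x defaults to AES-256-CBC with a SHA-256 MAC, which the macOS keychain import may reject. SHA-1 and 3DES are legacy algorithms, so these parameters do not strengthen the file; its protection depends on a strong export password and on limiting where the `.p12` is stored.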
3. **Convert the `.p12` file to base64 for GitHub Secrets**:
After generating the `.p12` file, you can encode it to base64 format, which is required for uploading it as a secret to GitHub Actions:
```bash
base64 -w 0 new_certificate.p12 > certificate.p12.base64
```
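The contents of `certificate.p12.base64` can now be added as a GitHub secret for use in your CI/CD pipeline. Base64 is an encoding, not encryption, so store the export password as a separate secret and delete the local `.base64` file once it has been uploaded.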
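A pre-upload check for the files produced in Steps 1 to 3, as an added example that is not part of the original guide: it confirms that the certificate belongs to `private.key` and that the base64 secret decodes to a `.p12` that opens with the export password. The function names, the `P12_PASSWORD` environment variable and the self-signed certificate standing in for Apple's are assumptions made for illustration.

```bash
# Added example, not from the original guide. Function names, P12_PASSWORD and
# the self-signed stand-in certificate are assumptions made for illustration.

# True if the certificate in $2 carries the public key of the private key in $1.
key_matches_cert() (
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
)

# True if base64 file $1 decodes to a PKCS#12 bundle that opens with the export
# password in $P12_PASSWORD and whose certificate matches the private key in $2.
p12_b64_ok() (
  tmp=$(mktemp -d) || exit 1
  rc=1
  if base64 -d "$1" > "$tmp/in.p12" 2>/dev/null &&
     openssl pkcs12 -in "$tmp/in.p12" -passin env:P12_PASSWORD -nokeys -clcerts \
       -out "$tmp/cert.pem" 2>/dev/null &&
     key_matches_cert "$2" "$tmp/cert.pem"; then rc=0; fi
  rm -rf "$tmp"
  exit "$rc"
)

# Build constructed sample files in directory $1 using the guide's commands.
make_sample() (
  cd "$1" || exit 1
  openssl genrsa -out private.key 2048 2>/dev/null &&
  openssl genrsa -out other.key 2048 2>/dev/null &&   # unrelated key, negative case
  openssl req -new -x509 -key private.key -days 1 -subj "/CN=Constructed Example" \
    -out certificate.pem 2>/dev/null &&               # stands in for Apple's certificate
  openssl pkcs12 -export -inkey private.key -in certificate.pem \
    -out new_certificate.p12 -passout env:P12_PASSWORD \
    -macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES 2>/dev/null &&
  base64 -w 0 new_certificate.p12 > certificate.p12.base64
)

export P12_PASSWORD='constructed-example-password'  # in CI this comes from a secret
work=$(mktemp -d) && make_sample "$work" &&
  key_matches_cert "$work/private.key" "$work/certificate.pem" &&
  p12_b64_ok "$work/certificate.p12.base64" "$work/private.key" &&
  echo "OK: key, certificate and .p12 are consistent"
p12_b64_ok "$work/certificate.p12.base64" "$work/other.key" ||
  echo "Rejected: bundle does not match other.key"
rm -rf "$work"
```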
---
### Summary of Commands:
1. Generate private key:
```bash
openssl genrsa -out private.key 2048
```
2. Generate CSR:
```bash
openssl req -new -key private.key -out certificate.csr -subj "/CN=Your Name/OU=Your Organization/O=Your Company/C=US"
```
3. Convert `.cer` to `.pem`:
```bash
openssl x509 -in development.cer -inform DER -out certificate.pem -outform PEM
```
4. Create `.p12` file:
```bash
openssl pkcs12 -export \
-inkey private.key \
-in certificate.pem \
-out new_certificate.p12 \
-macalg sha1 \
-keypbe PBE-SHA1-3DES \
-certpbe PBE-SHA1-3DES
```
5. Convert `.p12` to base64:
```bash
base64 -w 0 new_certificate.p12 > certificate.p12.base64
```
By following these steps, you will have successfully generated a `.p12` file that can be used for code signing, and you will be ready to integrate it into your CI/CD pipeline for macOS applications.