Signing with a PKCS#12 / PFX file works ``` $ rcodesign debug-create-macho exe assuming default minimum version 11.0.0 writing Mach-O to exe $ rcodesign sign --p12-file src/testdata/self-signed-rsa-apple-development.p12 --p12-password password --signing-time 2023-11-05T10:00:00Z --timestamp-url none exe exe.signed registering signing key signing exe to exe.signed signing exe as a Mach-O binary setting binary identifier to exe parsing Mach-O creating cryptographic signature with certificate Apple Development: RSA Apple Development (test) writing Mach-O to exe.signed $ rcodesign extract cms-info exe.signed signed content (embedded): None signed content (external): Some("fade0c020000013c00020400000000000000009c000000580000000200000005000040102002000c")... (316 bytes) signed content SHA-1: e1c19ec9ec8c13b3940f8385a8f5f9b56309330a signed content SHA-256: fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c signed content SHA-384: 25a7989a6cb024c4d037cd56f0bcfcea0ba4b178362dc4d1694a2080e47d7c63bb178b5a85dfddc9bedf8764ac8d380a signed content SHA-512: 16db5b4b1ea0529186a760790ce2d2325ea31f3d009eb74a182beb97ac26617e5495bf638d4b79746eee8f469aa991ba3a341af41b46d3b8d59079cf6d376950 certificate count: 1 certificate #0: subject CN=Apple Development: RSA Apple Development (test); self signed=true signer count: 1 signer #0: digest algorithm: Sha256 signer #0: signature algorithm: RsaSha256 signer #0: content type: 1.2.840.113549.1.7.1 signer #0: message digest: fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c signer #0: signing time: Some(2023-11-05T10:00:00Z) signer #0: signature content SHA-1: fc8004e694122f8e134b5e39380392165732f648 signer #0: signature content SHA-256: c07c8319b33e4410d2f6b06ad5344aebbd7a848894f9c5004057cbbe8e17474d signer #0: signature content SHA-384: 8b53dc40ee48b34eee4c4ba0c2d0fe411929ef4f80e9dbc167cf96c6ef4abd8d633affefffdca0ef6eadc0a055c31827 signer #0: signature content SHA-512: f4cf4a8f0e4de256e07bbfedff1455d50ae05cdbd2d3fec3a12bbc055a1e77d7746b8f1b2bf55fc6380164fda04e1d12d3fd03085b5842f6fb7c5a00348eec84 signer #0: signature valid: true signer #0: time-stamp token present: false $ rcodesign extract cms exe.signed SignedData { digest_algorithms: { Sha256, }, signed_content: None, certificates: Some( [ CapturedX509Certificate { original: Ber(308203f7308202dfa003020102020101300d06092a864886f70d01010b050030818c31143012060a0992268993f22c6401010c04746573743138303606035504030c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429310d300b060355040b0c0474657374311e301c060355040a0c15525341204170706c6520446576656c6f706d656e74310b3009060355040613025553301e170d3233313130373130343932385a170d3337303731363130343932385a30818c31143012060a0992268993f22c6401010c04746573743138303606035504030c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429310d300b060355040b0c0474657374311e301c060355040a0c15525341204170706c6520446576656c6f706d656e74310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100e6c9e2a15c321fbad0442e10bebb9824c6319fdaa7afd7c227bda4a81e152b9728855a375e34249f85f4127207a658bc091b447bb499f1f0884eecc98187630200f24c4d08e557624c33a4021ab5528581a92b902b4d436c3033cc27f67242f3eff171ed62f316fc0f138eb927e8d0568aecf11fc519487608509037e1382d81998c12f7b5913dd14bf9c26880bcc270c46b872023f83bdd1ba2395b34d6873ca5ff703dffbce5f561b55361a5a3bd01bfeda19f20b1a6bc89aadffb643d3e8faf2329609e11a587732f85405102de6a2cd76c2f95c95e22dd7af7ae9b8f238d2c60abad0595b3fa9c96b52e9ab95ef7af4596112de6fa5862aebc7aa24fe1fb0203010001a3623060300c0603551d130101ff0402300030160603551d250101ff040c300a06082b06010505070303300e0603551d0f0101ff0404030207803013060a2a864886f763640601020101ff040205003013060a2a864886f7636406010c0101ff04020500300d06092a864886f70d01010b0500038201010099563303c646c61728b9758f16c559e6e1be2eae0884c8535834062b81f21c89a94c89c0ffb25b93b886535749d81e94440f6d257438e07cc701a7e69aa8bdeca71c3d2f686357f842c62a27b045c671b487d89fd3e69458aae19d69274e7b2d54f7f736e25196738185cab05ccd71b4d8a180610e1f771cfeee0198047692ec87fd3a4dbac1db4ff8205ddd7445d6184b11e3ca7018d6a495fa4b44bc1325fdd68050b45dddadf3a9a9ea0575a5b6d7a9d636f052f3b3d79729bf475efc9c95db4154f14d2ae598cb0debd424e0f0bfe59f11668f1e80e52412ae3f722bab026439addcf9a07b81cd17dec724afa51128e092038203c137f602cb154397c05a), inner: X509Certificate( Certificate { tbs_certificate: TbsCertificate { version: Some( V3, ), serial_number: Integer( b"/x01", ), signature: AlgorithmIdentifier { algorithm: 1.2.840.113549.1.1.11, parameters: Some( AlgorithmParameter( [ 05 00 ], ), ), }, issuer: RdnSequence( RdnSequence( [ RelativeDistinguishedName( [ AttributeTypeAndValue { type: 0.9.2342.19200300.100.1.1, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.3, value: 0c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.11, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.10, value: 0c15525341204170706c6520446576656c6f706d656e74, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.6, value: 13025553, }, ], ), ], ), ), validity: Validity { not_before: UtcTime( UtcTime( 2023-11-07T10:49:28Z, ), ), not_after: UtcTime( UtcTime( 2037-07-16T10:49:28Z, ), ), }, subject: RdnSequence( RdnSequence( [ RelativeDistinguishedName( [ AttributeTypeAndValue { type: 0.9.2342.19200300.100.1.1, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.3, value: 0c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.11, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.10, value: 0c15525341204170706c6520446576656c6f706d656e74, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.6, value: 13025553, }, ], ), ], ), ), subject_public_key_info: SubjectPublicKeyInfo { algorithm: AlgorithmIdentifier { algorithm: 1.2.840.113549.1.1.1, parameters: Some( AlgorithmParameter( [ 05 00 ], ), ), }, subject_public_key: 3082010a0282010100e6c9e2a15c321fbad0442e10bebb9824c6319fdaa7afd7c227bda4a81e152b9728855a375e34249f85f4127207a658bc091b447bb499f1f0884eecc98187630200f24c4d08e557624c33a4021ab5528581a92b902b4d436c3033cc27f67242f3eff171ed62f316fc0f138eb927e8d0568aecf11fc519487608509037e1382d81998c12f7b5913dd14bf9c26880bcc270c46b872023f83bdd1ba2395b34d6873ca5ff703dffbce5f561b55361a5a3bd01bfeda19f20b1a6bc89aadffb643d3e8faf2329609e11a587732f85405102de6a2cd76c2f95c95e22dd7af7ae9b8f238d2c60abad0595b3fa9c96b52e9ab95ef7af4596112de6fa5862aebc7aa24fe1fb0203010001 (unused 0), }, issuer_unique_id: None, subject_unique_id: None, extensions: Some( Extensions( [ Extension { id: 2.5.29.19, critical: Some( true, ), value: 3000, }, Extension { id: 2.5.29.37, critical: Some( true, ), value: 300a06082b06010505070303, }, Extension { id: 2.5.29.15, critical: Some( true, ), value: 03020780, }, Extension { id: 1.2.840.113635.100.6.1.2, critical: Some( true, ), value: 0500, }, Extension { id: 1.2.840.113635.100.6.1.12, critical: Some( true, ), value: 0500, }, ], ), ), raw_data: Some("308202dfa003020102020101300d06092a864886f70d01010b050030818c31143012060a0992268993f22c6401010c04746573743138303606035504030c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429310d300b060355040b0c0474657374311e301c060355040a0c15525341204170706c6520446576656c6f706d656e74310b3009060355040613025553301e170d3233313130373130343932385a170d3337303731363130343932385a30818c31143012060a0992268993f22c6401010c04746573743138303606035504030c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429310d300b060355040b0c0474657374311e301c060355040a0c15525341204170706c6520446576656c6f706d656e74310b300906035504061302555330820122300d06092a864886f70d01010105000382010f003082010a0282010100e6c9e2a15c321fbad0442e10bebb9824c6319fdaa7afd7c227bda4a81e152b9728855a375e34249f85f4127207a658bc091b447bb499f1f0884eecc98187630200f24c4d08e557624c33a4021ab5528581a92b902b4d436c3033cc27f67242f3eff171ed62f316fc0f138eb927e8d0568aecf11fc519487608509037e1382d81998c12f7b5913dd14bf9c26880bcc270c46b872023f83bdd1ba2395b34d6873ca5ff703dffbce5f561b55361a5a3bd01bfeda19f20b1a6bc89aadffb643d3e8faf2329609e11a587732f85405102de6a2cd76c2f95c95e22dd7af7ae9b8f238d2c60abad0595b3fa9c96b52e9ab95ef7af4596112de6fa5862aebc7aa24fe1fb0203010001a3623060300c0603551d130101ff0402300030160603551d250101ff040c300a06082b06010505070303300e0603551d0f0101ff0404030207803013060a2a864886f763640601020101ff040205003013060a2a864886f7636406010c0101ff04020500"), }, signature_algorithm: AlgorithmIdentifier { algorithm: 1.2.840.113549.1.1.11, parameters: Some( AlgorithmParameter( [ 05 00 ], ), ), }, signature: 99563303c646c61728b9758f16c559e6e1be2eae0884c8535834062b81f21c89a94c89c0ffb25b93b886535749d81e94440f6d257438e07cc701a7e69aa8bdeca71c3d2f686357f842c62a27b045c671b487d89fd3e69458aae19d69274e7b2d54f7f736e25196738185cab05ccd71b4d8a180610e1f771cfeee0198047692ec87fd3a4dbac1db4ff8205ddd7445d6184b11e3ca7018d6a495fa4b44bc1325fdd68050b45dddadf3a9a9ea0575a5b6d7a9d636f052f3b3d79729bf475efc9c95db4154f14d2ae598cb0debd424e0f0bfe59f11668f1e80e52412ae3f722bab026439addcf9a07b81cd17dec724afa51128e092038203c137f602cb154397c05a (unused 0), }, ), }, ], ), signers: [ SignerInfo { issuer: RdnSequence( RdnSequence( [ RelativeDistinguishedName( [ AttributeTypeAndValue { type: 0.9.2342.19200300.100.1.1, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.3, value: 0c2f4170706c6520446576656c6f706d656e743a20525341204170706c6520446576656c6f706d656e7420287465737429, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.11, value: 0c0474657374, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.10, value: 0c15525341204170706c6520446576656c6f706d656e74, }, ], ), RelativeDistinguishedName( [ AttributeTypeAndValue { type: 2.5.4.6, value: 13025553, }, ], ), ], ), ), serial_number: Integer( b"/x01", ), digest_algorithm: Sha256, signature_algorithm: RsaSha256, signature: 427dab648570de5bb97d6660434a47057abd7fdbd2598419a96307c2e3b72f8dd3db12e4b540d3976ba30220c49a19ef82193d66b04cefdf5066ab49472b4c6b333cabf9c789167d04c25974b3ca2a3bf9d26a47cf575b209216fa3b6f7f849b026e168d248692db61f68ed974462423bcc69fe152b8db05c58b5b1dae0a6cde4c1f085c51ddba0621935ae4cc5fa764073a9681241dd03db9497844200749b31f1cb53345ab1c1626f4bc41c0171dd24178d14c66bc6392fc0cb1b7b8a27622af16bd52fdc54661939a07d49d0f9aebf833765fbaf4c2f8febc6741643ae4dc133ef35cf01eeb205b309d56ab240ae73ebf013ea80203b9c7dd613355c7585b, signed_attributes: Some( SignedAttributes { content_type: 1.2.840.113549.1.7.1, message_digest: fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c, signing_time: Some( 2023-11-05T10:00:00Z, ), }, ), digested_signed_attributes_data: Some("318201d4301806092a864886f70d010903310b06092a864886f70d010701301c06092a864886f70d010905310f170d3233313130353130303030305a302f06092a864886f70d01090431220420fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c303c06092a864886f763640902312f302d06096086480165030402010420fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c3082012906092a864886f7636409013182011a048201163c3f786d6c2076657273696f6e3d22312e302220656e636f64696e673d225554462d38223f3e0a3c21444f435459504520706c697374205055424c494320222d2f2f4170706c652f2f44544420504c49535420312e302f2f454e222022687474703a2f2f7777772e6170706c652e636f6d2f445444732f50726f70657274794c6973742d312e302e647464223e0a3c706c6973742076657273696f6e3d22312e30223e0a3c646963743e0a093c6b65793e63646861736865733c2f6b65793e0a093c61727261793e0a09093c646174613e0a09092b394d355079415679485a5438737a766161686b2b3243595869453d0a09093c2f646174613e0a093c2f61727261793e0a3c2f646963743e0a3c2f706c6973743e0a"), unsigned_attributes: None, }, ], } $ rcodesign print-signature-info exe.signed - path: exe.signed file_size: 22544 file_sha256: b79b1797e7e4da470e94c4b4881e1a04dab26e515cf3ecdc69e31cb16f48812d entity: mach_o: macho_linkedit_start_offset: 16384 / 0x4000 macho_signature_start_offset: 16400 / 0x4010 macho_signature_end_offset: 18841 / 0x4999 macho_linkedit_end_offset: 22544 / 0x5810 macho_end_offset: 22544 / 0x5810 linkedit_signature_start_offset: 16 / 0x10 linkedit_signature_end_offset: 2457 / 0x999 linkedit_bytes_after_signature: 3703 / 0xe77 signature: superblob_length: 2441 / 0x989 blob_count: 3 blobs: - slot: CodeDirectory (0) magic: fade0c02 length: 316 sha1: e1c19ec9ec8c13b3940f8385a8f5f9b56309330a sha256: fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c - slot: RequirementSet (2) magic: fade0c01 length: 80 sha1: 4f9d3e687a7622d7209180eeca44e6a4c97a2187 sha256: f48f861e449222d508463e8342afee0c2241817878cab57b21e38e6aea0c08fa - slot: CMS Signature (65536) magic: fade0b01 length: 2009 sha1: faa96064b748df76d40c73c847cad6664772324c sha256: f77bac63ecd33d9a152f4011d5cfefe695682e4dd15da5d89cdb9d8347350404 code_directory: version: '0x20400' flags: CodeSignatureFlags(0x0) identifier: exe digest_type: sha256 platform: 0 signed_entity_size: 16400 executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY) code_digests_count: 5 slot_digests: - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000' - 'RequirementSet (2): f48f861e449222d508463e8342afee0c2241817878cab57b21e38e6aea0c08fa' code_requirements: - 'designated(3): 0: (identifier "exe") and (certificate root = H"e1c7216e46533c923b7cfc94e86c7043790b96e9");' cms: certificates: - subject: 'CN=Apple Development: RSA Apple Development (test), OU=test, O=RSA Apple Development, C=US' issuer: 'CN=Apple Development: RSA Apple Development (test), OU=test, O=RSA Apple Development, C=US' key_algorithm: RSA signature_algorithm: SHA-256 with RSA encryption signed_with_algorithm: SHA-256 with RSA encryption is_apple_root_ca: false is_apple_intermediate_ca: false chains_to_apple_root_ca: false apple_extended_key_usages: - Code Signing apple_code_signing_extensions: - iPhone Developer - Mac Developer apple_certificate_profile: apple-development apple_team_id: test signers: - issuer: 'CN=Apple Development: RSA Apple Development (test), OU=test, O=RSA Apple Development, C=US' digest_algorithm: SHA-256 signature_algorithm: SHA-256 with RSA encryption attributes: - 1.2.840.113549.1.9.3 - 1.2.840.113549.1.9.4 - 1.2.840.113549.1.9.5 - 1.2.840.113635.100.9.1 - 1.2.840.113635.100.9.2 content_type: 1.2.840.113549.1.7.1 message_digest: fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c signing_time: 2023-11-05T10:00:00Z cdhash_plist: - - - ' ' - ' cdhashes' - ' ' - ' ' - "/t/t+9M5PyAVyHZT8szvaahk+2CYXiE=" - "/t/t" - ' ' - ' ' - cdhash_digests: - - 2.16.840.1.101.3.4.2.1 - fbd3393f2015c87653f2ccef69a864fb60985e21d38485b3bb1c7deeb76d825c signature_verifies: true ```