How to create a certificate authority for code signing in macOS

Code signing is a security measure that verifies the authenticity and integrity of software. On macOS, using a certificate from a trusted Certificate Authority (CA) is essential to ensure that the software comes from a verified source and hasn't been tampered with. This process establishes trust between the software provider and the end-user.

macOS includes built-in tools that allow developers to create and manage these certificates. While it's possible to create self-signed certificates for local testing, distributing software to a broader audience requires a certificate from a recognized public CA. Alternatively, an organization can create an in-house CA for private software distributions.

Creating a Certificate Authority (CA) on macOS involves using the Keychain Access application. This tool lets you create a CA, generate a code signing certificate, and then sign that certificate. This setup is especially useful for internal software distributions or when a public CA is not necessary.

1. Launch Keychain Access.
2. Go to Keychain Access → Certificate Assistant → Create a Certificate Authority from the menu bar.
3. Set a name for your CA.
4. Click on User Certificate select list.
5. Select Code Signing from the list.
6. Check on Let me override defaults checkbox.
7. Enter the email address for your CA.
8. Click on Continue.

   Click Continue if you encounter this warning. Related : How to create a code signing certificate in macOS

9. Accept defaults for Certificate Information and click Continue.

   Click Continue if you encounter this warning.

10. Enter certificate information and click Continue.
11. Accept defaults for Key Pair Information For This CA and click Continue.
12. Accept defaults for Key Pair Information For Users of This CA and click Continue.
13. Accept defaults for Key Usage Extensions For This CA and click Continue.
14. Accept defaults for Key Usage Extensions For Users of This CA and click Continue.
15. Click on Include Extended Key Usage Extension.
16. Click to check the Code Signing checkbox.
17. Click Continue.
18. Accept defaults for Extended Key Usage Extensions For Users of This CA and click Continue.
19. Accept defaults for Basic Constraints Extension For This CA and click Continue.
20. Accept defaults for Basic Constraints Extension For Users of This CA and click Continue.
21. Accept defaults for Subject Alternative Name For This CA and click Continue.
22. Accept defaults for Subject Alternative Name for Users of This CA and click Continue.
23. Click Create to create the CA.
24. Close the Certificate Assistant window and open Keychain Access.
25. Double click on your newly created CA in login → My Certificates.
26. Click on Trust.
27. Click on When using this certificate select list.
28. Click on Always trust.
29. Close the CA information window.
30. Authenticate to the system to enable your changes.