Code signing ensures the authenticity and integrity of a piece of software, allowing end-users to trust the source of the application they're installing. In macOS, using certificates from a trusted certificate authority (CA) is paramount for assuring users that the software they're obtaining hasn't been altered maliciously and that it originates from a verified source.

Apple's macOS offers built-in tools for creating self-signed certificates suitable for local testing and development. However, if you're distributing software to a broader audience, Apple recommends acquiring a certificate from a public CA or, if suitable, creating an in-house CA for private distributions.

You can create a Certificate Authority (CA) for code signing in macOS using the built-in Keychain Access application. Once you have your own CA, you can then create a Code Signing certificate and use the CA to sign that certificate.

Steps to create Certificate Authority for Code Signing using Keychain Access:

  1. Launch Keychain Access.
  2. Go to Keychain Access > Certificate Assistant > Create a Certificate Authority from the menu bar.
  3. Set a name for your CA.
  4. Click on the User Certificate select list.
  5. Select Code Signing from the list.
  6. Check the Let me override defaults checkbox.
  7. Enter the email address for your CA.
  8. Click on Continue.

    Click Continue if you encounter this warning.

  9. Accept defaults for Certificate Information and click Continue.

    Click Continue if you encounter this warning.

  10. Enter certificate information and click Continue.
  11. Accept defaults for Key Pair Information For This CA and click Continue.
  12. Accept defaults for Key Pair Information For Users of This CA and click Continue.
  13. Accept defaults for Key Usage Extensions For This CA and click Continue.
  14. Accept defaults for Key Usage Extensions For Users of This CA and click Continue.
  15. Click on Include Extended Key Usage Extension.
  16. Click to check the Code Signing checkbox.
  17. Click Continue.
  18. Accept defaults for Extended Key Usage Extensions For Users of This CA and click Continue.
  19. Accept defaults for Basic Constraints Extension For This CA and click Continue.
  20. Accept defaults for Basic Constraints Extension For Users of This CA and click Continue.
  21. Accept defaults for Subject Alternative Name For This CA and click Continue.
  22. Accept defaults for Subject Alternative Name for Users of This CA and click Continue.
  23. Click Create to create the CA.
  24. Close the Certificate Assistant window and open Keychain Access.
  25. Double-click on your newly created CA in login > My Certificates.
  26. Click on Trust.
  27. Click on the When using this certificate select list.
  28. Click on Always trust.
  29. Close the CA information window.
  30. Authenticate to the system to enable your changes.
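
To confirm from Terminal that the trust change in steps 25 to 30 took effect, the following added example (not part of the original article) classifies an identity from the output of `security find-identity -p codesigning`. The identity name, hashes and sample listings are constructed placeholders, and it assumes your identity appears in that listing under the name you chose in step 3.

```shell
#!/bin/sh
# Added example, not from the original article.
# IDENTITY_NAME is a placeholder: use the name you chose in step 3.
IDENTITY_NAME="${IDENTITY_NAME:-Example Code Signing CA}"

# Constructed sample output of `security find-identity -p codesigning`
# (made-up hash and name) for an identity whose chain is not yet trusted ...
sample_untrusted() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "Example Code Signing CA" (CSSMERR_TP_NOT_TRUSTED)
     1 identities found

  Valid identities only
     0 valid identities found
EOF
}

# ... and for the same identity once it is accepted as valid.
sample_trusted() {
cat <<'EOF'
Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000000 "Example Code Signing CA"
     1 identities found

  Valid identities only
  1) 0000000000000000000000000000000000000000 "Example Code Signing CA"
     1 valid identities found
EOF
}

# identity_status NAME: read find-identity output (run without -v) on stdin and
# print "valid", "rejected" (listed but not accepted as valid) or "missing".
identity_status() {
  awk -v name="$1" '
    /Matching identities/   { section = "matching" }
    /Valid identities only/ { section = "valid" }
    index($0, "\"" name "\"") { if (section == "valid") valid = 1; else matched = 1 }
    END { print (valid ? "valid" : (matched ? "rejected" : "missing")) }'
}

# On a Mac, check the real keychain; elsewhere only the functions are defined.
if [ "$(uname -s)" = "Darwin" ] && command -v security >/dev/null 2>&1; then
  echo "$IDENTITY_NAME: $(security find-identity -p codesigning | identity_status "$IDENTITY_NAME")"
fi
```

A result of `rejected` means the identity is in the keychain but is not accepted for code signing, so revisit the trust setting in steps 25 to 30.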