codesign

Sign an application

$ codesign -s "[Developer ID]" [MyApp.app]

$ codesign -s "[Developer ID]" --timestamp [MyApp.app]

$ codesign -s "[Developer ID]" --deep [MyApp.app]

$ codesign -s "[Developer ID]" --force [MyApp.app]

$ codesign -v [MyApp.app]

$ codesign -d -v [MyApp.app]

$ codesign --remove-signature [MyApp.app]

codesign operation [options] path...

codesign creates, verifies, and displays code signatures on macOS. Code signing is required for Gatekeeper approval, notarization, and distribution of applications. It cryptographically signs executables, applications, frameworks, plugins, and other code to verify their authenticity and integrity.
The tool integrates with macOS security frameworks to enforce that code comes from identified developers and hasn't been tampered with. Signing requires valid certificates from Apple stored in the Keychain. Timestamps from Apple's servers ensure signatures remain valid even after certificates expire.
Deep signing recursively signs all nested content within bundles, which is necessary for complex applications with embedded frameworks and plugins. Entitlements files specify security capabilities and permissions. Verification confirms signatures are valid and meet specified requirements.

--force, -f

Replace existing signature

Recursively sign nested content

Request timestamp from server

Set code signing options (runtime, etc.)

Specify architecture for fat binaries

Verify all architectures

Embed entitlements from file

Set code requirement

Set bundle identifier

Strict verification

-s identity, --sign identity

Sign code with identity

Verify code signature

Display signature information

Remove existing signature

0: Success
1: Signing/verification failed
2: Invalid arguments
3: Signature valid but requirement failed

Option order matters (verb before noun). Use --force to replace signatures. Requires valid signing identity from Keychain.

security(1), spctl(8), xcrun(1)