LinuxCommandLibrary

codesign

TLDR

Sign an application

$ codesign -s "[Developer ID]" [MyApp.app]

Sign with timestamp

$ codesign -s "[Developer ID]" --timestamp [MyApp.app]

Sign recursively (deep)

$ codesign -s "[Developer ID]" --deep [MyApp.app]

Force re-sign

$ codesign -s "[Developer ID]" --force [MyApp.app]

Verify signature

$ codesign -v [MyApp.app]

Display signature info

$ codesign -d -v [MyApp.app]

Remove signature

$ codesign --remove-signature [MyApp.app]

SYNOPSIS

codesign operation [options] path...

DESCRIPTION

codesign creates, verifies, and displays code signatures on macOS. Code signing is required for Gatekeeper approval and notarization. codesign can sign applications, frameworks, plugins, and executables.

PARAMETERS

--force, -f
Replace existing signature

--deep
Recursively sign nested content

--timestamp[=url]
Request timestamp from server

--options flags
Set code signing options (runtime, etc.)

-a arch, --architecture arch
Specify architecture for fat binaries

--all-architectures
Verify all architectures

--entitlements file
Embed entitlements from file

-r requirement
Set code requirement

-i identifier
Set bundle identifier

--strict
Strict verification

OPERATIONS

-s identity, --sign identity
Sign code with identity

-v, --verify
Verify code signature

-d, --display
Display signature information

--remove-signature
Remove existing signature

EXIT CODES

0: Success
1: Signing/verification failed
2: Invalid arguments
3: Signature valid but requirement failed
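
The exit codes above can drive a release gate. The following is an added example, not part of the codesign documentation: it verifies each path with the verification options listed on this page and reports the exit status by meaning. The function names and the REQUIREMENT variable are hypothetical, and -R (test a requirement during verification) is a codesign option that this page does not list.

```sh
#!/bin/sh
# Added example: verify signed paths and report codesign's exit status by meaning.

# Map an exit status to the meaning listed under EXIT CODES.
codesign_status_text() {
  case "$1" in
    0) echo "valid" ;;
    1) echo "verification-failed" ;;
    2) echo "invalid-arguments" ;;
    3) echo "requirement-not-satisfied" ;;
    *) echo "unexpected-status-$1" ;;  # e.g. 127 when codesign is not installed
  esac
}

# verify_signed_path PATH [REQUIREMENT]
# Prints "<verdict> <path>" and returns codesign's own exit status.
# Runs in a subshell so its variables do not leak into the caller.
verify_signed_path() (
  path=$1
  requirement=${2:-}
  status=0
  set -- --verify --strict --deep --all-architectures
  if [ -n "$requirement" ]; then
    set -- "$@" -R "$requirement"   # status 3 can only occur when -R is used
  fi
  codesign "$@" "$path" || status=$?
  echo "$(codesign_status_text "$status") $path"
  exit "$status"
)

# gate_release PATH...
# Verifies every path (does not stop at the first failure) and returns
# non-zero if any of them is not "valid".
gate_release() (
  failed=0
  for p in "$@"; do
    verify_signed_path "$p" "${REQUIREMENT:-}" || failed=1
  done
  exit "$failed"
)

# Run as a script: sh verify.sh MyApp.app Helper.framework
if [ "$#" -gt 0 ]; then
  gate_release "$@"
fi
```
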

CAVEATS

Option order matters: the operation (verb) comes before the path (noun). An existing signature is replaced only when --force is given. Signing requires a valid signing identity in the Keychain.

SEE ALSO

security(1), spctl(8), xcrun(1)
