Identifying a Cloud Managed Signing Certificate


Recently I’ve been playing around with Xcode Cloud, with a focus on learning more about its cloud signing feature. One question that came up is how to distinguish a cloud signing certificate from a standard one. In Certificates, Identifiers, and Profiles this is easy: Cloud signing certificates have a Managed suffix. But what about in a built binary?

After a bit of digging, I discovered that a cloud signing certificate has a special OID that identifies it as such. Consider:

% codesign -d --extract-certificates CloudSigningTest.app
…
% mv codesign0 codesign0.cer
% dumpasn1 -a -p codesign0.cer
SEQUENCE {
  SEQUENCE {
    …
    [3] {
      SEQUENCE {
        …
        SEQUENCE {
          OBJECT IDENTIFIER '1 2 840 113635 100 6 1 32'
          OCTET STRING, encapsulates {
            NULL
            }
          }
        }
      }
    }
  …
  }

This is actually documented on the Apple PKI page, in Certification Practice Statement > Developer ID > 2.2 Community and Applicability, which says:

Cloud Managed certificates include an additional non-critical custom extension OID 1.2.840.113635.100.6.1.32 to indicate they are Cloud managed.

So, there you go!
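As an added illustration (not part of the original post), here is a small Python checker that walks the DER of an extracted certificate and reports its extension OIDs, so the Managed marker can be spotted from a script instead of by eye in dumpasn1. Only the OID comes from the post; the parser and the stand-in certificates are constructed for this example, and on a real system you would feed it the codesign0 file that codesign extracts.

```python
# Constructed example: a minimal DER walker; only CLOUD_MANAGED_OID comes from the post.
CLOUD_MANAGED_OID = "1.2.840.113635.100.6.1.32"
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length (real certs need this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _children(value: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val
def decode_oid(body: bytes) -> str:
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [], 0
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)                       # first arc is 0, 1 or 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def extension_oids(der: bytes) -> list:
    """OIDs of every SEQUENCE shaped like an X.509 Extension (OID, optional BOOLEAN
    critical, OCTET STRING), reached by descending through tbsCertificate and the [3] wrapper."""
    found = []
    for tag, val in _children(der):
        if tag == 0x30:
            kids = list(_children(val))
            if kids and kids[0][0] == 0x06 and kids[-1][0] == 0x04:
                found.append(decode_oid(kids[0][1]))
            else:
                found.extend(extension_oids(val))
        elif tag & 0x20:                                # other constructed tags, e.g. [3]
            found.extend(extension_oids(val))
    return found
def is_cloud_managed(der: bytes) -> bool:
    return CLOUD_MANAGED_OID in extension_oids(der)
def _tlv(tag: int, body: bytes) -> bytes:               # short-form lengths suffice for the samples
    return bytes([tag, len(body)]) + body
# Constructed stand-in certificates: only the [3] extensions block is modelled.
_KEY_USAGE = _tlv(0x30, _tlv(0x06, bytes.fromhex("551d0f")) + _tlv(0x01, b"\xff") + _tlv(0x04, bytes.fromhex("03020780")))
_CLOUD = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f76364060120")) + _tlv(0x04, _tlv(0x05, b"")))
_cert = lambda *exts: _tlv(0x30, _tlv(0x30, _tlv(0xA3, _tlv(0x30, b"".join(exts)))))
SAMPLE_CLOUD_CERT = _cert(_KEY_USAGE, _CLOUD)           # carries the Managed extension
SAMPLE_STANDARD_CERT = _cert(_KEY_USAGE)                # does not
```

For a real check, read codesign0 as bytes and pass it to is_cloud_managed; a False result on a certificate you expected to be Managed is worth a second look in Certificates, Identifiers, and Profiles.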

And yes, I realise that it’s possible that the only person who’ll ever need to reference this post is Future Quinn™, but I’m OK with that (-:

If you have questions or comments, start a new thread here on DevForums and tag it with Signing Certificates so that I see it.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
