June, 2024 – Graham Miln

Ad-Hoc Code Signing a Mac Application

For third-party applications and binaries that you compile yourself, and that require code signing, use an ad-hoc code signature.

An ad-hoc signature does not provide reliable security benefits, because it is not backed by any signing identity or certificate. It can still be used to detect whether the application has been changed since it was signed, and to apply security restrictions, such as entitlements, to the application.

An ad-hoc signature validates with codesign but is rejected by spctl, the command line front end to Gatekeeper. Whether this matters depends on the binary being signed. For applications and executables that you build locally, it is unlikely to matter, because Gatekeeper assesses downloaded (quarantined) files and is not run on locally created binaries.

Why Code Sign?

Regarding the refined question:

How should I handle unsigned source code that I compile myself, since I don’t expect contributors to always be able to, or remember to, sign their code, especially when it comes to tiny contributions to open source projects with many contributors.

For most self-compiled applications, there is no need for code signing. This assumes you trust the application’s code. On macOS, you can open untrusted applications from the Finder; see Apple’s Open an app from an unidentified developer.

If you do not trust the code or the developers, do not compile or run the application.

Your Responsibility

The provider of the source code has no responsibility or obligation to provide pre-built, code-signed binaries. Because the application is self-compiled, all code signing is your choice and your responsibility.

In either case, only the final binaries are signed. The original source code and resources are not signed.

Source Code is Not Signed

Source code itself cannot be code signed in a meaningful way for macOS. Source files can be digitally signed, as any other file can be, but this has no effect on how macOS treats the resulting application or binary.

How to Ad-Hoc Code Sign a Mac Application

To codesign an application on macOS with an ad-hoc signature, pass a single dash (-) as the identity to the -s flag:

codesign --force -s - </path/to/application>

All the other rules, requirements, and permutations of the codesign command remain the same.

The --force flag is used here to overwrite any existing signature.

You might need to add the --deep flag to the codesign command to sign nested code such as frameworks, plug-ins and embedded XPC services; without it, codesign signs only the outer bundle.
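The steps above, and the codesign-versus-spctl behaviour described earlier, put together as an added shell script. This is example code written for this page, not the author's own script: it assumes macOS with the Xcode command line tools (codesign and spctl) on PATH, decides whether --deep is worth adding by looking for the usual nested-code directories inside a bundle, applies the ad-hoc signature, checks it with codesign --verify, and then shows the expected spctl rejection.

```shell
#!/bin/sh
# Ad-hoc sign a macOS app bundle (or bare executable) and verify the result.
# Added example, not from the original post. Assumes macOS with codesign and
# spctl available; the helper names below are this example's own.
set -u

# needs_deep APP: true (exit 0) when the bundle carries nested code that a
# plain "codesign -s -" on the outer bundle would leave unsigned.
needs_deep() {
    app=$1
    for sub in Contents/Frameworks Contents/PlugIns Contents/XPCServices \
               Contents/Library/LoginItems Contents/Helpers; do
        # A non-empty directory means nested code is present.
        if [ -d "$app/$sub" ] && [ -n "$(ls -A "$app/$sub" 2>/dev/null)" ]; then
            return 0
        fi
    done
    return 1
}

# codesign_args APP: print the arguments for an ad-hoc signature of APP.
# "-s -" selects the ad-hoc identity; --force replaces an existing signature;
# --deep is added only when nested code was found.
codesign_args() {
    if needs_deep "$1"; then
        printf '%s\n' "--force --deep -s -"
    else
        printf '%s\n' "--force -s -"
    fi
}

# sign_adhoc TARGET: sign, then report what codesign and spctl each say.
# Returns 2 for a usage problem, 1 when signing or verification fails.
sign_adhoc() {
    target=$1
    [ -e "$target" ] || { echo "no such path: $target" >&2; return 2; }
    command -v codesign >/dev/null 2>&1 || { echo "codesign not found (macOS only)" >&2; return 2; }

    args=$(codesign_args "$target")
    # Word-splitting of $args is intended: it holds separate flags.
    codesign $args "$target" || return 1

    # Integrity check: a valid ad-hoc signature passes this.
    codesign --verify --strict --verbose=2 "$target" \
        || { echo "signature does not verify" >&2; return 1; }

    # Gatekeeper policy check: rejection is the expected outcome for an
    # ad-hoc signature, since no identified developer backs it.
    if spctl --assess --type execute "$target" 2>/dev/null; then
        echo "spctl accepted $target"
    else
        echo "spctl rejected $target (expected for an ad-hoc signature)"
    fi
    return 0
}

# Usage: sh adhoc-sign.sh /path/to/Application.app
if [ -n "${1:-}" ]; then
    sign_adhoc "$1"
fi
```

Run it against the .app bundle, not the executable inside Contents/MacOS, so that the signature and any entitlements apply to the bundle as a whole. The --deep heuristic is a convenience only: Apple's guidance is to sign nested code explicitly, innermost first, and --deep is a shortcut that applies the same options to everything it finds.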

I originally published this answer on Ask Different.