Code signing

Code signing is only available on the Professional and Enterprise plans. You may create an organization to start a 14 day trial of the Professional plan.

Code signing is the process of digitally signing applications and scripts to confirm the software author and guarantee that the code has not been tampered since it was signed. This helps users and other software to determine whether the software can be trusted.

Since code signing is an important part of distributing an application to users, Equo provides an automated way to sign your application for every platform, and certify that it was actually created by your company.

Signing an application with Equo

By default, Equo will automatically sign your installers and applications after you connect a Git repository to your application in the Equo Dashboard.

The only prerequisite is that you must first configure your organization certificate in the Equo Dashboard. That’s it; Equo will sign your applications automatically.

We are also working on a feature that will allow users to use our own certificates to sign their apps. Then you won’t need to configure any certificate at all to sign your application. Please contact us if you want to try this feature.

Signing an application from external CI/CD systems

Another alternative to sign your applications, libraries, and executables is by using the signing API that Equo provides from your own CI/CD infrastructure.

Prerequisites

Before you can sign your software from your CI/CD infrastructure, make sure you have done the following:

  1. Configure an organization certificate

  2. Create an organization token

  3. Get the organization slug from your organization settings (you will need it when calling the signing API)

Signing an application using the Equo API

Once you have configure a certificate and token for your organization, you can use the code signing API that Equo provides to sign your software.

With the code signing API you can sign applications, libraries, executables, and scripts. You just need to make a call to the code signing API with the file of your software, like it’s shown below:

curl -v -H "Authorization: Bearer $TOKEN" -F file=@/Users/home/Downloads/sample.jar -o signed-jar.jar https://dashboard.equo.dev/sign/ORGSLUG

The previous example shows how you can sign a jar file calling the signing API. You can also sign executables, binaries, and other libraries.

The $TOKEN parameter is the token you created for your organization, which is needed to authenticate with the Equo API.

If you are signing a macOS application, it’s a good idea to define an entitlements file. An entitlement is a right that grants an executable particular capabilities. For further information about entitlements check out the official Apple documentation.

The API call which signs a macOS application would be:

curl -v -H "Authorization: Bearer $TOKEN" -F file=@application.zip -F entitlements=@path/to/entitlements/entitlements_file.xml -o signed-application.zip https://dashboard.equo.dev/sign/ORGSLUG
macOS .app applications are actually directories, then you can’t sign a directory. In order to sign a .app application you first need to compress it (i.e. as a zip file), and use the compressed file in the API call.

Notarizing an application using the Equo API

The Notarization process gives users more confidence that the signed software you distribute has been checked by Apple for malicious components. The following API call shows how to notarize your macOS software using the Equo API:

curl -v -H "Authorization: Bearer $TOKEN" -F file=@application.zip -F entitlements=@path/to/entitlements/entitlements_file.xml -o signed-application.zip https://dashboard.equo.dev/sign/ORGSLUG
Beginning in macOS 10.14.5, software signed with a new Developer ID certificate and all new or updated kernel extensions must be notarized to run.