A command-line utility that extracts Apple-issued signing identities (i.e. certificates and private keys) from a keychain.
Its main use case is to transfer signing identities from one computer to another, for example from a developer's computer to a build machine.
The program reads the identities from a given keychain, filters them according to the specified criteria, then copies them to a second keychain. Note that the newly copied identities don't have any access control, so any application can access their private keys as long as the keychain is unlocked. This is useful in CI scenarios.
The program's arguments are as follows:
- -c TYPE
  - Filters the exported certificates according to their type. Allowed values are:
    - all: All certificate types (the default).
    - ios: Certificates for iOS, tvOS and watchOS applications.
    - mac: Certificates for Mac App Store applications.
    - devid: Certificates for Developer ID applications.
- -e ENV
  - Filters the exported certificates according to the environment. Allowed values are:
    - all: All environments (the default).
    - dev: Development environment.
    - prod: Production environment.
- -f
  - Remove any existing destination keychain.
- -k PATH
  - The path to the source keychain.
- -o PATH
  - The path to the destination keychain.
- -p PASSWD
  - The password with which to protect the destination keychain.
- -t TEAMID
  - Filters the exported certificates according to the given Apple Developer Program (ADP) Team ID.
- -u USER
  - Filters the exported certificates according to the given ADP user name.
- Validating that the certificates were actually issued by Apple.
- Validating that the certificates are valid and haven't been revoked.
- Validating the key usage.
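
Because the copied identities carry no access control, the unlocked state of the destination keychain is the only thing protecting the private keys on the build machine. The following wrapper is an added example, not part of this program: it uses macOS's `security` tool to keep that window short. The function name `with_signing_keychain`, the `KEYCHAIN_PASSWORD` environment variable, the 600-second timeout and the choice to delete the copy after use are assumptions.

```shell
#!/bin/sh
# Added example: run one command against the copied keychain, then lock and
# delete it. Assumptions: KEYCHAIN_PASSWORD comes from the CI secret store,
# the keychain is a disposable copy, and 600 s is an arbitrary timeout.

with_signing_keychain() {
    keychain=$1
    shift
    [ -f "$keychain" ] || { echo "no such keychain: $keychain" >&2; return 2; }
    [ -n "${KEYCHAIN_PASSWORD:-}" ] || { echo "KEYCHAIN_PASSWORD is not set" >&2; return 2; }

    # The copied private keys have no access control, so unlock as late as
    # possible. Note: -p places the password on the security command line.
    security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$keychain" || return 3
    # Backstop: auto-lock after the timeout even if this job is killed mid-build.
    security set-keychain-settings -u -t 600 "$keychain"

    # Run the command only if the keychain holds a valid code-signing identity.
    if security find-identity -v -p codesigning "$keychain" |
            grep -q '[1-9][0-9]* valid identities found'; then
        "$@"
        cmd_rc=$?
    else
        echo "no valid code-signing identity in $keychain" >&2
        cmd_rc=4
    fi

    # Close the window whatever the command returned.
    security lock-keychain "$keychain"
    security delete-keychain "$keychain"
    return "$cmd_rc"
}

# Example call (placeholders in angle brackets):
#   with_signing_keychain ci.keychain \
#       codesign --keychain ci.keychain --sign "<identity>" <bundle>
```

Passing `--keychain` to `codesign` restricts the identity lookup to the copied keychain, so the user's keychain search list does not need to be modified.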