How to make new certificate recognised?

Question

We have a large number of Mac Minis that are running a piece of software that we have developed and have been distributed to various clients.

We recently updated our code signing certificate as the old one had expired. However, when we put a new version of the application which is signed with the new certificate on one of these machines, it pops up asking to 'Allow Once', 'Allow Always' etc.

Since we have to remotely update these machines, it is not practical to click 'Allow Always' and type in the password on all these machines. Is there a command line way to make the new certificate recognised so that if a machine is updated with a version containing the new certificate, it will run straight away?

Answer 1

Turned out it wasn't a problem with the certificate after all, it was that the application signature used by parental controls changed when the certificate changed. This was fixed by manually editing the parental controls file to contain the new signature.

Answer 2

Copy the certificate to the client (in DER or PEM format), then run:

sudo security add-trusted-cert -d /path/to/certificate

At least, that works for SSL certificates; I haven't tried it for code signing. You might need to add -p codeSign or something similar. Also, this sets a trust policy for the certificate, but doesn't actually add it to the system keychain. If you want it to appear there as well, you also need to run:

sudo security add-certificate -k /Library/Keychains/System.keychain /path/to/certificate