Server for signing .pkpasses generated by PassKeepr
curl -F "pkpass=@path/to/pass.pkpass" https://[url]/sign --output path/to/output.pkpass
A few environment variables are needed to sign passes. They are as follows:
PK_key is the unencrypted private key from the CSR that is generated locally using Keychain Access (following these instructions: https://developer.apple.com/help/account/certificates/create-a-certificate-signing-request). Note that when you generate the CSR according to these instructions, it creates a new key pair in your keychain with the Common Name you entered (so picking a name that already exists in your keychain is allowed but is annoying to deal with). You can export this as a .p12 using Keychain Access (you can skip the export password by just not entering one), and then convert it to a .pem using the following:
openssl pkcs12 -in private-key.p12 -nocerts -out pass-key.pem -nodes
PK_cert and the suffixed PK_cert_[1-10] are the converted "Pass Type ID" certs that are created using the CSR, and can be downloaded from the Apple Developer website (https://developer.apple.com/account/resources/certificates/list). It is nice to have the bag attributes added to this cert, which can be done with the following:
openssl x509 -in pass.cer -inform der -out pass-cert.pem # convert the .cer downloaded from the Apple Developer website to .pem
openssl pkcs12 -export -inkey pass-key.pem -in pass-cert.pem -out pass.p12 # Combine cert and private key into a .p12
openssl pkcs12 -in pass.p12 -nokeys -out pass-cert-with-bag.pem # Convert from .p12 into .pem with Bag Attributes
Where pass-key.pem comes from the private key generated with your CSR as described above.
WWDR_cert is the WWDR intermediary cert, available from http://www.apple.com/certificateauthority/
You can verify the validity of your environment by signing a pass and using the signpass tool with the -v flag or by trying to open the signed pass in macOS (double click in Finder). Properly signed passes will open in a small preview window.
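Before deploying, the key material itself can be checked without signing anything. The script below is an added example, not part of this project: it confirms that the private key matches the Pass Type ID cert, that the cert has not expired, and that it verifies against the WWDR cert. The function name, the return codes and the file name wwdr.pem are assumptions, and the WWDR cert is assumed to have been converted to PEM already.

```shell
#!/bin/sh
# Added example: pre-flight check of the PEM files behind PK_key, PK_cert and WWDR_cert.

# check_pass_env KEY_PEM CERT_PEM WWDR_PEM
# Returns 0 when the material is usable; otherwise prints a reason and returns:
#   2 file missing, 3 unparsable, 4 key/cert mismatch, 5 expired, 6 chain failure
check_pass_env() {
    key=$1; cert=$2; wwdr=$3
    for f in "$key" "$cert" "$wwdr"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 2; }
    done

    # An empty -passin makes an encrypted key fail here instead of prompting;
    # the server expects the key unencrypted.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "cannot parse private key (encrypted or not PEM?)" >&2; return 3; }
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null) ||
        { echo "cannot parse certificate: $cert" >&2; return 3; }

    # The key must be the one the CSR (and so the Pass Type ID cert) was made from.
    [ "$key_pub" = "$cert_pub" ] ||
        { echo "private key does not match certificate" >&2; return 4; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate has expired" >&2; return 5; }

    # WWDR is an intermediate, not a self-signed root, so it is trusted as the
    # anchor with -partial_chain.
    openssl verify -partial_chain -CAfile "$wwdr" "$cert" >/dev/null 2>&1 ||
        { echo "certificate does not verify against the given WWDR cert" >&2; return 6; }

    echo "ok: key, certificate and WWDR cert are consistent"
}

# Stand-alone use: sh check.sh pass-key.pem pass-cert-with-bag.pem wwdr.pem
if [ "$#" -eq 3 ]; then check_pass_env "$@"; fi
```

A return code of 4 usually means the .p12 was exported from a different key pair than the one the CSR created.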