added signing

Author: Wolfgang-check24

assets/images/spm_ca_cert_create_1.jpg

@@ -45,3 +45,26 @@ save this file as `package-metadata.json`
 - [Create via Keychain](packagesigningkeychain.md)
 - [Create manually via commandline](packagesigningmanual.md)
 
+### 3. Trusted store configuration
+Add the following to [(Security Configuration)](https://github.com/swiftlang/swift-package-manager/blob/main/Documentation/PackageRegistry/PackageRegistryUsage.md#security-configuration){:target="_blank"}
+in ```~/.swiftpm/configuration/registries.json```
+```json
+{
+    "security": {
+    "default": {
+      "signing": {
+        "onUnsigned": "error",
+        "onUntrustedCertificate": "error",
+        "trustedRootCertificatesPath": "/Users/[user]/.swiftpm/security/trusted-root-certs/",
+        "includeDefaultTrustedRootCertificates": true,
+        "validationChecks": {
+          "certificateExpiration": "disabled",
+          "certificateRevocation": "disabled"
+        }
+      }
+    }
+  },
+  ...
+}
+```
+This will ensure the signing is checked and the certificate is trusted by the client (xcode and/or swift-package).

assets/images/spm_ca_cert_create_2.jpg

@@ -7,21 +7,28 @@ nav_order: 1
 # Sign & create via Keychain_
 _Create a self-signed certificate via Keychain_
 
-## Create a Certificate
+### Create a Certificate
 1. Open keychain
-2. Create new certificate
+2. Go to Certificate Assistant > Create a Certificate Authority
+![Create CA 1](../../assets/images/spm_ca_create_1.jpg)
+![Create CA 2](../../assets/images/spm_ca_create_2.jpg)
+3. Go to Certificate Assistant > Create a Certificate
+3.a. Overwrite the default settings (leaf, code signing)
+![Create Cert 1](../../assets/images/spm_ca_cert_create_1.jpg)
+3.b. Choose previously created CA
+![Create Cert 2](../../assets/images/spm_ca_cert_create_2.jpg)
+3.c. Change Key Pair Information to ECC and 256 bits
+![Create Cert 3](../../assets/images/spm_ca_cert_create_3.jpg)
+3.d. Ensure Code Signing is enabled
+![Create Cert 4](../../assets/images/spm_ca_cert_create_4.jpg)
+4. Save it to keychain
 
-![Create Cert 1](../../assets/images/spm_cert_create_1.jpg)
-2a. Overright the default settings
-![Create Cert 2](../../assets/images/spm_cert_create_2.jpg)
-2b. Change Key Pair Information to ECC and 256 bits
-![Create Cert 3](../../assets/images/spm_cert_create_3.jpg)
-![Create Cert 4](../../assets/images/spm_cert_create_4.jpg)
-2c. Ensure Code Signing is enabled
-![Create Cert 5](../../assets/images/spm_cert_create_5.jpg)
-3. Save it to keychain
+### Add CA to trusted root
+1. Export the CA
+![Export CA](../../assets/images/spm_cert_export.jpg)
+2. Save in as CER in the trusted root dir: `~/.swiftpm/security/trusted-root-certs/`
 
-## Sign a Package & Publish
+### Sign a Package & Publish
 ```shell
 swift package-registry publish [scope].[Package] [version] \
       --metadata-path package-metadata.json \

assets/images/spm_ca_cert_create_3.jpg

@@ -5,14 +5,16 @@ nav_order: 2
 ---
 
 # Sign & create cert manually
-Manually create a self-signed certificate via commandline
+Manually create a self-signed certificate via commandline.
+{: .warning }
+Might be outdated or not working on your system. Recommend to use [Keychain](packagesigningkeychain.md) instead.
 
-#### Create a CA
+### Create a CA
 ```shell
 openssl genpkey -algorithm RSA  -outform der -out ca.key -pkeyopt rsa_keygen_bits:2048
 openssl req -x509 -new -nodes -key ca.key -sha256 -days 365  -outform der -out ca.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=OrgUnit/CN=RootCA"
 ```
-#### Create a certificate
+### Create a certificate
 ```shell
 openssl ecparam -genkey -name prime256v1  -outform der -out ecdsa.key
 openssl pkcs8 -topk8 -inform DER -outform PEM -in ecdsa.key -out ecdsa_temp.pem -nocrypt
@@ -33,33 +35,11 @@ extendedKeyUsage = codeSigning" > code_signing_ext.cnf
 
 openssl x509 -req -in ecdsa.csr -CA ca.crt -CAkey ca.key -CAcreateserial -outform der -out ecdsa.crt -days 365 -sha256 -extfile code_signing_ext.cnf -extensions v3_code_sign 
 ```
-#### Add CA to trusted root
+### Add CA to trusted root
 ```
 cp ca.crt ~/.swiftpm/security/trusted-root-certs/ca.cer
 ```
-##### Trusted store configuration
-Add the following to [(Security Configuration)](https://github.com/swiftlang/swift-package-manager/blob/main/Documentation/PackageRegistry/PackageRegistryUsage.md#security-configuration){:target="_blank"}
-in ```~/.swiftpm/configuration/registries.json``` 
-```json
-{
-    "security": {
-    "default": {
-      "signing": {
-        "onUnsigned": "error",
-        "onUntrustedCertificate": "error",
-        "trustedRootCertificatesPath": "/Users/[user]/.swiftpm/security/trusted-root-certs/",
-        "includeDefaultTrustedRootCertificates": true,
-        "validationChecks": {
-          "certificateExpiration": "disabled",
-          "certificateRevocation": "disabled"
-        }
-      }
-    }
-  },
-  ...
-}
-```
-#### publish with signing
+### publish with signing
 ```shell
 swift package-registry publish [scope].[Package] [version] \
       --metadata-path package-metadata.json \