From ec1b0cccb996aa388fc1af42e967f6e81b924ccc Mon Sep 17 00:00:00 2001 From: Daan Boerlage Date: Mon, 12 Feb 2024 21:01:22 +0100 Subject: [PATCH] Document how to sign on macOS --- readme.md | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/readme.md b/readme.md index 1f52191..aa85160 100644 --- a/readme.md +++ b/readme.md @@ -17,8 +17,24 @@ The setup was mostly done by following these two guides: ### Required Software * OpenSSL +* libp11 * [YKCS11](https://developers.yubico.com/yubico-piv-tool/YKCS11/) - * [AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module) + *[AUR Link](https://aur.archlinux.org/packages/ykcs11-p11-kit-module) + +**macOS note:** openssl installed via homebrew does not pickup on libp11, you need to manually copy the pkcs11 library (update the versions): +`cp /opt/homebrew/Cellar/libp11/0.4.12/lib/engines-3/pkcs11.dylib /opt/homebrew/Cellar/openssl@3/3.2.1/lib/engines-3/` + +### Environment Variables + +These must be set for all openssl operations. + +Linux: + +- `PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"` + +macOS: + +- `PKCS11_MODULE_PATH="/opt/homebrew/lib/libykcs11.dylib"` ### Generating the Root @@ -31,9 +47,6 @@ echo 1000 > serial echo 1000 > crlnumber # OpenSSL CA config file vim config/ca.conf -# Setting up PKCS11 -export PKCS11_MODULE_PATH="/usr/lib/libykcs11.so" -export MODULE_PATH="/usr/lib/libykcs11.so" # Generating the root openssl req -new -x509 -days 8000 -sha256 -extensions v3_ca -engine pkcs11 -keyform engine -key "pkcs11:object=Private key for PIV Authentication" -out certs/root.ca.cert.pem ```
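Review bot: In the first hunk (readme.md, "Required Software"), the macOS `cp` command hardcodes two Homebrew Cellar versions (`libp11/0.4.12` and `openssl@3/3.2.1`), so the fix silently disappears on the next upgrade: a new openssl@3 version is installed into a new versioned directory that does not contain the copied `pkcs11.dylib`. "Update the versions" covers the first run only; the note should also say that the copy has to be repeated after every upgrade of either package, and ideally tell readers how to find the installed versions rather than editing the paths by hand. Separately, the changed AUR line now reads `*[AUR Link](...)` where the removed line had `* [AUR Link](...)`. Without the space after the asterisk it no longer renders as a nested list item, and the change looks unintended for a commit that documents macOS signing.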
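Review bot: In the second hunk (readme.md, "Generating the Root"), removing both `export` lines leaves the shell block with an `openssl req ... -engine pkcs11` call and nothing in the block that sets `PKCS11_MODULE_PATH`, so anyone who copies the block on its own runs the engine without a module path. The new "Environment Variables" section lists the values as bullets (`PKCS11_MODULE_PATH="/usr/lib/libykcs11.so"`) rather than as `export` commands, which makes that easy to miss. Keep a comment line in the block pointing back to that section, or write the entries there in `export` form so they can be pasted directly. The patch also drops `export MODULE_PATH=...` without listing `MODULE_PATH` in the new section or saying in the commit message that it was unnecessary; state which of the two is the case.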