My real question's pretty vague, so I'll skip it for the moment and
ask a fairly focused one. Then, I'll just sort of casually mention
the real, vague one, in case someone feels loquacious and wants to
preach at me off-list ;-)

Focused question: is there some way I can get the Keychain code-
signature check to report the "subject" details of the signing
identity on a program requesting Keychain access? By default, I get a
dialog that names the program requesting the access, and details of
what it's requesting, and I can use codesigning to suppress that
prompt (all to the good), but if the signing key changes, I'd like the
user to have access to the identity of the new key. Possible? By some
GUI-enabled, reasonable-to-expect-for-non-hackers sort of means?

Real / vague question: how do I craft the workflows among my team (of
open-source developers, mind you) to get maximum benefit out of this
codesigning feature, with minimum hassle for the developers? I want to
improve the security of the end users above what we get without code
signing (which is basically "your binary changed, you sure about
that?"). But I don't want to throw obstacles at the developers, who
are after all volunteers (this being open source and all). I'm
unclear, for example, on what happens if someone installs one of my
Officially Really Signed distributions, and then builds one of their
own, either with no signing or with some key of their own. Likewise,
if some developer-signed build happens to get into circulation, how
does it interact with my Offeeecial distros? Can I empower my possibly-
not-so-hackerish users to know the difference easily? I've done some
experimenting, but this involves some tricks with the keyrings, and
particular verification steps, but both kinda assume I actually
understand what's going on, which actually I don't, totally.
-==-
Jack Repenning
email@hidden
Project Owner
SCPlugin
http://scplugin.tigris.org
"Subversion for the rest of OS X"