On Mar 2, 2008, at 5:39 PM, Rainer Brockerhoff wrote:
> Right. Of course, a more-savvy user can run "codesign -d -vvvv" on
> the app to check, as I said. But there really should be an easier
> way... maybe a "show certificate" button in the Finder's Get Info.
> I'll file a bug for that.
> The implementation of code signing Leopard gave birth to was
> stillborn,
Technically no, it isn't, but I think the "birth" analogy is probably
correct. There is a newborn code signing mechanism introduced in
Leopard that we know needs to "grow up" in future releases. We wanted
what came out in Leopard to fulfill a couple of purposes:
1) Change the way keychain ACLs behave when code is updated
2) Provide a means for "beefier" enforcement of Parental Controls/Managed Desktop
3) Provide a means for the Application Firewall to recognize code
1 and 2 worked out very well. Keychain "application changed" dialogs
for signed applications are pretty much a thing of the past now. MCX
no longer relies on simplistic mechanisms to determine if an
application is allowed to run.
3 was not as good as we would have liked. We're working on further
solutions for our part of that. Part of the problem is lack of signed
3rd party applications/tools. The more applications that are signed
by the developer the better the system will work. Failing that, we
end up needing to "ad-hoc" sign them in place. The ad-hoc signing
caused several apps to break.
> and aside from a few fringe cases, going through all the trouble
> required to use it typically has very little effect on anything.
It has a huge effect on things in Leopard if you need to access
keychain items, go through the firewall, or want to make sure that if
someone is using your application in a managed environment that
administrators (or parents) don't need to re-allow the application to
be run.
> I wouldn't expect to see any kind of meaningful certificate
> validation being done for a very long time, if ever, so I'd probably
> spend some time evaluating whether or not my application was really
> attractive enough a target to the gangs of roving hackers you seem
> to be afraid of before going hog wild here. Jens' suggestion makes
> the most sense to me.
The code is capable of supporting very stringent cert chain validation
if we decide to enable it.
Signing your code allows it to interact with Leopard for some basic
functionality that allows the system to recognize your application.
As Mac OS X progresses there will be more of the system that will rely
on applications and tools being positively identified before special
services are made available to them. Getting your process set up now
to sign your applications and tools will allow you to benefit as the
OS introduces those features.
- murf
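The "codesign -d -vvvv" check Rainer mentions, and the distinction murf draws between developer-signed and ad-hoc-signed code, as an added shell example that is not from this thread: it classifies a codesign report as unsigned, ad-hoc, or signed by a named leaf authority. The report format it parses (Authority= lines, a Signature=adhoc line, the "not signed at all" message) and the three sample reports are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed codesign report format:
# one "Authority=<name>" line per certificate in the chain (leaf first),
# "Signature=adhoc" for ad-hoc signatures, and the message
# "code object is not signed at all" for unsigned code.

# classify_signature: read a codesign -d -vvvv report on stdin and print
# one of: unsigned | adhoc | signed:<leaf authority> | unknown
classify_signature() {
    report=$(cat)
    if printf '%s\n' "$report" | grep -q 'not signed at all'; then
        echo unsigned; return 0
    fi
    if printf '%s\n' "$report" | grep -q '^Signature=adhoc'; then
        echo adhoc; return 0
    fi
    # The first Authority= line names the certificate that signed the code.
    leaf=$(printf '%s\n' "$report" | grep '^Authority=' | head -n 1 | cut -d= -f2-)
    if [ -z "$leaf" ]; then
        echo unknown; return 1
    fi
    echo "signed:$leaf"
}

# inspect_app: run the real check on a bundle (macOS only). codesign writes
# its report to stderr, so the streams are merged before parsing.
inspect_app() {
    codesign -d -vvvv "$1" 2>&1 | classify_signature
}

# Constructed sample reports (assumed format, not captured from a real app).
SAMPLE_SIGNED='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
CodeDirectory v=20001 size=200 flags=0x0(none) hashes=5+3 location=embedded
Authority=Example Developer
Authority=Example Intermediate CA
Authority=Example Root CA
Sealed Resources rules=4 files=2'

SAMPLE_ADHOC='Executable=/Applications/Other.app/Contents/MacOS/Other
Identifier=com.example.Other
Signature=adhoc
Sealed Resources rules=4 files=2'

SAMPLE_UNSIGNED='/Applications/Old.app: code object is not signed at all'

printf '%s\n' "$SAMPLE_SIGNED"   | classify_signature   # signed:Example Developer
printf '%s\n' "$SAMPLE_ADHOC"    | classify_signature   # adhoc
printf '%s\n' "$SAMPLE_UNSIGNED" | classify_signature   # unsigned
```

On a Mac, `inspect_app /Applications/Some.app` runs the same classification against a real bundle; an "adhoc" result is the in-place signing murf describes, not a developer-issued certificate.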
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden