Re: codesign can't find appropriate CRL

On Nov 1, 2009, at 3:42 PM, Martin Hairer wrote:

> Dear all,
>
> My application's code is signed with a self-signed Code Signing Certificate. Upon launch, it checks for its own integrity by running codesign against itself. This works fine for most users, but for some of them codesign returns a "can't find appropriate CRL" error.
>
> I suspect that these users have their keychain preferences set up differently, although I tried enabling CRL checking in my keychain and it had no impact. Is there a way of explicitly telling codesign not to care about CRLs? Am I completely off-track in interpreting this message? Thanks for any insight you might offer,

There is no way to explicitly disable CRL checks (at all). There is a way to force it *on* for a particular validation, but not off. (Yes, that's on purpose.)

CRL validation is done if the user preference is on *and* the certificate has a CRL Distribution Point extension.

Ask your reporters to turn off CRL checking in the keychain access preferences and see if that solves their problem. There *are* ways to configure this in ways that have interesting consequences (not the default; but we've had users twiddle with those preferences, forget all about it, and then wonder why stuff started going wrong for them).

Oh, and if you used something other than Certificate Assistant to make your self-signed certificate, check it for a CRL Distribution Point extension. You don't want one.

Cheers
  -- perry
---------------------------------------------------------------------------
Perry The Cynic                                             email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed Cynic.
---------------------------------------------------------------------------
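
The check suggested in the reply above (whether a certificate carries a CRL Distribution Point extension, OID 2.5.29.31) can be done by walking the certificate's DER structure. The following is an added example, not part of the original message or of any Apple tool; the function names are this example's own, and the sample certificate is a constructed, unsigned skeleton used only to exercise the parser.

```python
CRL_DP_OID = bytes([0x55, 0x1D, 0x1F])             # OID 2.5.29.31, cRLDistributionPoints
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # OID 2.5.29.19, used by the sample

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def extension_oids(cert_der):
    """Return the encoded OID of every v3 extension in a DER certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)       # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER certificate")
    _, tbs = next(children(cert))              # tbsCertificate comes first
    oids = []
    for tag, val in children(tbs):
        if tag == 0xA3:                        # [3] EXPLICIT Extensions
            _, ext_list = next(children(val))  # SEQUENCE OF Extension
            oids = [next(children(ext))[1] for _, ext in children(ext_list)]
    return oids

def has_crl_distribution_point(cert_der):
    return CRL_DP_OID in extension_oids(cert_der)

def tlv(tag, value):
    """Encode one DER element (short-form length is enough for the sample)."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def sample_cert(ext_oids):
    """Constructed, unsigned certificate skeleton carrying the given extensions."""
    empty = tlv(0x30, b"")
    exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, empty)) for o in ext_oids)
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + empty * 5 + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tbs + empty + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    for oids in ([BASIC_CONSTRAINTS_OID], [BASIC_CONSTRAINTS_OID, CRL_DP_OID]):
        print(has_crl_distribution_point(sample_cert(oids)))
```

For a real certificate, pass the DER bytes of the file to `has_crl_distribution_point`; a PEM file can first be converted with the standard library's `ssl.PEM_cert_to_DER_cert`.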

Apple-cdsa mailing list      (email@hidden)