1. Is there a recommended way of signing executable (Mach-O) code
Mac OS X?
It depends on what you're after. If you want to sign a bundle and
later verify that it hasn't changed, Tiger contains a (new) "Manifest"
API that takes care of enumerating the bundle (or any other set of
files you care to specify) and produce a "signature" blob based on
CMS/X509 certificates. That will be officially supported in Tiger; it
doesn't exist in Panther and earlier.
These signatures are not currently useful for "live" self-verification
of a running program (for a number of nasty reasons). Perhaps this may
eventually change, but not for Tiger.
Can the Manifiest APIs be used to verify non-running programs or
frameworks prior to loading? In particular, I am worried about
validating plugins before I load them in my application. Also when
validating the signature, can I specify which roots the signing
certificate must chain to, or will the validation succeed if the
signing certificate chains to any of the users currently trusted root
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden