At 12:00 -0800 02/03/08, email@hidden wrote:
>Date: Sun, 2 Mar 2008 13:04:38 +0000
>From: "David Simpson" <email@hidden>
>Message-ID:
> <email@hidden>
>
>I'm somewhat confused about application code signing. My goal is not
>getting keychain access or any privileged API but to make our application
>more hacker- and tamper-resistant.
>
>I already have a Verisign issued certificate that I can use to successfully
>sign our application bundle. I am also setting the kill flag like this :
>
>codesign -s 'Our Name' -o kill OurApp.app
>
>If I touch anything inside the application executable (or modify the
>Info.plist) codesign correctly reports it has been modified.
>
>However, the application will still launch. From reading the man page of
>codesign, I would expect it not to run? I also tried modifying the
>application while it was still running, and the application didn't
>immediately exit.
Try also setting the "hard" flag like this:
codesign -s 'Our Name' -o kill,hard OurApp.app
at least, for me, that gives a load error when a modified binary is run. It doesn't check other resources (not sure about the Info.plist).
>Date: Sun, 2 Mar 2008 10:54:19 -0800
>From: Jens Alfke <email@hidden>
>
>On 2 Mar '08, at 5:04 AM, David Simpson wrote:
> > could someone point me to some code that would allow me to check the
>> validity of the application inside our own code?
>
>Checking your own validity doesn't seem very useful for hack-
>resistance, since any hacker patching the binary can just delete the
>code that runs the check.
Well, if your main binary is tamper-resistant with -o kill,hard and you implement some sort of checking for the other resources inside that, producing a modified (but still signed) app becomes, at the very least, extremely hard. I can't see any API for that, but libsecurity_codesigning in the Darwin source looks, from a quick read, like it would do that.
This leads me to a complementary question. I have a self-signed certificate and I sign my code with that. Running codesign -d -vvvv on my app just yields the information that it's signed by "Rainer Brockerhoff". Anybody could strip off my signature, modify my app, and resign it with another self-signed certificate generated in my name...
...so I want to publish some sort of public key, or file (.der?) on my website that can be used to cross-check the signature using Apple tools - at least the user can be sure the app matches the site. Can't find any docs on that. Is there a recommended procedure for such?
TIA,
--
Rainer Brockerhoff <email@hidden>
Belo Horizonte, Brazil
"In the affairs of others even fools are wise
In their own business even sages err."
Weblog: http://www.brockerhoff.net/bb/viewtopic.php
_______________________________________________
Apple-cdsa mailing list (email@hidden)
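One way to do the cross-check Rainer asks for in the last two paragraphs, as an added example that is not code from any poster on this thread or from Apple: the developer publishes the SHA-1 fingerprint of the certificate they sign with, and the user compares it with the leaf certificate embedded in the app's signature, then has codesign verify the app under a requirement that pins that certificate. Assumptions: codesign(1) supports `-d --extract-certificates=<prefix>` (writing the chain as DER files `<prefix>0` for the leaf, `<prefix>1`, ... ; check your version's man page) and `--verify -R "=<requirement>"`; the published fingerprint is the hex SHA-1 of the leaf certificate's DER encoding. The hashing and requirement-building helpers run anywhere; only the functions that invoke codesign need macOS, and the `b"abc"` input used below to exercise them is a constructed stand-in for a DER certificate, not a real one.

```python
"""Cross-check a codesign signature against a certificate fingerprint that the
developer published out of band (for instance on their website).

Added example for this thread; not code from the posters or from Apple.
Assumed codesign(1) behaviour: `-d --extract-certificates=<prefix>` dumps the
chain as DER files <prefix>0 (leaf), <prefix>1, ...; `--verify -R "=<req>"`
tests the signature against a requirement given as text.
"""
import hashlib
import os
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path


def sha1_fingerprint(der: bytes) -> str:
    """Fingerprint of a DER-encoded certificate: hex SHA-1, which is the hash
    form the Code Signing Requirement Language's H"..." literal refers to."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Accept 'A9:99:3E...', 'a999 3e...' or bare hex; return uppercase hex."""
    return "".join(ch for ch in text if ch.isalnum()).upper()


def matches_published(der: bytes, published: str) -> bool:
    """True if `der` is the certificate whose fingerprint was published."""
    return sha1_fingerprint(der) == normalize_fingerprint(published)


def leaf_requirement(published: str) -> str:
    """Requirement text pinning the signing (leaf) certificate by hash. A copy
    re-signed with another self-signed cert bearing the same name fails this,
    which a plain `codesign -v` would not catch."""
    return 'certificate leaf = H"%s"' % normalize_fingerprint(published).lower()


def extract_leaf_der(app_path: str) -> bytes:
    """Ask codesign to dump the signature's certificate chain; <prefix>0 is the leaf."""
    with tempfile.TemporaryDirectory() as tmp:
        prefix = os.path.join(tmp, "cert")
        subprocess.run(
            ["codesign", "-d", "--extract-certificates=" + prefix, app_path],
            check=True, capture_output=True,
        )
        return Path(prefix + "0").read_bytes()


def verify_against_published(app_path: str, published: str) -> bool:
    """Two checks: the embedded leaf certificate matches the published
    fingerprint, and codesign validates the signature under a requirement
    pinning that certificate (so the seal itself is also checked)."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign(1) not available; run this on macOS")
    if not matches_published(extract_leaf_der(app_path), published):
        return False
    result = subprocess.run(
        ["codesign", "--verify", "-v", "-R", "=" + leaf_requirement(published), app_path],
        capture_output=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s App.app <published-sha1-fingerprint>" % sys.argv[0])
    ok = verify_against_published(sys.argv[1], sys.argv[2])
    print("signature matches the published certificate" if ok
          else "MISMATCH: this copy was not signed with the published certificate")
    sys.exit(0 if ok else 1)
```

This only answers the "does the app match the site" question for a user who fetched the fingerprint over a channel they trust (HTTPS to the developer's site); it does nothing for Jens's point, since an attacker patching the binary can still remove any check the app performs on itself.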