On 2 Mar '08, at 2:56 PM, Rainer Brockerhoff wrote:
Well, if your main binary is tamper-resistant with -kill,hard and
you implement some sort of checking for the other resources inside
that, producing a modified (but still signed) app becomes, at the
very least, extremely hard.
Sure. But how is the user supposed to tell whether the app is still
signed? A hacker could just strip the signature after meddling with
the binary, and the user wouldn't know the difference.
...so I want to publish some sort of public key, or file (.der?) on
my website that can be used to cross-check the signature using Apple
tools - at least the user can be sure the app matches the site.
Can't find any docs on that. Is there a recommended procedure for
such?
Export the certificate from Keychain Access and you'll have a
certificate file you can upload to your website.
A user can then download the file, double-click it, and Keychain
Access will import it. Then the user will have to open the cert in
Keychain Access and mark it as trusted.
But if you're going to make the user manually check the validity of
the app, it might be easier to just publish the SHA-1 checksum of the
binary on your website, and have the user compare it against the
output from "openssl dgst -sha1".
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
This email sent to email@hidden
