
Re: Application code signing confusion



At 17:08 -0800 02/03/08, Jens Alfke wrote:
>On 2 Mar '08, at 2:56 PM, Rainer Brockerhoff wrote:
>
>>Well, if your main binary is tamper-resistant with -kill,hard and you implement some sort of checking for the other resources inside that, producing a modified (but still signed) app becomes, at the very least, extremely hard.
>
>Sure. But how is the user supposed to tell whether the app is still signed? A hacker could just strip the signature after meddling with the binary, and the user wouldn't know the difference.

Right. Of course, a more-savvy user can run "codesign -d -vvvv" on the app to check, as I said. But there really should be an easier way... maybe a "show certificate" button in the Finder's Get Info. I'll file a bug for that.


>>...so I want to publish some sort of public key, or file (.der?) on my website that can be used to cross-check the signature using Apple tools - at least the user can be sure the app matches the site. Can't find any docs on that. Is there a recommended procedure for such?
>
>Export the certificate from Keychain Access and you'll have a certificate file you can upload to your website.
>A user can then download the file, double-click it, and Keychain Access will import it. Then the user will have to open the cert in Keychain Access and mark it as trusted.

Not sure I get how this would help.

I don't want the user to import the certificate into the keychain, or mark it as trusted at all; I want the user to check the downloaded certificate against the one used in signing the app... something like:
	codesign --certificate /path/to/certificate --verify /path/to/the.app
at the very least.


>But if you're going to make the user manually check the validity of the app, it might be easier to just publish the SHA-1 checksum of the binary on your website, and have the user compare it against the output from "openssl dgst -sha1".

Sure, I could do this for the .dmg file, but openssl doesn't do digests for a bundle, so it wouldn't be useful to verify that an already-installed application is still unchanged.

-- 
Rainer Brockerhoff  <email@hidden>
Belo Horizonte, Brazil
"In the affairs of others even fools are wise
 In their own business even sages err."
Weblog: http://www.brockerhoff.net/bb/viewtopic.php
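The check asked for in this message, as an added example that is not code from the thread or from Apple: a user verifies that an installed bundle is still intact and that its signing certificate matches a fingerprint the developer publishes on the website, using only codesign(1) and openssl(1). It assumes a current macOS (the --deep and --strict options postdate this 2008 thread) and that the published value is the SHA-1 fingerprint of the leaf certificate as "openssl x509 -fingerprint -sha1" prints it.

```shell
#!/bin/sh
# Added example: check an installed .app against a published certificate
# fingerprint. Assumes codesign(1) with --deep/--strict and openssl(1).
# Normalize a fingerprint to bare upper-case hex so that forms such as
# "SHA1 Fingerprint=ab:cd:..." and "ABCD..." compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}
# Succeed when two fingerprints denote the same certificate.
same_fp() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}
# Step 1: is the bundle still intact? Fails if the executable or any sealed
# resource was modified, and also if the signature was stripped outright,
# which is how a user tells a signed copy from a tampered, unsigned one.
bundle_intact() {
    codesign --verify --deep --strict --verbose=2 "$1"
}
# Step 2: fingerprint of the certificate that actually signed the bundle.
# codesign writes the chain as DER files codesign0 (leaf), codesign1, ...
# into the current directory, so work from a temporary directory.
leaf_fingerprint() {
    app=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && codesign -d --extract-certificates "$app" ) || { rm -rf "$tmp"; return 1; }
    fp=$(openssl x509 -inform DER -in "$tmp/codesign0" -noout -fingerprint -sha1)
    rm -rf "$tmp"
    normalize_fp "$fp"
}
# The same check in codesign's requirement language: the "--certificate"
# option wished for in the message is spelled -R with a leaf certificate
# hash (an argument starting with "=" is an inline requirement string).
leaf_matches_requirement() {
    codesign --verify -R="certificate leaf = H\"$(normalize_fp "$2")\"" "$1"
}
verify_app() {
    bundle_intact "$1" || { echo "FAIL: $1 is modified or unsigned"; return 1; }
    actual=$(leaf_fingerprint "$1") || return 1
    same_fp "$actual" "$2" || { echo "FAIL: signer $actual != published"; return 1; }
    echo "OK: $1 is intact and signed with the published certificate"
}
# Usage: sh verify-app.sh /Applications/Foo.app <published SHA-1 fingerprint>
if [ "$#" -eq 2 ]; then verify_app "$1" "$2"; fi
```

Publishing the fingerprint rather than the certificate file avoids any keychain import or trust decision on the user's side, and unlike a digest of the .dmg it can be re-run against the installed bundle at any time.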
