I already have a Verisign issued certificate that I can use to
successfully sign our application bundle. I am also setting the
kill flag like this :
codesign -s 'Our Name' -o kill OurApp.app
If I touch anything inside the application executable (or modify the
Info.plist) codesign correctly reports it has been modified.
However, the application will still launch. From reading the man
page of codesign, I would expect it not to run? I also tried
modifying the application while it was still running, and the
application didn't immediately exit.
Code Signing's main concern is the validation of running code. For
this, it only matters what parts of the executable have been actually
loaded into memory and are now in use (and thus changing the way the
program behaves). Poking the executable file of a running program may
not affect dynamic validity for several reasons. In particular, when a
program starts execution, the system makes a (virtual) copy of the
executable, so that changes to the file during execution are not
visible to the program (and thus don't affect validity).
Furthermore, there is a division-of-labor used here. A program is
considered valid if it passes both static and dynamic checks. Static
checks examine the files on disk. Dynamic checks involve a validity
flag maintained by the kernel. The kill flag applies only to dynamic
invalidity. In particular, if you've messed with the Info.plist, that
will be detected in the static validation path, and thus won't trigger
a kernel-kill despite the kill flag (the program is still dynamically
valid).
The "acid test" for Code Signing correctness is this: if you can make
a program *behave* differently by corrupting its files, it should be
invalid (as per the "codesign -v <pid>" standard, a dynamic
validation). If you can make a "hello world" program print out "hello
hack!" by hacking its disk image, you've found a bug (modulo the known
incompletenesses, i.e. library verification and automatic resource
validation, both of which are not in Leopard).
Am I completely wrong about what 'kill' should do to an application?
Not completely. Just partially. :-)
The kill flag does not mean "don't let me run if I'm invalid." It
means "kill me when I become (dynamically) invalid." It is a tool for
certain situations.
It is obviously useful to have a "only run valid programs" feature.
The only way to get this in Leopard is to enable Parental Controls (or
its alter ego, MCX). There is no "only run *my* program if it's valid"
feature because an attacker can re-sign your program after hacking it.
It won't be recognized as *your* program after that, of course, which
is why "only my" is pointless.
Oh, and why is it that complicated? Performance. Large parts of Code
Signing are there so it doesn't hit you with a large up-front
performance cost, and instead is amortized over the running time of
your program.
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed
Cynic.
---------------------------------------------------------------------------
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
