On 2 Mar '08, at 2:56 PM, Rainer Brockerhoff wrote:
Well, if your main binary is tamper-resistant with -kill,hard and
you implement some sort of checking for the other resources inside
that, producing a modified (but still signed) app becomes, at the
very least, extremely hard.
Sure. But how is the user supposed to tell whether the app is still
signed? A hacker could just strip the signature after meddling with
the binary, and the user wouldn't know the difference.
In order to achieve the nirvana of only running valid code, the system
must completely refuse to run unsigned code. Since that would really
have ruined third party developers' Leopard experience, we don't do
that in Leopard (except for the Parental Controls and firewall cases,
where we surreptitiously sign unsigned programs when they are
"enabled" to run).
Eventually you will all have signed your recent releases, and we'll
have fixed all the (important) bugs and closed all the (important)
holes, and a switch will materialize to this effect - to refuse (at
the kernel level) to run any code that isn't valid. But not in
Leopard. You can all thank me later. :-)
...so I want to publish some sort of public key, or file (.der?) on
my website that can be used to cross-check the signature using
Apple tools - at least the user can be sure the app matches the
site. Can't find any docs on that. Is there a recommended procedure
for such?
Export the certificate from Keychain Access and you'll have a
certificate file you can upload to your website.
A user can then download the file, double-click it, and Keychain
Access will import it. Then the user will have to open the cert in
Keychain Access and mark it as trusted.
Careful with the "trusted" word; it doesn't quite mean what most
people think. In most circumstances, Code Signing does not actually
require *on its own* that a signing certificate be trusted by the
system. Some subsystems do (the firewall, for example). But most don't.
But there's perfectly good ways to get this effect. You can make a
Code Requirement that expresses "made by me" and pass that during
validation.
Take a look at what Code Signing thinks your program is about:
$ codesign -d -r- cstest
...
# designated => identifier "com.apple.test.security.cstesttool" and
anchor leaf = H"061b3ea8addbb69e2f33d20e6b40aa596b33dd2e"
That "designated" line (gotten from -d -r, "give me the program's
internal requirements") tells you what Code Signing thinks it means to
be your program. The "identifier" clause determines the specific
program's identifier, and the "anchor leaf" clause requires that it be
signed by you. (The specific clauses vary depending on how you signed
your program, and what your certificates look like.) This is what (for
example) the keychain embeds in an item ACL to determine whether a
program is considered (equivalent to) yours when it requests access to
a keychain item.
You can pick those apart:
codesign -v -R='anchor leaf =
H"061b3ea8addbb69e2f33d20e6b40aa596b33dd2e"' /some/program
only checks whether /some/program was signed by your certificate, and
so it will pass all code signed by you (well, with that identity). You
can also put these requirement formulae in binary form into files (man
csreq).
Oh, and the magic word for "trusted certificate" is
codesign -v -R="anchor trusted" ...
which (by itself) means "anything signed by an identity that traces to
an anchor that *this system* trusts for Code Signing purposes. So
that's what you'd do after the "trust the certificate in Keychain
Access" step, if you want to go that way.
But if you're going to make the user manually check the validity of
the app, it might be easier to just publish the SHA-1 checksum of
the binary on your website, and have the user compare it against the
output from "openssl dgst -sha1".
You can (and, in fact, you can check for the SHA-1 hash of the
signature (the "cdhash") if you like, which includes resources and
such in the protected area). But using Code Signing (and CS
Requirements) means that *updates* are automatically recognized as
legitimate, and it allows you to express things like "everything made
by me" and such.
And, of course, Code Signing validation can be applied to running
programs (-v <pid>). That's where it really gets interesting...
Cheers
-- perry
---------------------------------------------------------------------------
Perry The Cynic email@hidden
To a blind optimist, an optimistic realist must seem like an Accursed
Cynic.
---------------------------------------------------------------------------
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Apple-cdsa mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/apple-cdsa/email@hidden
