On Mar 2, 2008, at 5:08 PM, Jens Alfke wrote:
On 2 Mar '08, at 2:56 PM, Rainer Brockerhoff wrote:
Well, if your main binary is tamper-resistant with -kill,hard and
you implement some sort of checking for the other resources inside
that, producing a modified (but still signed) app becomes, at the
very least, extremely hard.
Sure. But how is the user supposed to tell whether the app is still
signed? A hacker could just strip the signature after meddling with
the binary, and the user wouldn't know the difference.
In order to achieve the nirvana of only running valid code, the
system must completely refuse to run unsigned code. Since that would
really have ruined third-party developers' Leopard experience, we
don't do that in Leopard (except for the Parental Controls and
firewall cases, where we surreptitiously sign unsigned programs when
they are "enabled" to run).
Eventually you will all have signed your recent releases, and we'll
have fixed all the (important) bugs and closed all the (important)
holes, and a switch will materialize to this effect - to refuse (at
the kernel level) to run any code that isn't valid. But not in
Leopard. You can all thank me later. :-)
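Since Leopard will happily run an app whose signature has been stripped or broken, the only check available in practice is one the app (or an installer/launcher) performs itself. The following is an added example, not code from either poster or from Apple, showing how a developer can verify a bundle's static signature with the public Security.framework API and confirm that the CodeDirectory carries the kill and hard flags Rainer refers to. The path argument and the build line are assumptions; the Security API names (SecStaticCodeCreateWithPath, SecStaticCodeCheckValidityWithErrors, SecCodeCopySigningInformation, kSecCodeInfoFlags, kSecCodeSignatureKill, kSecCodeSignatureHard) are the documented ones.

```objective-c
// Added example (not from the thread): verify an application bundle's code
// signature and require the kill+hard CodeDirectory flags.
// Build (no ARC, manual CF memory management):
//   clang -framework Foundation -framework Security verify_sig.m -o verify_sig
// Run:  ./verify_sig /Applications/Some.app      (path is an assumption)
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Returns YES only when the bundle at `path` has a signature that validates
// (all architectures, nested code and sealed resources) AND whose flags
// include both kSecCodeSignatureKill and kSecCodeSignatureHard.
// Any other outcome (unsigned, stripped, modified, or signed without the
// flags) returns NO and fills `reason` with a short explanation.
static BOOL checkSignedWithKillHard(NSString *path, NSString **reason) {
    NSURL *url = [NSURL fileURLWithPath:path];
    SecStaticCodeRef code = NULL;
    OSStatus status = SecStaticCodeCreateWithPath((CFURLRef)url,
                                                  kSecCSDefaultFlags, &code);
    if (status != errSecSuccess) {
        *reason = [NSString stringWithFormat:@"not a code bundle (OSStatus %d)",
                   (int)status];
        return NO;
    }

    // Static validation: hashes every sealed page/resource against the
    // CodeDirectory. A stripped signature reports errSecCSUnsigned; an
    // altered binary or resource reports errSecCSSignatureFailed or
    // errSecCSBadResource respectively.
    CFErrorRef err = NULL;
    status = SecStaticCodeCheckValidityWithErrors(code,
                                                  kSecCSCheckAllArchitectures,
                                                  NULL /* designated requirement */,
                                                  &err);
    if (status != errSecSuccess) {
        NSString *why;
        switch (status) {
            case errSecCSUnsigned:        why = @"no signature (never signed or stripped)"; break;
            case errSecCSSignatureFailed: why = @"main executable modified after signing"; break;
            case errSecCSBadResource:     why = @"a sealed resource was modified"; break;
            default:                      why = [NSString stringWithFormat:@"validation failed (%d)", (int)status]; break;
        }
        *reason = why;
        if (err) CFRelease(err);
        CFRelease(code);
        return NO;
    }

    // Pull the CodeDirectory flags so we can insist on kill+hard: without
    // "kill" the kernel will not terminate the process on page-hash failure,
    // and without "hard" it will silently serve tampered pages.
    CFDictionaryRef info = NULL;
    status = SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info);
    CFRelease(code);
    if (status != errSecSuccess || info == NULL) {
        *reason = @"could not read signing information";
        return NO;
    }
    NSNumber *flagsNum = [(NSDictionary *)info objectForKey:(NSString *)kSecCodeInfoFlags];
    uint32_t flags = [flagsNum unsignedIntValue];
    CFRelease(info);

    BOOL hasKill = (flags & kSecCodeSignatureKill) != 0;
    BOOL hasHard = (flags & kSecCodeSignatureHard) != 0;
    if (!(hasKill && hasHard)) {
        *reason = [NSString stringWithFormat:@"signed, but flags=0x%x lack %s%s",
                   flags, hasKill ? "" : "kill ", hasHard ? "" : "hard"];
        return NO;
    }
    *reason = [NSString stringWithFormat:@"valid signature, flags=0x%x (kill,hard)", flags];
    return YES;
}

int main(int argc, const char *argv[]) {
    NSAutoreleasePool *pool = [[NSAutoreleasePool alloc] init];
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/Some.app\n", argv[0]);
        [pool drain];
        return 2;
    }
    NSString *reason = nil;
    BOOL ok = checkSignedWithKillHard([NSString stringWithUTF8String:argv[1]], &reason);
    NSLog(@"%@: %@", ok ? @"OK" : @"REJECT", reason);
    [pool drain];
    return ok ? 0 : 1;
}
```

The same two facts are visible from the command line: `codesign --verify --verbose Some.app` reports whether the seal still validates, and `codesign -d -vv Some.app` prints the CodeDirectory line, where `flags=0x300(kill,hard)` is what the check above insists on. Because Leopard itself does not enforce any of this, a launcher or the app's own startup code has to be the place that refuses to continue when the check fails, which is exactly the gap Perry describes above.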