At 12:00 -0800 03/03/08, email@hidden wrote:
>Date: Mon, 3 Mar 2008 11:20:02 -0800
>From: Perry The Cynic <email@hidden>
>Message-ID: <email@hidden>
>
>You can pick those apart:
> codesign -v -R='anchor leaf = H"061b3ea8addbb69e2f33d20e6b40aa596b33dd2e"' /some/program
>only checks whether /some/program was signed by your certificate, and
>so it will pass all code signed by you (well, with that identity). You
>can also put these requirement formulae in binary form into files (man
>csreq).
Well thanks Perry, it took me a few days to realize you were answering my question about checking who signed an app.
However the line above gives an error, but some experimenting showed me that if I do:

    codesign -vvvv -R='anchor = H"4CBB97C74336F7EE6AA566122A5E7688E1C725DC"' My.app

I get:

    My.app: valid on disk
    My.app: satisfies its Designated Requirement
    My.app: explicit requirement satisfied

Notice no "leaf" in the command. The H"..." part is the SHA1 fingerprint for my self-signed root certificate.
So for now I'll publish that on my site. It _would_ be useful if there were some Apple utility for that, useable by the mythical "Aunt Tillie".
>> It seems more useful to use code-checking to verify plug-ins/bundles
>> that your app loads, since that way the code doing the check is
>> separate from the possibly-tampered-with code.
>
>Yup. The basic idea is to check newly added code before it can affect
>you, and if it doesn't verify, then either refuse to use it (that's
>what the HARD flag is about), or clear your own dynamic validity,
>thereby announcing (irrevocably) to everyone that you're no longer
>(sure you are) valid.
Is there, or will there be, a code snippet to show how to check a plugin before loading it? Or is it NSTasking codesign for now?
Thanks again,
--
Rainer Brockerhoff <email@hidden>
Belo Horizonte, Brazil
"In the affairs of others even fools are wise
In their own business even sages err."
Weblog: http://www.brockerhoff.net/bb/viewtopic.php
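
Added example (not part of the original message, and not Apple's code): the "NSTasking codesign" route asked about above, written as a shell gate that lists only the plug-in bundles satisfying the anchor requirement quoted in the message. The function names and the *.bundle layout are assumptions; exit statuses 1 and 3 are the ones documented in the codesign man page.

```sh
#!/bin/sh
# Added example, not from the original thread.
# Requirement string as used in the message above; replace the fingerprint
# with the SHA-1 of your own anchor certificate.
REQUIREMENT='anchor = H"4CBB97C74336F7EE6AA566122A5E7688E1C725DC"'

# check_bundle PATH (hypothetical helper)
# Returns codesign's exit status:
#   0  signature valid and requirement satisfied
#   1  verification failed (unsigned, modified, unreadable)
#   3  properly signed, but the -R requirement is not satisfied
check_bundle() {
    codesign -v -R="$REQUIREMENT" "$1" >/dev/null 2>&1
}

# trusted_plugins DIR (hypothetical helper)
# Prints the path of every DIR/*.bundle that passes; rejections go to stderr.
# Any non-zero status (including a missing codesign binary) is a rejection.
trusted_plugins() {
    for p in "$1"/*.bundle; do
        [ -e "$p" ] || continue          # glob matched nothing
        rc=0
        check_bundle "$p" || rc=$?
        case "$rc" in
            0) printf '%s\n' "$p" ;;
            3) echo "rejected, signed but requirement not satisfied: $p" >&2 ;;
            *) echo "rejected, verification failed (status $rc): $p" >&2 ;;
        esac
    done
}

# Usage (path is an example): trusted_plugins "My.app/Contents/PlugIns"
```

The host application would load only the paths printed on stdout and refuse everything else, which is the "refuse to use it" option from the quoted reply.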