Re: Code Signing
- Subject: Re: Code Signing
- From: "John C. Welch" <email@hidden>
- Date: Thu, 11 Dec 2008 13:22:13 -0500
- Thread-topic: Code Signing
On 12/11/08 12:54 PM, "Bill Cheeseman" <email@hidden> wrote:
>> If you want it signed, you sort of really want to do it via someone who has
>> a well-known chain of trust. However, I've not seen a *requirement* that you
>> use a well-known cert provider.
>
> John, I'm not sure that's consistent with Apple's current purposing of the
> code-signing mechanism. Apple's code-signing documentation indicates that
> using a certificate you make yourself for free (using Keychain Access) is
> perfectly acceptable. It's what I am doing myself with the next version of
> my commercial products.
>
> What follows is my understanding from recent reading. I don't guarantee that
> I've got it exactly right.
>
> An Apple code-signing engineer explained the idea behind code signing
> recently on another Apple mailing list. As I understood him, it is meant
> only to assure users that an upgrade to an application comes from the same
> source as an earlier version installed on the machine. For that reason, Mac
> OS X won't put up the same level of warning alerts when updating software
> that is code-signed. So, if a user has had a good experience (i.e., a safe
> experience) with the first version of an application, he/she can have
> whatever confidence follows from knowing that the second version is from the
> same source. Privately signed certificates are as good as certificates
> signed by a commercial certificate-issuing company for this purpose, due to
> the encryption/authentication mechanisms built into code-signing
> certificates. Code signing reliably indicates that two certificates have the
> same source, not that the source is safe.
Right. However, for whatever reason, and I'm not saying I necessarily agree
completely, self-signed certs have a bad rep as OMGHACKER. Most of this rep
comes from, (surprise), the major cert authorities.
But, there are enough people who get weird about such things that to avoid
the headache, esp. if you want to sell to companies, etc., that the few
hundred a year could be worth it.
>
> I can see the case for relying on code signing for something more, such as
> an assurance that the first version of an application is not from a hacker
> masquerading as a legitimate developer. But that would only work if the
> commercial certificate issuing companies undertook to investigate and
> guarantee the bona fides of the developers to whom they issue certificates.
> I haven't researched the topic, but I'm not aware that the certificate
> issuing companies do that at this time.
Oh no, they don't, not really. Every time I buy a cert for Jabber, et al,
it's not much more "secure" than "You gotta PINKY SWEAR you're not a bad
guy! PINKY SWEAR!!!!"
But, when technical correctness runs into the kind of PR push that Verisign
et al have done over the years...after a while you get tired of explaining
it to people, and you just say FINE, THERE, NO YOU DON'T GET TEH BADZ0R
DIALOGS.
Sometimes you write the "if I do this, will you go away now?" check.
>
> Somebody please correct me if I've got any of that wrong.
Nope, you're pretty much spot on, technically. I just hate the OMG aspect of
self-signed certs.
--
Love is a merry elf dancing a happy jig, when suddenly, he turns on you with
a submachine gun.
Matt Groening
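
The point discussed in this thread, that a signature ties an update to the same source as the installed version whether or not a commercial CA issued the certificate, modeled with `openssl` as an added example that is not part of the original message. The identity names, file names and the `check_update` helper are assumptions made up for the demo, and this is not how Mac OS X implements the check.

```shell
#!/usr/bin/env bash
# Constructed model of the update check discussed above: is the new version
# signed by the same self-signed identity as the installed one? All names,
# files and contents here are made up for the demo.
set -eu
WORK=$(mktemp -d)

# make_identity NAME: private key plus self-signed certificate, no CA involved.
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# sign_release NAME FILE: detached signature, certificate shipped beside it.
sign_release() {
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$2.sig" "$2"
  cp "$WORK/$1.crt" "$2.crt"
}

# fingerprint CERT: SHA-256 fingerprint used as the identity of the signer.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# check_update INSTALLED NEW: prints same-source, different-source or
# bad-signature. No certificate chain is consulted at any point.
check_update() {
  openssl x509 -in "$2.crt" -noout -pubkey > "$WORK/pub.pem"
  if ! openssl dgst -sha256 -verify "$WORK/pub.pem" \
       -signature "$2.sig" "$2" >/dev/null 2>&1; then
    echo bad-signature
  elif [ "$(fingerprint "$1.crt")" = "$(fingerprint "$2.crt")" ]; then
    echo same-source
  else
    echo different-source
  fi
}

make_identity developer
make_identity impostor
echo "app 1.0" > "$WORK/v1";      sign_release developer "$WORK/v1"
echo "app 2.0" > "$WORK/v2";      sign_release developer "$WORK/v2"
echo "app 2.0" > "$WORK/v2-fake"; sign_release impostor  "$WORK/v2-fake"
echo "app 2.0" > "$WORK/v2-mod";  sign_release developer "$WORK/v2-mod"
echo "patched" >> "$WORK/v2-mod"  # modified after signing

check_update "$WORK/v1" "$WORK/v2"       # same-source
check_update "$WORK/v1" "$WORK/v2-fake"  # different-source
check_update "$WORK/v1" "$WORK/v2-mod"   # bad-signature
```

The impostor's release carries a perfectly valid self-signed signature; it is rejected only because the signer differs from the one already installed, which says nothing about whether the first version's signer was trustworthy.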