Re: what is CodeResource? how to make bundles applescriptable?
- Subject: Re: what is CodeResource? how to make bundles applescriptable?
- From: Jeremy Reichman <email@hidden>
- Date: Fri, 18 Jul 2008 10:25:30 -0400
- Thread-topic: what is CodeResource? how to make bundles applescriptable?
On 7/14/2008 3:04:51 PM, "Daniel Jalkut" <email@hidden> wrote:
> Hi George - this CodeResources file is an artifact of the code signing
> functionality Apple started making heavy use of in Leopard 10.5.
>
> It lists the cryptographic signatures of the pieces that make up a
> bundle, so that the system (or other clients) can confirm or deny its
> authenticity. Put simply: it makes it easy to tell if somebody has
> hacked/changed an application since the developer produced it.

Just to follow up on what Daniel said (and he had a good blog post on it
from a development perspective), you can read more about code signing in the
codesign man page ("man codesign" in Terminal).

Every time I look at that command, I think of "co-design," not "code." But,
that command lets you sign an application if you have a certificate
infrastructure (even a self-signed one).

It would be reasonable to have a root CA, with at least one intermediate,
and use the intermediate one to sign your code. That way, if you ever have
to retract your code signing CA (or want to have one for testing and another
for shipping code), you can create a new one signed by the same root and
still have a chain that can be trusted back to the same source -- the root
CA. The root CA should be kept super-secure. The certificate work can be
done in the Certificate Assistant found in Keychain Access.

Leopard's Code Signing is also discussed on Apple's Developer site:
<http://bit.ly/4yqlBU>

In particular, it may be helpful to review the "How Leopard Uses Code
Signing" and "What Will Not Work For Unsigned Code" sections of that
document. It's especially important if you'd like to ship applications into
managed environments of any size, but arguably less important for software
on Leopard running on standalone/unmanaged Macs.

Note that code signing is only about the _identity_ of an app. It's still up
to people to tell the system to set up trust of that identity.

--
Jeremy Reichman
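
The root-plus-intermediate layout described in the message above, as an added example that is not part of the original post. It uses the openssl command line instead of the Certificate Assistant the message mentions, and every certificate name in it is constructed for illustration.

```shell
# Added example: every name here (root, testing, shipping, app-*) is constructed.
# write_cnf DIR: minimal openssl config with CA and code signing leaf extensions.
write_cnf() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = codeSigning
EOF
}

# issue DIR NAME ISSUER SECTION: new key and certificate NAME, signed by ISSUER.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
    -subj "/CN=Example $2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
    -CAcreateserial -days 30 -extfile "$1/ca.cnf" -extensions "$4" \
    -out "$1/$2.pem" 2>/dev/null
}

# chains_to_root DIR INTERMEDIATE LEAF: only the root is trusted; the
# intermediate is passed as an untrusted helper certificate.
chains_to_root() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2.pem" "$1/$3.pem" >/dev/null 2>&1
}

# build_demo DIR: one root, a testing and a shipping intermediate, one leaf each.
build_demo() {
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$1/ca.cnf" -extensions ca \
    -subj "/CN=Example root" -days 30 -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  issue "$1" testing root ca
  issue "$1" shipping root ca
  issue "$1" app-test testing leaf
  issue "$1" app-release shipping leaf
}

demo=$(mktemp -d)
build_demo "$demo"
chains_to_root "$demo" testing app-test && echo "test build chains to the root"
chains_to_root "$demo" shipping app-release && echo "release build chains to the same root"
chains_to_root "$demo" testing app-release || echo "release build does not chain via the testing CA"
rm -rf "$demo"
```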