Re: Code Sign verification on Leopard
- Subject: Re: Code Sign verification on Leopard
- From: Jens Alfke <email@hidden>
- Date: Tue, 13 Oct 2009 08:41:36 -0700
This code sample seems to be designed to verify the binary that it's
compiled into. That's sort of useless for security purposes, like
yelling downstairs "are you a burglar?" If your own code's already
been modified, it's easy enough for the hacker to disable the code
that does the checking. Code signing only makes sense for verifying
external code before it's loaded. (Note that even loading a dynamic
library and then verifying the code is insecure, since the library
could have code that runs at load-time, like C++ static initializers,
that clobbers you before you get a chance to verify it.)
It's also not useful for security purposes to just check the status
result of codesign. A successful result just tells you that the code
has a signature. It doesn't tell you who signed it, or who authorized
their certificate. Anyone can make their own key-pair in 30 seconds
using the openssl tool or Keychain Access and use it to sign anything
they want. For real verification you also have to examine the identity
of the signer, and the chain of trust from the signer to a trusted
root cert.
[FYI, it also looks like that sample assumes GC. It doesn't release
the NSTask.]
—Jens
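The two points above, verifying code before it is loaded and checking who signed it rather than merely that a signature exists, can be shown with the Security framework's static-code API. The following is an added example, not code from the thread or from Apple; it assumes that API (SecStaticCode / SecRequirement, which postdates Leopard, where the original sample shelled out to the codesign tool via NSTask), and the bundle identifier and Team ID in the requirement string are placeholders, not values from the thread.

```objective-c
// Added example (not from the thread): verify a bundle on disk against a
// designated requirement, so "signed" also means "signed by the party we expect".
// Build: clang -fobjc-arc -framework Foundation -framework Security verify_signature.m -o verify_signature
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Constructed placeholder requirement. It demands a certificate chain anchored
// at Apple's root, the expected code identifier, and a leaf certificate whose
// OU (the Team ID) matches. Replace both quoted values before real use.
static NSString *const kExpectedRequirement =
    @"anchor apple generic and identifier \"com.example.plugin\" "
     "and certificate leaf[subject.OU] = \"TEAMID0000\"";

// Returns YES only if the code at `path` has an intact signature AND satisfies
// `requirementText`. Passing nil for requirementText reproduces the weak check
// the email warns about: any self-generated key would pass.
static BOOL VerifyCodeAtPath(NSString *path, NSString *requirementText, NSError **outError)
{
    SecStaticCodeRef code = NULL;
    SecRequirementRef requirement = NULL;
    CFErrorRef cfError = NULL;
    BOOL ok = NO;

    NSURL *url = [NSURL fileURLWithPath:path];
    OSStatus status = SecStaticCodeCreateWithPath((__bridge CFURLRef)url,
                                                  kSecCSDefaultFlags, &code);
    if (status == errSecSuccess && requirementText != nil) {
        status = SecRequirementCreateWithString((__bridge CFStringRef)requirementText,
                                                kSecCSDefaultFlags, &requirement);
    }
    if (status == errSecSuccess) {
        // kSecCSCheckAllArchitectures: verify every slice of a fat binary,
        // not just the slice matching the current CPU.
        status = SecStaticCodeCheckValidityWithErrors(code,
                                                      kSecCSDefaultFlags | kSecCSCheckAllArchitectures,
                                                      requirement, &cfError);
        ok = (status == errSecSuccess);
    }

    if (!ok && outError != NULL) {
        if (cfError != NULL) {
            *outError = CFBridgingRelease(cfError);   // ownership moves to ARC
            cfError = NULL;
        } else {
            *outError = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
        }
    }
    if (cfError != NULL) CFRelease(cfError);
    if (requirement != NULL) CFRelease(requirement);
    if (code != NULL) CFRelease(code);
    return ok;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s /path/to/Plugin.bundle\n", argv[0]);
            return 2;
        }
        NSString *path = [NSString stringWithUTF8String:argv[1]];
        NSError *error = nil;

        // Weak check: a signature is present and intact, signer unknown.
        BOOL intact = VerifyCodeAtPath(path, nil, &error);
        printf("signature intact: %s\n", intact ? "yes" : "no");

        // Strong check: intact AND from the expected identity and chain of trust.
        error = nil;
        BOOL trusted = VerifyCodeAtPath(path, kExpectedRequirement, &error);
        printf("meets designated requirement: %s\n", trusted ? "yes" : "no");
        if (!trusted && error != nil) {
            printf("reason: %s\n", [[error description] UTF8String]);
        }

        // Only now would it be safe to load the bundle (NSBundle / dlopen);
        // loading first and checking afterwards runs its initializers unchecked.
        return trusted ? 0 : 1;
    }
}
```

Run it against a bundle that was signed with an ad-hoc or home-made key and the first line prints "yes" while the second prints "no", which is exactly the gap the reply describes: the requirement string, not the bare validity status, is what ties the signature to a specific signer and anchor.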
Cocoa-dev mailing list (email@hidden)