Re: Code Sign verification on Leopard
- Subject: Re: Code Sign verification on Leopard
- From: "email@hidden" <email@hidden>
- Date: Tue, 13 Oct 2009 17:25:20 +0100
On 13 Oct 2009, at 16:41, Jens Alfke wrote:

> That's sort of useless for security purposes, like yelling
> downstairs "are you a burglar?"

But it's not useless in the sense that it provides feedback that the
code IS signed.
The code merely allows me to detect if I have screwed up my build
settings and managed to break the code signing.

> It's also not useful for security purposes to just check the status
> result of codesign. A successful result just tells you that the code
> has a signature. It doesn't tell you who signed it, or who
> authorized their certificate. Anyone can make their own key-pair in
> 30 seconds using the openssl tool or Keychain Access and use it to
> sign anything they want. For real verification you also have to
> examine the identity of the signer, and the chain of trust from the
> signer to a trusted root cert.

There's no denying that.

Jonathan Mitchell
Developer
http://www.mugginsoft.com
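
The distinction discussed in this message, shown as an added example that is not part of the original post or of anyone's code in the thread. It uses the openssl tool rather than codesign to illustrate the general principle; all keys, certificate names (`Example Trusted Root`, `Example Vendor`, `Self Made`) and files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: constructed keys and certificates, generated in a temp directory.

make_demo() {  # builds a root, a root-issued vendor cert, and a self-signed cert
  D=$(mktemp -d) || return 1
  echo 'payload' > "$D/app.bin"
  # Root that the verifier already trusts (hypothetical name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Trusted Root' \
    -keyout "$D/root.key" -out "$D/root.pem" 2>/dev/null || return 1
  # Vendor certificate issued by that root.
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Vendor' \
    -keyout "$D/vendor.key" -out "$D/vendor.csr" 2>/dev/null || return 1
  openssl x509 -req -days 1 -in "$D/vendor.csr" -CA "$D/root.pem" -CAkey "$D/root.key" \
    -CAcreateserial -out "$D/vendor.pem" 2>/dev/null || return 1
  # Self-made key-pair and certificate, trusted by nobody.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Self Made' \
    -keyout "$D/self.key" -out "$D/self.pem" 2>/dev/null || return 1
  for who in vendor self; do
    openssl dgst -sha256 -sign "$D/$who.key" -out "$D/$who.sig" "$D/app.bin" || return 1
  done
}

# Check 1: "is there a valid signature?" Says nothing about who made it.
signature_valid() {  # args: cert signature file
  openssl x509 -in "$1" -pubkey -noout > "$1.pub" &&
    openssl dgst -sha256 -verify "$1.pub" -signature "$2" "$3" >/dev/null 2>&1
}

# Check 2: does the signer's certificate chain to the trusted root ...
chains_to_root() {  # args: cert root
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Check 3: ... and is the signer the identity we expect?
signer_is() {  # args: cert expected-CN
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | grep -q "CN=$2\$"
}

make_demo
for who in vendor self; do
  signature_valid "$D/$who.pem" "$D/$who.sig" "$D/app.bin" && s=yes || s=no
  chains_to_root "$D/$who.pem" "$D/root.pem" && c=yes || c=no
  signer_is "$D/$who.pem" 'Example Vendor' && i=yes || i=no
  echo "$who: signature=$s chain=$c identity=$i"
done
```

Both files pass the signature check; only the vendor's certificate passes the chain and identity checks.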