Re: mach-o digital signature segment? (was: Re: mach-o section question)
- Subject: Re: mach-o digital signature segment? (was: Re: mach-o section question)
- From: Andrew Myrick <email@hidden>
- Date: Tue, 22 Apr 2008 09:20:56 -0700
man codesign
http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuide/Introduction/chapter_1_section_1.html#//apple_ref/doc/uid/TP40005929-CH1-DontLinkElementID_13
-Andrew
On Apr 22, 2008, at 5:11 AM, Army Research Lab wrote:
A good point, I'll keep it in mind, although I think I'd like to test both ways.

I just had a sudden, sideways thought; mach-o allows us to define new segments, right? Can we put pure data into a segment? SHA-1, MD5, etc. got me to thinking about putting in a segment that contains the digital signature of the rest of the mach-o data. Is that possible? More importantly, for signed mach-o files, can the loader be set up to check the signature prior to running the program, each time? That might help cut down on viruses, etc. (which are not a problem on the mac yet, but I like to think ahead, to prevent small problems from becoming big problems).

As for programs that aren't yet signed, the loader could ask the user if they want to run the program, and if the user says yes, then the loader could add a new segment that signs the mach-o file with the user's personal key. From then on, unless the program was modified, the user would not be bothered. Other programs (e.g., system libraries, etc.) would ship with signatures, and the certs for those signatures would be installed in the System keychain (or whatever is the Darwin equivalent).

Also, I know there is the whole key management problem, etc. I'm not concerned with that here; I'm only asking, is it possible to embed the signature in the mach-o file?

Thanks,
Cem Karan
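Andrew's pointer to codesign is the short answer to Cem's question: the signature is embedded in the Mach-O file, but not as a freestanding new segment. codesign adds an LC_CODE_SIGNATURE load command (a linkedit_data_command whose dataoff/datasize fields point at a signature "SuperBlob" stored inside the __LINKEDIT segment), and that is the blob the kernel's code-signing checks read. The script below is an added example written for this thread, not code from either poster or from Apple. It walks the load commands of a thin little-endian Mach-O, reports whether an LC_CODE_SIGNATURE command is present, and checks that it points inside __LINKEDIT at a blob carrying the expected magic. Layout constants are the public ones from <mach-o/loader.h>; the contents of the blob itself (code directory, CMS signature) are not parsed. The build_sample() image is constructed for a self-contained run and is not a real executable.

```python
import struct
import sys

# Mach-O constants from <mach-o/loader.h>; the SuperBlob magic is from the
# code-signing headers. Thin Mach-O files on Intel Macs are little-endian,
# but the code-signature blob itself is always big-endian.
MH_MAGIC = 0xFEEDFACE                  # 32-bit header (28 bytes)
MH_MAGIC_64 = 0xFEEDFACF               # 64-bit header (32 bytes)
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D               # cmd, cmdsize, dataoff, datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0


def load_commands(data):
    """Yield (cmd, cmdsize, raw_bytes) for each load command, with bounds checks."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        header_len = 32
    elif magic == MH_MAGIC:
        header_len = 28
    else:
        raise ValueError("not a thin little-endian Mach-O: magic 0x%08x" % magic)
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)   # same offsets in both headers
    end = header_len + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    off = header_len
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        # A command must at least hold cmd/cmdsize and stay inside the declared region.
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command at offset %d" % off)
        yield cmd, cmdsize, data[off:off + cmdsize]
        off += cmdsize


def code_signature_info(data):
    """Return where the embedded signature lives, or None if the file is unsigned."""
    linkedit = None
    sig = None
    for cmd, cmdsize, raw in load_commands(data):
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            segname = raw[8:24].rstrip(b"\0").decode("ascii", "replace")
            if segname == "__LINKEDIT":
                linkedit = struct.unpack_from("<QQ", raw, 40)        # fileoff, filesize
        elif cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            sig = struct.unpack_from("<II", raw, 8)                  # dataoff, datasize
    if sig is None:
        return None
    dataoff, datasize = sig
    if datasize < 4 or dataoff + datasize > len(data):
        raise ValueError("LC_CODE_SIGNATURE points outside the file")
    in_linkedit = (linkedit is not None
                   and linkedit[0] <= dataoff
                   and dataoff + datasize <= linkedit[0] + linkedit[1])
    (blob_magic,) = struct.unpack_from(">I", data, dataoff)
    return {
        "dataoff": dataoff,
        "datasize": datasize,
        "in_linkedit": in_linkedit,
        "superblob_magic_ok": blob_magic == CSMAGIC_EMBEDDED_SIGNATURE,
    }


def build_sample(signed):
    """Constructed minimal 64-bit image (header, __LINKEDIT segment, optional
    LC_CODE_SIGNATURE, empty SuperBlob). Test input only, not a runnable binary."""
    sig_off, sig_len = 128, 12
    cmds = [struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__LINKEDIT",
                        0x1000, 0x1000, sig_off, sig_len, 1, 1, 0, 0)]
    if signed:
        cmds.append(struct.pack("<IIII", LC_CODE_SIGNATURE, 16, sig_off, sig_len))
    body = b"".join(cmds)
    # magic, cputype (x86_64), cpusubtype, filetype (MH_EXECUTE), ncmds, sizeofcmds, flags, reserved
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(cmds), len(body), 0, 0)
    image = header + body
    image += b"\0" * (sig_off - len(image))
    # Empty SuperBlob: magic, length, count (big-endian)
    image += struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, sig_len, 0)
    return image


if __name__ == "__main__":
    # Pass a path to inspect a real thin Mach-O; otherwise use the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(code_signature_info(f.read()))
    else:
        print("signed sample:  ", code_signature_info(build_sample(True)))
        print("unsigned sample:", code_signature_info(build_sample(False)))
```

On a real signed binary the same walk finds the command that `codesign -s` added; an unsigned binary simply lacks it, which is why a loader-side policy has to decide what to do with a None result rather than with a failed verification.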