code signing strategies
code signing strategies
- Subject: code signing strategies
- From: Jack Howarth <email@hidden>
- Date: Tue, 30 Mar 2010 10:18:52 -0400
I am trying to prepare fink packaging of the
new FSF gdb 7.1 release on i386 and x86_64 fink.
Unfortunately Apple's changes in 10.5.8 or later
require that gdb binary be code signed (or run as root)
in order to access the required Mach port for
debugging code.
Are their any code signing gurus here who
could suggest the best approach to cope with this
problem? I am hoping to implement something along
these lines but am unsure if it is feasible.
1) Provide an openssl certificate bundled with the
fsf-gdb fink package.
2) Provide a shell script which when run, guides
the user through the steps of loading the provided
certificate manually in the KeyChain application and then
code signs the fsf-gdb binary from within the shell
script using command line tools. My understanding is
that only the creation and/or loading of the openssl
certificates no longer have CLI tool access.
3) Have a postinstall script in the fsf-gdb that
would check if the certificate exists in the Keychain
when the fsf-gdb package is installed, reinstalled
or upgraded and launch the shell script described in
step 2 if not present. Otherwise it would just
code sign the newly installed fsf gdb binary again.
Thanks in advance for any advice on these issues.
Needless to say, the FSF gdb developers were a
tad miffed that this restriction popped up after
all the effort to support intel darwin in the official
FSF gdb releases.
Jack
ps It will be essential to have access to a working
FSF gdb 7.1 debugger for users who want to use the
upcoming FSF gcc 4.5 compiler release. There are
changes in debug code generation which are incompatible
with the older gdb releases.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden