RE: Verify productsign on flat packages
- Subject: RE: Verify productsign on flat packages
- From: Khushneet Inder Singh <email@hidden>
- Date: Mon, 29 Oct 2012 12:34:24 +0530
- Thread-topic: Verify productsign on flat packages
Hi Stephane,
The --extract-certs option somehow doesn't work. xar said unrecognized
option `--extract-certs` and the manual of xar doesn't have any
extract-certs option :( ...
NOTE: xar version is 1.6dev
But --dump-toc works well :), I just want to know whether the following
info is about the "MY Apple Developer ID Installer certificates"?
"<X509Data>
<X509Certificate>CERT1</X509Certificate>
<X509Certificate>CERT2</X509Certificate>
</X509Data>"
And is this info different for different Apple Developer ID
certificates?
I signed two different payloads with the same Developer ID, then I checked
the diff of both XML header info. There is no diff between the signature
info part of the header file. That's why I am assuming the above XML info
has a one-to-one relation with the certificate used to sign the package. I
don't have any other certificate to counter-check this to make
sure.
Thanks,
Khushneet
-----Original Message-----
From: installer-dev-bounces+ksingh=email@hidden
[mailto:installer-dev-bounces+ksingh=email@hidden] On
Behalf Of Stephane Sudre
Sent: Friday, October 26, 2012 12:52 PM
To: email@hidden
Subject: Re: Verify productsign on flat packages
On Fri, Oct 26, 2012 at 7:15 AM, Khushneet Inder Singh
<email@hidden> wrote:
> Hi,
>
> Thanks for the reply, but the "--check-signature" option in pkgutil was
> introduced later in 10.7 (Lion). So for me the problem remains the same,
> I am still unable to verify the signature on Snow Leopard and Leopard.
Considering that a flat package/distribution is a xar archive, a
solution could be to:
1. extract the certificates from the archive either using --dump-toc and
some XML parsing or using a fork of the xar project:
http://mackyle.github.com/xar/howtosign.html
2. use 'openssl x509' to retrieve the information you need.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
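The two steps suggested in the thread (pull the certificates out of the --dump-toc XML, then hand them to 'openssl x509'), sketched as an added example that is not code from either poster or from the xar project. The sample TOC is constructed and its layout, including the namespace on KeyInfo, is an assumption modelled on the fragment quoted above; the placeholder bytes are not real certificates.

```python
import base64
import hashlib
import sys
import xml.etree.ElementTree as ET


def extract_certs(toc_xml):
    """Return DER bytes of each distinct <X509Certificate> in a xar TOC, in order."""
    ders = []
    for elem in ET.fromstring(toc_xml).iter():
        # Compare local names so a namespace on <KeyInfo> does not matter.
        if elem.tag.rsplit("}", 1)[-1] != "X509Certificate" or not elem.text:
            continue
        # The base64 may be wrapped over several lines: drop all whitespace.
        der = base64.b64decode("".join(elem.text.split()), validate=True)
        if der not in ders:  # same certificate listed twice: keep one copy
            ders.append(der)
    return ders


def to_pem(der):
    """Wrap DER bytes as PEM so 'openssl x509 -in FILE -noout -subject' can read them."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    """SHA-1 of the DER bytes, comparable with 'openssl x509 -fingerprint -sha1'."""
    return hashlib.sha1(der).hexdigest()


# Constructed sample: placeholder bytes stand in for real DER certificates.
_B64 = [base64.b64encode(b).decode() for b in (b"constructed leaf DER", b"constructed issuer DER")]
SAMPLE_TOC = (
    '<xar><toc><signature style="RSA"><offset>0</offset><size>256</size>'
    '<KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>'
    "<X509Certificate>\n  " + _B64[0][:10] + "\n  " + _B64[0][10:] + "\n</X509Certificate>"
    "<X509Certificate>" + _B64[1] + "</X509Certificate>"
    "</X509Data></KeyInfo></signature></toc></xar>"
)

if __name__ == "__main__":
    # Usage: xar --dump-toc=toc.xml -f Package.pkg, then pass toc.xml as argv[1].
    toc = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TOC
    for i, der in enumerate(extract_certs(toc)):
        with open("cert%d.pem" % i, "w") as fh:
            fh.write(to_pem(der))
        print(i, fingerprint(der))
```

Comparing the printed fingerprints across two packages is a stricter check than diffing the TOC text, since it ignores line wrapping and element order inside the header.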