RE: Verify productsign on flat packages
- Subject: RE: Verify productsign on flat packages
- From: Khushneet Inder Singh <email@hidden>
- Date: Fri, 21 Jun 2013 15:51:52 +0530
- Thread-topic: Verify productsign on flat packages
Hi,
Is there any way to get/extract the certificate from a flat package so
that it can be accessed via openssl x509 on Mac OS X 10.7.5 and later?
My intent is to validate the digital signing of a flat package on the user's
machine. I know the pkgutil --check-signature and spctl commands, but I
want something more reliable, as I want to validate programmatically the
SHA fingerprint of the package.
Open to any ideas to validate the productsign on all Mac OS X 10.7.5 and later
versions.
Thanks and regards,
Khushneet
-----Original Message-----
From: installer-dev-bounces+ksingh=email@hidden
[mailto:installer-dev-bounces+ksingh=email@hidden] On
Behalf Of Khushneet Inder Singh
Sent: Monday, October 29, 2012 12:34 PM
To: Stephane Sudre; email@hidden
Subject: RE: Verify productsign on flat packages
Hi Stephane,
The --extract-certs option somehow doesn't work. xar says unrecognized
option `--extract-certs`, and the manual of xar doesn't have any
extract-certs option :( ...
NOTE: xar version is 1.6dev
But --dump-toc works well :). I just want to know whether the following
info is about "MY Apple Developer ID Installer certificates":
"<X509Data>
<X509Certificate>CERT1</X509Certificate>
<X509Certificate>CERT2</X509Certificate>
</X509Data>"
And is this info different for different Apple Developer ID
certificates?
I signed two different payloads with the same Developer ID, then I checked the
diff of both XML header infos. There is no diff between the signature
info parts of the header files. That's why I am assuming the above XML info
has a one-to-one relation with the certificate used to sign the package. I
don't have any other certificate to cross-check this, which would make it
sure.
Thanks,
Khushneet
-----Original Message-----
From: installer-dev-bounces+ksingh=email@hidden
[mailto:installer-dev-bounces+ksingh=email@hidden] On
Behalf Of Stephane Sudre
Sent: Friday, October 26, 2012 12:52 PM
To: email@hidden
Subject: Re: Verify productsign on flat packages
On Fri, Oct 26, 2012 at 7:15 AM, Khushneet Inder Singh
<email@hidden> wrote:
> Hi,
>
> Thanks for the reply, but the "--check-signature" option in pkgutil was
> introduced later, in 10.7 (Lion). So for me the problem remains the same;
> I am still unable to verify the signature on Snow Leopard and Leopard.
Considering that a flat package/distribution is an xar archive, a
solution could be to:
1. extract the certificates from the archive, either using --dump-toc and
some XML parsing or using a fork of the xar project:
http://mackyle.github.com/xar/howtosign.html
2. use 'openssl x509' to retrieve the information you need.
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
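The two-step approach above (dump the TOC, then inspect the certificates) as an added worked example; this is not code from the thread or from the xar project. It parses the <X509Certificate> entries out of a xar TOC, computes the same DER fingerprint that 'openssl x509 -fingerprint' prints, and pins the signer. The sample TOC and its certificate bodies are constructed dummy data, the dump_toc() helper and the assumption that the signing (leaf) certificate is listed first are mine, not established by the thread.

```python
import base64
import hashlib
import os
import subprocess
import tempfile
import xml.etree.ElementTree as ET


def certs_from_toc(toc_xml: str) -> list:
    """Return the DER bytes of every <X509Certificate> in a xar TOC, in TOC order.
    Matching on the local name means the xmldsig namespace on <KeyInfo> does not matter."""
    certs = []
    for el in ET.fromstring(toc_xml).iter():
        if el.tag.rsplit('}', 1)[-1] == 'X509Certificate' and el.text:
            certs.append(base64.b64decode(''.join(el.text.split())))
    return certs


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armor so 'openssl x509 -in cert.pem -noout -text' can read them."""
    b64 = base64.b64encode(der).decode()
    body = '\n'.join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return '-----BEGIN CERTIFICATE-----\n' + body + '\n-----END CERTIFICATE-----\n'


def fingerprint(der: bytes, algo: str = 'sha1') -> str:
    """Colon-separated uppercase fingerprint; 'openssl x509 -fingerprint -<algo>'
    hashes exactly these DER bytes, so the values are comparable."""
    h = hashlib.new(algo, der).hexdigest().upper()
    return ':'.join(h[i:i + 2] for i in range(0, len(h), 2))


def signer_matches(toc_xml: str, expected_fp: str, algo: str = 'sha1') -> bool:
    """Pin the first certificate only (assumed here to be the signing leaf): pinning an
    intermediate such as a Developer ID CA would accept every certificate it ever issued."""
    certs = certs_from_toc(toc_xml)
    return bool(certs) and fingerprint(certs[0], algo) == expected_fp.upper()


def dump_toc(pkg_path: str) -> str:
    """Assumed helper: run 'xar --dump-toc=<file> -f <pkg>' (the option named in the
    thread) and return the XML. This pins the certificate only; it does not verify the
    signature over the TOC, so keep pkgutil/spctl (or a full check) alongside it."""
    with tempfile.TemporaryDirectory() as tmp:
        toc_file = os.path.join(tmp, 'toc.xml')
        subprocess.run(['xar', '--dump-toc=' + toc_file, '-f', pkg_path], check=True)
        with open(toc_file, encoding='utf-8') as fh:
            return fh.read()


# Constructed sample TOC; the certificate bodies are dummy bytes ("abc", "hello"), not real certs.
SAMPLE_TOC = """<xar><toc><signature style="RSA"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
<X509Data><X509Certificate>YWJj</X509Certificate><X509Certificate>aGVsbG8=</X509Certificate></X509Data>
</KeyInfo></signature></toc></xar>"""
```

For a real package, pass dump_toc('/path/to/pkg') to signer_matches with the fingerprint you recorded from your own Developer ID certificate.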