man codesign

http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuid...

-Andrew

On Apr 22, 2008, at 5:11 AM, Army Research Lab wrote:

A good point, I'll keep it in mind, although I think I'd like to test both ways.

I just had a sudden, sideways thought; mach-o allows us to define new segments, right? Can we put pure data into a segment? SHA-1, MD5, etc. got me to thinking about putting in a segment that contains the digital signature of the rest of the mach-o data. Is that possible? More importantly, for signed mach-o files, can the loader be set up to check the signature prior to running the program, each time? That might help cut down on viruses, etc. (which are not a problem on the mac yet, but I like to think ahead, to prevent small problems from becoming big problems)

As for programs that aren't yet signed, the loader could ask the user if they want to run the program, and if the user says yes, then the loader could add a new segment that signs the mach-o file with the user's personal key. From then on, unless the program was modified, the user would not be bothered. Other programs (e.g., system libraries, etc.) would ship with signatures, and the certs for those signatures would be installed in the System keychain (or whatever is the Darwin equivalent).

Also, I know there is the whole key management problem, etc. I'm not concerned with that here; I'm only asking, is it possible to embed the signature in the mach-o file?

Thanks,
Cem Karan
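
How a signature produced by codesign (the tool named in the reply) is located inside a thin 64-bit Mach-O, as an added example that is not part of the original thread or Apple's code: the file carries an `LC_CODE_SIGNATURE` load command pointing at a signature blob, rather than a user-defined segment. The function names are hypothetical and the images returned by `build_sample` are constructed for illustration.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                 # thin 64-bit little-endian Mach-O
LC_CODE_SIGNATURE = 0x1D                 # linkedit_data_command: cmd, cmdsize, dataoff, datasize
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic, stored big-endian


def find_code_signature(image: bytes):
    """Return (dataoff, datasize) of the embedded signature, or None if unsigned."""
    if len(image) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", image, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    end = 32 + sizeofcmds
    if end > len(image):
        raise ValueError("load commands run past end of file")
    off = 32
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load command header truncated")
        cmd, cmdsize = struct.unpack_from("<2I", image, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            dataoff, datasize = struct.unpack_from("<2I", image, off + 8)
            if dataoff + datasize > len(image):
                raise ValueError("signature blob lies outside the file")
            return dataoff, datasize
        off += cmdsize
    return None


def has_embedded_signature(image: bytes) -> bool:
    """True only if the load command exists and points at a SuperBlob magic."""
    loc = find_code_signature(image)
    if loc is None or loc[1] < 4:
        return False
    (blob_magic,) = struct.unpack_from(">I", image, loc[0])
    return blob_magic == CSMAGIC_EMBEDDED_SIGNATURE


def build_sample(signed: bool) -> bytes:
    """Constructed image: header, optional LC_CODE_SIGNATURE, empty 12-byte SuperBlob."""
    blob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 12, 0) if signed else b""
    cmds = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(blob)) if signed else b""
    ncmds = 1 if signed else 0
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0)
    return header + cmds + blob
```

This only locates the blob and checks its magic; it does not validate the signature, which is what `codesign -v` does on a real binary.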