Darwin-dev mailing list (darwin-dev@lists.apple.com)
Thread-topic: Code Signing Examples
That is a good point. Someone else also pointed out that once a hacker gets root authority all bets are off. Ideally this level of authentication belongs in the OS. Once a signed application or process is installed the OS should enforce the signature before executing the process. Not sure if this can be done with 10.5 or 10.6. And I'm not sure how you prevent someone from replacing the module with a corrupt unsigned version. For now we are just looking for a reasonable approach to validate the authenticity of our application components.
Once the process is running, the code signing API allows you to check the signature of the process based on its PID. You might also want to investigate the "hard" and "kill" options to codesign. My understanding is that "hard" should prevent (in some cases, not sure which) applications with broken signatures from running, and "kill" should kill the process when its signature becomes invalid (again, not sure in which cases).
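The per-PID check the reply describes, as an added Objective-C example (not code from either poster): it obtains the SecCodeRef for a running process, validates it dynamically against a designated requirement, and reports whether the binary was signed with the hard and kill options, which are set at signing time with `codesign -o hard,kill`. The bundle identifier, team ID, helper name and file name are assumed placeholders.

```objc
// check_pid_sig.m -- added example, not from the thread. Build with:
//   clang -fobjc-arc -framework Foundation -framework Security check_pid_sig.m
// The helper under test is signed with the options the reply mentions, e.g.
//   codesign -s "Developer ID Application: Example" -o hard,kill MyHelper
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Requirement the process must satisfy; identifier and team ID are placeholders.
static NSString *const kRequirement =
    @"anchor apple generic and identifier \"com.example.helper\""
    @" and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\"";
// errSecSuccess when the process has a valid dynamic signature meeting
// kRequirement; on success *outFlags gets the static signature flags.
static OSStatus checkProcess(pid_t pid, uint32_t *outFlags) {
    NSDictionary *attrs = @{ (__bridge id)kSecGuestAttributePid : @(pid) };
    SecCodeRef code = NULL;   // host NULL = the system, so any pid can be looked up
    OSStatus err = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                                  kSecCSDefaultFlags, &code);
    if (err != errSecSuccess) return err;
    SecRequirementRef req = NULL;
    err = SecRequirementCreateWithString((__bridge CFStringRef)kRequirement,
                                         kSecCSDefaultFlags, &req);
    // Checks the running image against its seal and the signing chain against the requirement.
    if (err == errSecSuccess) err = SecCodeCheckValidity(code, kSecCSDefaultFlags, req);
    CFDictionaryRef info = NULL;
    if (err == errSecSuccess && outFlags &&
        SecCodeCopySigningInformation((SecStaticCodeRef)code, kSecCSDefaultFlags, &info) == errSecSuccess) {
        *outFlags = [((__bridge NSDictionary *)info)[(__bridge id)kSecCodeInfoFlags] unsignedIntValue];
        CFRelease(info);
    }
    if (req) CFRelease(req);
    CFRelease(code);
    return err;
}
int main(int argc, char *argv[]) {
    @autoreleasepool {
        if (argc != 2) { fprintf(stderr, "usage: %s <pid>\n", argv[0]); return 2; }
        uint32_t flags = 0;
        OSStatus err = checkProcess((pid_t)atoi(argv[1]), &flags);
        if (err != errSecSuccess) {
            // errSecCSUnsigned, errSecCSReqFailed and errSecCSSignatureFailed are the usual rejects.
            NSString *msg = (__bridge_transfer NSString *)SecCopyErrorMessageString(err, NULL);
            NSLog(@"pid %s rejected: %@ (%d)", argv[1], msg, (int)err);
            return 1;
        }
        // hard/kill come from the signer's -o options: hard refuses invalid pages, kill terminates on one.
        NSLog(@"pid %s accepted; hard=%d kill=%d", argv[1],
              (flags & kSecCodeSignatureForceHard) != 0, (flags & kSecCodeSignatureForceKill) != 0);
        return 0;
    }
}
```

Run it against your own helper's PID after replacing the binary on disk with an unsigned copy to see the difference between a rejected validity check and a process the kernel has already terminated under the kill option.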