site_archiver@lists.apple.com Delivered-To: darwin-dev@lists.apple.com Thread-index: AcikmfBiLv+3ZxCNEd20BQAdT0T19A== Thread-topic: mach-o digital signature segment? (was: Re: mach-o section question) User-agent: Microsoft-Entourage/11.4.0.080122 Well, nice to know its possible AND its already been done! :D I'll go back to my mach-o parser planning now... Thanks, Cem Karan ------------------------------ Message: 14 Date: Tue, 22 Apr 2008 09:20:56 -0700 From: Andrew Myrick <amyrick@apple.com> Subject: Re: mach-o digital signature segment? (was: Re: mach-o section question) To: darwin-dev@lists.apple.com Message-ID: <672FF329-FA1C-4C6A-B279-A761CC9535CF@apple.com> Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes man codesign http://developer.apple.com/documentation/Security/Conceptual/CodeSigningGuid e/Introduction/chapter_1_section_1.html#//apple_ref/doc/uid/TP40005929-CH1-D ontLinkElementID_13 -Andrew On Apr 22, 2008, at 5:11 AM, Army Research Lab wrote:

A good point, I'll keep it in mind, although I think I'd like to test both ways.

I just had a sudden, sideways thought; mach-o allows us to define new segments, right? Can we put pure data into a segment? SHA-1, MD5, etc. got me to thinking about putting in a segment that contains the digital signature of the rest of the mach-o data. Is that possible? More importantly, for signed mach-o files, can the loader be set up to check the signature prior to running the program, each time? That might help cut down on viruses, etc (which are not a problem on the mac yet, but I like to think ahead, to prevent small problems from becoming big problems)

As for programs that aren't yet signed, the loader could ask the user if they want to run the program, and if the user says yes, then the loader could add a new segment that signs the mach-o file with the user's personal key. From then on, unless the program was modified, the user would not be bothered. Other programs (e.g., system libraries, etc.) would ship with signatures, and the certs for those signatures would be installed in the System keychain (or whatever is the Darwin equivalent).

Also, I know there is the whole key management problem, etc. I'm not concerned with that here; I'm only asking, is it possible to embed the signature in the mach-o file?

Thanks, Cem Karan

_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/site_archiver%40lists.appl... This email sent to site_archiver@lists.apple.com