RE: Verify productsign on flat packages
Hi,

Is there any way to get/extract the certificate from the flat package so that it can be accessed via openssl x509 on Mac OS X 10.7.5 and later? My intent is to validate the digital signing of the flat package on the user's machine. I know the pkgutil --check-signature and spctl commands, but I want something more reliable, as I want to programmatically validate the SHA fingerprint of the package. I am open to any ideas to validate the productsign on all Mac OS X 10.7.5 and later.

Thanks and regards,
Khushneet

-----Original Message-----
From: installer-dev-bounces+ksingh=quark.com@lists.apple.com [mailto:installer-dev-bounces+ksingh=quark.com@lists.apple.com] On Behalf Of Khushneet Inder Singh
Sent: Monday, October 29, 2012 12:34 PM
To: Stephane Sudre; installer-dev@lists.apple.com
Subject: RE: Verify productsign on flat packages

Hi Stephane,

The --extract-certs option somehow doesn't work. xar said unrecognized option `--extract-certs`, and the xar manual doesn't have any extract-certs option :( ...
NOTE: xar version is 1.6dev

But --dump-toc works well :). I just want to know whether the following info is about "MY Apple Developer ID Installer certificates":

    <X509Data>
    <X509Certificate>CERT1</X509Certificate>
    <X509Certificate>CERT2</X509Certificate>
    </X509Data>

And is this info different for different Apple Developer ID certificates? I signed two different payloads with the same Developer ID, then I checked the diff of both XML header info. There is no diff in the signature info part of the header file. That's why I am assuming the above XML info has a one-to-one relation with the certificate used to sign the package. I don't have any other certificate to counter-check this and make sure.

Thanks,
Khushneet

-----Original Message-----
From: installer-dev-bounces+ksingh=quark.com@lists.apple.com [mailto:installer-dev-bounces+ksingh=quark.com@lists.apple.com] On Behalf Of Stephane Sudre
Sent: Friday, October 26, 2012 12:52 PM
To: installer-dev@lists.apple.com
Subject: Re: Verify productsign on flat packages

On Fri, Oct 26, 2012 at 7:15 AM, Khushneet Inder Singh <ksingh@quark.com> wrote:
> Hi,
> Thanks for the reply, but the "--check-signature" option in pkgutil was introduced later, in 10.7 (Lion). So for me the problem remains the same: I am still unable to verify the signature on Snow Leopard and Leopard.

Considering that a flat package/distribution is a xar archive, a solution could be to:

1. extract the certificates from the archive either using --dump-toc and some XML parsing or using a fork of the xar project: http://mackyle.github.com/xar/howtosign.html
2. use 'openssl x509' to retrieve the information you need.

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Installer-dev mailing list (Installer-dev@lists.apple.com)
Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/installer-dev/ksingh%40quark.com
This email sent to ksingh@quark.com
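
The two steps suggested in the thread (parse the certificates out of the `--dump-toc` XML, then fingerprint them the way `openssl x509` would), as an added example that is not part of the original messages. The function names and the sample TOC are constructed for illustration, the certificate blobs are placeholder bytes rather than real certificates, and the code assumes the signer's certificate is the first one listed.

```python
import base64
import hashlib
import textwrap
import xml.etree.ElementTree as ET

def _b64(raw):
    return base64.b64encode(raw).decode("ascii")

# Constructed TOC fragment shaped like `xar --dump-toc` output. The two blobs are
# placeholder bytes, not real certificates, so only the fingerprint step applies.
SAMPLE_TOC = """<xar><toc>
 <signature style="RSA"><offset>20</offset><size>256</size>
  <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
   <X509Certificate>{leaf}</X509Certificate>
   <X509Certificate>{ca}</X509Certificate>
  </X509Data></KeyInfo>
 </signature>
</toc></xar>""".format(leaf=_b64(b"constructed leaf certificate bytes"),
                       ca=_b64(b"constructed intermediate certificate bytes"))

def extract_certs(toc_xml):
    """Return the DER bytes of each <X509Certificate>, in TOC order."""
    certs = []
    for elem in ET.fromstring(toc_xml).iter():
        # Match on the local name so the xmldsig namespace does not matter.
        if elem.tag.rsplit("}", 1)[-1] == "X509Certificate" and elem.text:
            certs.append(base64.b64decode("".join(elem.text.split())))
    return certs

def sha1_fingerprint(der):
    """SHA-1 over the DER encoding, as `openssl x509 -fingerprint -sha1` reports."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(der):
    """Wrap DER bytes as PEM, the input format `openssl x509 -noout -text` expects."""
    body = "\n".join(textwrap.wrap(_b64(der), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"

def signer_matches(toc_xml, pinned_fingerprint):
    """True only if a certificate is present and the first one matches the pin.
    Assumption: the signer's (leaf) certificate is listed first in the TOC."""
    certs = extract_certs(toc_xml)
    return bool(certs) and sha1_fingerprint(certs[0]) == pinned_fingerprint.upper()

if __name__ == "__main__":
    for der in extract_certs(SAMPLE_TOC):
        print(sha1_fingerprint(der))
```

On a real package, write the TOC out with `xar --dump-toc=toc.xml -f Package.pkg` and pass the file contents to `extract_certs`. A fingerprint match only identifies the embedded certificate; it does not verify the signature over the archive.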

participants (1)
- Khushneet Inder Singh