Verifying Code Signing Identity
- Subject: Verifying Code Signing Identity
- From: "Georg C. Brückmann" <email@hidden>
- Date: Wed, 12 Nov 2008 23:37:14 +0100
Hi all –
To make it harder for malicious code to be injected into my
application, I want to require plug-ins for this application to be
signed. In the end this should be done using certificates issued by an
in-house authority. My understanding is that I should be able to
verify whether a given product has been signed using a certificate
issued by this authority. To start things off, I thought I’d begin
with a simpler method, that is, just verifying whether the plug-in
has been signed using a specific certificate. In short:
1. Sign the plug-in using codesign -s <CERTIFICATE NAME> foo.plugin.
2. Verify the signature using codesign --verify -R="certificate leaf
= H\"<SHA1>\"" foo.plugin (where <SHA1> is the SHA1 fingerprint of
the certificate as found in the Keychain Access application).
But this doesn’t work for me: the product gets signed just fine, and
the signature is intact, but the external requirement (that the
plug-in be signed using the certificate with the given fingerprint)
appears not to be fulfilled (output from codesign when attempting to
verify foo.plugin):
foo.plugin: valid on disk
foo.plugin: satisfies its Designated Requirement
test-requirement: failed to satisfy code requirement(s)
I tried this on 10.5.5 with Xcode 3.1.
Did I get a wrong idea of how code signing can be used, or is one of
the steps faulty?
Thanks in advance for any thoughts!
– Georg
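As an added example (not code from Georg's post), the following Python helper carries out the same check from the verifying side: it computes a certificate's SHA-1 fingerprint the way Keychain Access displays it, builds the `certificate leaf = H"..."` requirement from the post and the `anchor = H"..."` form that covers the in-house-CA end goal, and runs `codesign --verify -R=` with it. The certificate and plug-in paths are assumptions, and `codesign` itself only exists on macOS.

```python
import base64
import hashlib
import subprocess


def certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as DER or PEM."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(
            line.strip() for line in data.splitlines()
            if line.strip() and not line.startswith(b"-----")
        )
        return base64.b64decode(body)
    return data


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER encoding: the fingerprint Keychain Access shows."""
    return hashlib.sha1(der).hexdigest().upper()


def _hex_constant(fingerprint: str) -> str:
    # Keychain Access prints the digest with spaces; the H"" constant wants bare hex.
    return fingerprint.replace(" ", "").replace(":", "").lower()


def leaf_requirement(fingerprint: str) -> str:
    """Satisfied only by code whose signing (leaf) certificate has this digest."""
    return f'certificate leaf = H"{_hex_constant(fingerprint)}"'


def anchor_requirement(fingerprint: str) -> str:
    """Satisfied by any certificate chaining to the CA with this digest."""
    return f'anchor = H"{_hex_constant(fingerprint)}"'


def satisfies(plugin_path: str, requirement: str) -> bool:
    """True iff codesign --verify accepts the plug-in under the test requirement."""
    result = subprocess.run(
        ["codesign", "--verify", "-R=" + requirement, plugin_path],
        capture_output=True, text=True,
    )
    return result.returncode == 0


if __name__ == "__main__":
    # Assumed paths: the in-house CA certificate and the plug-in under test.
    with open("inhouse-ca.cer", "rb") as fh:
        ca_fp = sha1_fingerprint(certificate_der(fh.read()))
    print("anchor check:", satisfies("foo.plugin", anchor_requirement(ca_fp)))
```

On macOS this reproduces the post's step 2 for a leaf certificate and, with the CA's fingerprint, the chain-to-in-house-authority check the post works toward.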