Re: Code Signing for Mac application
Re: Code Signing for Mac application
- Subject: Re: Code Signing for Mac application
- From: "Paul Sanders" <email@hidden>
- Date: Wed, 17 Feb 2010 16:19:15 -0000
Well, after all the kerfuffle, and Graham's kind (and
valuable) asistance, I decided to revisit this after all. This is what I
decided to do:
1. I now tell codesign to 'seal' only those files in my Resources folder that I care about.
Doing this, I have determined, means that if a file gets added to your Resources
folder after you sign / ship your app the signature remains valid. To me,
this, given the experiences I've had, is vital.
I do this by passing:
--resource-rules=codesign.plist
to codesign as per the technote Graham refers to (I do my
signing via a shell script, not through Xcode). Codesign.plist is a file created by me, which in my case,
contains the following:
<?xml version="1.0"
encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC
"-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>rules</key>
<dict>
<key>^Resources/WCL_dylib.dylib</key>
<true/>
<key>^Resources/hpslib.res</key>
<true/>
<key>^Resources/hpslib.stt</key>
<true/>
<key>^Resources/oemres.res</key>
<true/>
<key>^Resources/VinylStudio.res</key>
<true/>
<key>^Resources/VinylStudio.stt</key>
<true/>
</dict>
</dict>
</plist>
i.e. I sign 6 files in my Resources folder. Note
that you don't need to specify your binary in here (i.e. the file in
MacOS). This is included by default.
With this scheme in place, some simple experiments reveal
that:
- if a sealed resource is modified, codesign
-v -v reports 'resource modified'
- if a sealed resource is deleted,
codesign reports 'resource deleted'
- if any other resource is modified or
deleted, codesign continues to report 'valid on disk'
- if the binary is modified, codesign reports
'code object is not signed'
- if the binary is deleted, codesign reports
'object file format invalid or
unsuitable'
- you can also add files to your MacOS folder
without breaking the signature
2. It was trivial to sign my mpkg so I now do so,
not that it has any visible effect. What Safari should do of course, when
it downloads and runs a DMG containing an mpkg, is to tell the user whether
the package is signed, and if so, who by. I don't know whether changing
the contents of the mpkg breaks the sigature (obviously, it should) - there
seems to be no way to verify that a package is signed.
3. If, like me, you roll your own tamper-checking,
beware of the following little gem from the Technote:
"The Parental Controls, MCX, and Application Firewall
subsystems in Leopard, when encountering an unsigned program, will ad hoc sign
the program in order to track its identity from launch to launch. This will
usually modify the program on disk, and can happen without apparent user input,
e.g., when the Application Firewall first notices that your program is trying to
accept an inbound network connection. If your program can be damaged by signing,
it is imperative that you ship a signed version as soon as practical. Programs
signed by their manufacturer are not modified in this way."
I'm sure glad I spotted that one. So, if that
affects you, you'd better sign your code. I believe you can do this with a
self-signed identity, although I use a 'proper' authenticode certificate
obtained at modest cost from Comodo.
That's all folks. Thanks again for the
help, Graham.
Paul Sanders
----- Original Message -----
Sent: Tuesday, February 16, 2010 8:58 PM
Subject: Re: Code Signing for Mac
application
Thank you. When the bruises have healed I will take
a look.
I might have got into less of a tangle with all this if Package
Maker had fewer bugs. As I say, it was relocating my installs on Snow
Leopard without me realising it, see recent thread to which I contributed on
cocoa-dev (yes, I know, also off topic :) for details. But whether that's
the whole story, I'm far from convinced.
Paul Sanders.
-----
Original Message -----
From: "Graham Lee" <email@hidden>
To: "Paul
Sanders" <email@hidden>
Cc:
"Chris Espinosa" <email@hidden>; "XCode Users"
<email@hidden>
Sent:
Tuesday, February 16, 2010 8:37 PM
Subject: Re: Code Signing for Mac
application
On 16 Feb 2010, at 20:13, Paul Sanders wrote:
>
It's too late, for me. I had a miserable time and I have had enough.
Where is all this documented?
Hmm, I couldn't find docs for the
packagemaker GUI that describe this, but it's just a pull-down in the project
window that works in the same way as the Xcode pull-down. It's described in the
packagemaker CLI man page:
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden