I am having a tough time finding an answer to my codesigning issues.
We have an application for Mac OS written under Cocoa. Finally - we did our codesigning, but I would like to add an extra security check - within the executable itself.
My idea is to validate the fingerprint of the certificate with which the current executable is signed when it is started. If it is missing or invalid (checked against a hardcoded hash within the application) - we shut it down.
So far, I haven't been able to obtain the certificate used to codesign the executable programmatically and check its data.
Does anyone have a clue on how to do this?
Thank you very much!
Martin K.
Comments (2)
Thanks friend!
I managed to do it for 10.6 with the new functionality but the problem is I am targeting 10.5 and 10.6, at least until some time passes.
I have to throw some more time into libsecurity_codesigning soon so this can be completed for 10.5 also.
But, for people who are looking for ready solutions around here, here is what I ended up with:
If you're targeting 10.6+ you can use the code signing functions in the Security framework (documentation), in particular SecCodeCheckValidity. Otherwise, the source code to the code signing system is in libsecurity_codesigning.
Since you're using the code signature to authenticate your code you should also validate the designated requirement with SecCodeCopyDesignatedRequirement.
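A sketch of the 10.6+ approach from the answer above, added here as an example and not code from either poster: the running process checks its own signature against a pinned requirement with SecCodeCheckValidity. The function name and the all-zero certificate hash are placeholders (assumptions); the requirement string uses the code signing requirement language to pin the leaf certificate's SHA-1 hash, which matches the "hardcoded hash" idea in the question.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Placeholder (assumption): replace the 40 hex digits with the SHA-1 hash of
// the certificate your release builds are signed with.
#define EXPECTED_REQUIREMENT \
    CFSTR("certificate leaf = H\"0000000000000000000000000000000000000000\"")

// Hypothetical helper: returns YES only if the running code has a valid
// signature AND that signature satisfies EXPECTED_REQUIREMENT.
// Call it early, e.g. from main() or applicationDidFinishLaunching:.
static BOOL RunningCodeSatisfiesPinnedRequirement(void)
{
    SecCodeRef me = NULL;
    SecRequirementRef requirement = NULL;
    BOOL ok = NO;

    // Handle to the code object of the current process.
    OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &me);

    // Compile the textual requirement into a SecRequirementRef.
    if (status == noErr) {
        status = SecRequirementCreateWithString(EXPECTED_REQUIREMENT,
                                                kSecCSDefaultFlags,
                                                &requirement);
    }

    // Validate the signature and test it against the requirement in one call.
    // An unsigned, tampered, or differently signed binary fails here.
    if (status == noErr) {
        status = SecCodeCheckValidity(me, kSecCSDefaultFlags, requirement);
        ok = (status == noErr);
    }

    if (!ok) {
        NSLog(@"Code signature check failed (OSStatus %d)", (int)status);
    }
    if (requirement) CFRelease(requirement);
    if (me) CFRelease(me);
    return ok;
}
```

Passing NULL instead of a requirement only confirms that the signature is internally valid, not who produced it, so the pinned requirement is what ties the check to your own certificate. Link against Security.framework; `codesign -d -r- YourApp.app` prints the designated requirement of a signed bundle if you prefer to pin that text instead.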