Signing libraries in a Mac App Store application

Posted on 2024-12-13 04:37:15 · 294 words · 0 views · 0 comments

I've just submitted an app to the Mac App Store that uses some external dynamic libraries.

I got an email from Apple saying that:

Invalid Signature - the executable something.app/Contents/Frameworks/some.dylib is not signed, the signature is invalid, or it is not signed with an Apple submission certificate. Refer to the Code Signing and Application Sandboxing Guide for more information.

The problem is of course caused by the fact that I only signed "my" executable, not the libraries.

Is it common/good practice to also sign the libraries, even though they're not written by me?

Comments (1)

木落 2024-12-20 04:37:15

Think of digitally signing a file as:

  1. A means of verifying the integrity of that file, thus making it possible to detect whether it’s been modified;

  2. A means of verifying who published that file, which is not the same as writing the corresponding source code. You’re attesting that it was really you who’s shipped that file.

Since dynamic libraries contain executable code, it’s good practice (and in some cases, such as the MAS, mandatory) to digitally sign them for the same reason you sign the main executable file: guaranteeing that your application is exactly what you (and only you) have shipped from your build machine, no changes whatsoever. A running program includes the main executable file and all loaded libraries. If you sign the main executable file only, leaving the dynamic libraries unsigned, it would be possible to alter the dynamic libraries (or even replace them), thus changing what your program does.
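
A pre-submission check for the situation discussed above, as an added example that is not part of the original post: it walks a bundle and lists every Mach-O file (thin or universal) that has no `LC_CODE_SIGNATURE` load command. The function names are hypothetical and `fake_macho` builds constructed sample input; the presence of the load command shows only that a signature is embedded, not that it is valid or made with the right certificate.

```python
import struct
from pathlib import Path

MH_MAGIC, MH_MAGIC_64 = b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"  # thin Mach-O, little-endian
FAT_MAGIC = b"\xca\xfe\xba\xbe"                  # universal binary, big-endian header
LC_CODE_SIGNATURE = 0x1D                         # load command locating the signature blob

def has_code_signature(image):
    """True/False for a thin Mach-O image, None if the bytes are not Mach-O."""
    if len(image) < 28 or image[:4] not in (MH_MAGIC, MH_MAGIC_64):
        return None
    (ncmds,) = struct.unpack_from("<I", image, 16)
    offset = 32 if image[:4] == MH_MAGIC_64 else 28   # mach_header_64 / mach_header size
    for _ in range(ncmds):
        if offset + 8 > len(image):
            break                                     # truncated load commands
        cmd, cmdsize = struct.unpack_from("<II", image, offset)
        if cmd == LC_CODE_SIGNATURE:
            return True
        if cmdsize < 8:
            break                                     # malformed; stop instead of looping
        offset += cmdsize
    return False

def slices(data):
    """Yield each thin image: the file itself, or one per architecture of a fat file."""
    if data[:4] != FAT_MAGIC or len(data) < 8:
        yield data
        return
    (nfat,) = struct.unpack_from(">I", data, 4)
    for i in range(min(nfat, (len(data) - 8) // 20)):  # never read past the file
        off, size = struct.unpack_from(">II", data, 16 + 20 * i)
        yield data[off:off + size]

def unsigned_code(bundle):
    """Bundle-relative paths of Mach-O files with at least one unsigned slice."""
    bundle = Path(bundle)
    files = sorted(p for p in bundle.rglob("*") if p.is_file() and not p.is_symlink())
    return [p.relative_to(bundle).as_posix() for p in files
            if False in [has_code_signature(s) for s in slices(p.read_bytes())]]

def fake_macho(signed):
    """Constructed sample: 64-bit dylib header plus one load command."""
    uuid = struct.pack("<II16x", 0x1B, 24)                 # LC_UUID: not a signature
    sig = struct.pack("<4I", LC_CODE_SIGNATURE, 16, 0, 0)  # linkedit_data_command layout
    cmd = sig if signed else uuid
    return MH_MAGIC_64 + struct.pack("<7I", 0x0100000C, 0, 6, 1, len(cmd), 0, 0) + cmd
```

Calling `unsigned_code("some.app")` on a built bundle returns the files that still need signing. On macOS, `codesign --verify --deep --strict some.app` then performs the actual cryptographic verification.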
