On Sun, Jan 25, 2009 at 12:54 AM, Chris Hanson <c...@me.com> wrote:
> On Jan 24, 2009, at 6:29 PM, Michael Ash wrote:
>
>> On Sat, Jan 24, 2009 at 6:08 PM, Chris Hanson <c...@me.com> wrote:
>>>
>>> Among other things, to be truly secure you must use a secure installation
>>> mechanism. Do not write your own install tool — it can't be made secure
>>> without itself being installed via a secure installation mechanism.
>>> Instead, use Installer.app for your installations since it's included with
>>> the operating system and not modifiable with normal user privileges.
>>
>> I'm afraid I don't understand this advice. Could you explain what sort
>> of vulnerability would exist in a custom install tool that would not
>> exist when using Installer.app to install a custom package?
>
> Because Installer.app is installed by the operating system you can - if
> you've taken appropriate security measures to begin with - be reasonably
> certain that it hasn't been tampered with.
>
> When writing your own install tool, you have a bootstrapping problem: You
> will eventually need to have the user authorize some untrusted code to run
> as root - code that could have been modified behind the user's back.
>
> An installer package could also have been writable by the user, but modern
> packages can be signed so their integrity can be checked.
So could a custom installer. It seems to me that the problem of protecting a custom installer and the problem of protecting a custom package being used with the system installer are equivalent. Is there a way that a custom binary can be tampered with that a custom .pkg is immune to?

Mike