On 4 Aug 2012, at 08:08 PM, James Merkel <jmerk...@me.com> wrote:

> On Sat, 04 Aug 2012 15:08:54 +0100 Mike Abdullah wrote:
> 
>> A) Your customers aren't going to be very happy about that
>> B) You can still codesign with a self-signed certificate, and really should 
>> have been doing so since the 10.5 days
> 
> Except that the Code Signing Guide says the following:
> 
> "Do not ship applications signed by self-signed certificates. A self-signed 
> certificate created with the Certificate Assistant is not recognized by 
> users’ operating systems as a valid certificate for any purpose other than 
> validating the designated requirement of your signed code. Because a 
> self-signed certificate has not been signed by a recognized root certificate 
> authority, the user can only verify that two versions of your application 
> came from the same source; they cannot verify that your company is the true 
> source of the code. For more information about root authorities, see 
> “Security Concepts”."
> 
> So I take it from this statement that if you allow downloads from Identified 
> Developers in your ML Security preferences, the download still won't be 
> allowed if it's a self-signed certificate.

Correct. Self-signing purely guarantees that a new version of an app came from 
the same developer as the previous version. Pre-Developer ID, the benefits were:

- keychain prompts only appear the once, rather than once per version
- firewall didn't prompt about your app in some configs

There may be others I've forgotten.

These days you need to be code signed to use security-scoped bookmarks or 
notification centre. Self-signing is really just a stopgap now to give you 
those features before applying for a Developer ID.
_______________________________________________

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
