Re: Code Signing Examples

2009-02-20 Thread Chris Suter
Hi Tom,

(Sorry Tom for the duplicate—I meant to send this to the list earlier.
Also, cross posting is generally frowned upon and the best list for
code signing questions is the apple-cdsa list.)

On Sat, Feb 21, 2009 at 1:47 AM, Tom Fortmann wrote:
> Can anyone point me to sample code on how to verify an application or
> process is signed?  My application executes a couple other processes and I
> would like to validate their signatures before I blindly execute them.  I've
> found a ton of Apple documentation on the theory but not a lot on practical
> application within my code.  I've also looked at simply running the codesign
> utility and parsing its XML output, but this seems like a weak design.  What
> if codesign gets replaced?

That's what you're supposed to do; you run codesign. They might expose
different APIs with Snow Leopard and later releases but at this time,
codesign is the only one you can rely on.

If codesign gets replaced it means someone has root privileges which
means it's game over anyway so don't worry about that. You do realise
that if you're worried about others tampering with your binaries, it's
a difficult problem to solve. You'd need to make sure that the system
wasn't compromised at time of installation (otherwise a hacker can
just modify your installation and remove the codesign checks) and make
sure that all your files are installed somewhere with restricted
permissions (otherwise your codesign checks can be removed), but if
you've done that you don't need to run codesign since your files have
restricted permissions and the only way to modify them would be if you
had root permissions (which is game over).

So, if I were you, I wouldn't bother. That's not what code signing is
for at this point in time although that may change with future OS
updates.

Kind regards,

Chris
___

Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)

Please do not post admin requests or moderator comments to the list.
Contact the moderators at cocoa-dev-admins(at)lists.apple.com

Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com

This email sent to arch...@mail-archive.com


RE: Code Signing Examples

2009-02-20 Thread Tom Fortmann
That is a good point.  Someone else also pointed out that once a hacker gets
root authority all bets are off.  Ideally this level of authentication
belongs in the OS.  Once a signed application or process is installed the OS
should enforce the signature before executing the process.  Not sure if this
can be done with 10.5 or 10.6.  And I'm not sure how you prevent someone
from replacing the module with a corrupt unsigned version.  For now we are
just looking for a reasonable approach to validate the authenticity of our
application components.

___

Thomas Fortmann
Director of Development 
Xcape Solutions, Inc. 
207 Crystal Grove Blvd. 
Lutz, FL 33548
 
TEL 847 228 9831
www.xcapesolutions.net
tfortm...@xcapesolutions.net 



-Original Message-
From: Damien Sorresso [mailto:dsorre...@apple.com] 
Sent: Friday, February 20, 2009 2:40 PM
To: Tom Fortmann
Cc: cocoa-dev@lists.apple.com; darwin-...@lists.apple.com
Subject: Re: Code Signing Examples

On Feb 20, 2009, at 6:47 AM, Tom Fortmann wrote:
> Can anyone point me to sample code on how to verify an application  
> or process is signed?  My application executes a couple other  
> processes and I would like to validate their signatures before I  
> blindly execute them.  I've found a ton of Apple documentation on  
> the theory but not a lot on practical application within my code.   
> I've also looked at simply running the codesign utility and parsing  
> its XML output, but this seems like a weak design.  What if codesign
> gets replaced?


Keep in mind that you'll be subject to a "time of check versus time of  
use" race condition. Even if you verify that the binaries on-disk are  
valid, someone could swap out the binary for an evil one just after  
the check and just before the exec(2).
-- 
Damien Sorresso
BSD Engineering
Apple Inc.



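Chris's advice (run codesign, keep the helper where only root can write) and Damien's caveat (the check and the exec(2) are two separate operations, so the race remains) put together in one small launcher. This is an added example written for this thread, not code from any of the posters or from Apple. It assumes macOS with codesign(1) on PATH; the requirement string, the helper path and the `runner`/`spawner` hooks are hypothetical, and the hooks exist only so the decision logic can be exercised without a Mac.

```python
"""Gate a helper launch on codesign(1) instead of parsing its output.

Added example for this thread, not code from any of the posters.  Assumes
macOS with codesign(1) on PATH.  `runner` and `spawner` are hypothetical
hooks so the decision logic can be exercised offline with stand-ins; in
production leave them at their defaults.
"""
import os
import stat
import subprocess
from dataclasses import dataclass
from typing import Callable, Sequence

# Hypothetical designated requirement for the helper we intend to launch:
# the certificate chain must end at an Apple root and the code must carry
# this identifier.  Pinning a requirement is what stops any validly signed
# binary from passing the check.
HELPER_REQUIREMENT = 'anchor apple generic and identifier "com.example.helper"'

Runner = Callable[[Sequence[str]], "subprocess.CompletedProcess[str]"]


@dataclass
class VerifyResult:
    ok: bool
    argv: Sequence[str]   # exact codesign command line, useful for logging
    detail: str           # codesign's stderr, kept for logging only


def run_codesign(argv: Sequence[str]) -> "subprocess.CompletedProcess[str]":
    """Default runner: execute codesign(1) directly, never through a shell."""
    return subprocess.run(list(argv), capture_output=True, text=True)


def verify_signature(path: str, requirement: str = HELPER_REQUIREMENT,
                     runner: Runner = run_codesign) -> VerifyResult:
    """Have codesign verify `path` and test it against `requirement`.

    The decision rests on the exit status alone (0 means the signature is
    valid on disk and satisfies the requirement), so nothing here depends
    on the wording of codesign's text or XML output.
    """
    # "-R=" followed by text passes an inline requirement string.
    argv = ["codesign", "--verify", "--verbose", "-R=" + requirement, path]
    proc = runner(argv)
    return VerifyResult(proc.returncode == 0, argv, (proc.stderr or "").strip())


def writable_by_others(mode: int) -> bool:
    """True if group or world may write a file with these permission bits.

    Chris's point: if the helper lives where unprivileged users can write,
    the signature check is moot, because the checker itself can be replaced.
    """
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def launch_verified(path: str, args: Sequence[str] = (),
                    runner: Runner = run_codesign,
                    spawner: Callable[..., subprocess.Popen] = subprocess.Popen
                    ) -> subprocess.Popen:
    """Spawn `path` only if it sits in a protected location and codesign
    accepts it against HELPER_REQUIREMENT.

    Damien's caveat still applies: verification and exec act on a path name
    at two different moments, so whoever can replace the file in between
    wins the race.  The permission check narrows that "whoever" to root; it
    does not close the window.
    """
    st = os.stat(path)
    if writable_by_others(st.st_mode):
        raise PermissionError(f"{path} is writable by group/other; refusing")
    result = verify_signature(path, runner=runner)
    if not result.ok:
        raise PermissionError(f"{path} failed codesign: {result.detail or 'no detail'}")
    return spawner([path, *args])


if __name__ == "__main__":
    # Hypothetical helper path; on a real Mac this runs codesign for real.
    proc = launch_verified("/Library/Application Support/Example/helper")
    proc.wait()
```

Reading the exit status rather than codesign's output is the part that survives a future change of codesign's text or XML format; the requirement string is what makes the check mean "our helper" rather than "something Apple's chain vouches for".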


Re: Code Signing Examples

2009-02-20 Thread Olivier Palliere

Hi Tom,

Maybe you can have a look at what Mike Bombich did a few years ago,  
really great stuff on Authenticated Application, and proven to be VERY  
useful.


https://source.bombich.com/websvn/listing.php?repname=Authenticated_Application&path=%2F&sc=1

Oli./.


On Feb 20, 2009, at 3:47 PM, Tom Fortmann wrote:

> Can anyone point me to sample code on how to verify an application or
> process is signed?  My application executes a couple other processes and I
> would like to validate their signatures before I blindly execute them.  I've
> found a ton of Apple documentation on the theory but not a lot on practical
> application within my code.  I've also looked at simply running the codesign
> utility and parsing its XML output, but this seems like a weak design.  What
> if codesign gets replaced?
>
> Tom



Code Signing Examples

2009-02-20 Thread Tom Fortmann
Can anyone point me to sample code on how to verify an application or
process is signed?  My application executes a couple other processes and I
would like to validate their signatures before I blindly execute them.  I've
found a ton of Apple documentation on the theory but not a lot on practical
application within my code.  I've also looked at simply running the codesign
utility and parsing its XML output, but this seems like a weak design.  What
if codesign gets replaced?

Tom