The following simple code validates the code signing of any Mac executable file, app bundle, or other code bundle.
However, if handed a path to an executable which happens to be the main executable of an app bundle (for example `/Applications/Mail.app/Contents/MacOS/Mail`), the SecStaticCodeRef will automatically encompass the whole wrapping bundle. Such a bundle could be huge, and the verification process can be both CPU and memory intensive. The documentation of SecStaticCodeCreateWithPath (see https://developer.apple.com/library/mac/documentation/Security/Reference/CodeSigningRef/#//apple_ref/c/func/SecStaticCodeCreateWithPath) states that "If you pass a URL to the main executable of a bundle, the bundle as a whole is generally recognized."

My question: how to 'persuade' either `SecStaticCodeCreateWithPath` or `SecStaticCodeCheckValidityWithErrors` NOT to do that, i.e. to represent only that main executable alone, without its bundle. I could not find any flags or attributes to do that, but I'm pretty much a novice with the Security framework, and I can't yet fully grasp the "SecStaticCode" object's role and use. Ideas anyone?

    #include <stdio.h>
    #include <string.h>
    #include <CoreFoundation/CoreFoundation.h>
    #include <Security/Security.h>

    void checkFileValidity(CFIndex idx, const char *filePath)
    {
        OSStatus result = noErr;
        printf("Validating %ld: ", idx);

        // Build a proper file:// URL from the file-system path.
        CFURLRef fileRef = CFURLCreateFromFileSystemRepresentation(kCFAllocatorDefault,
                                                                   (const UInt8 *)filePath,
                                                                   strlen(filePath),
                                                                   false);
        if (fileRef == NULL) return;

        // The static code object for the path; for a bundle's main executable
        // this represents the whole bundle.
        SecStaticCodeRef staticCode = NULL;
        result = SecStaticCodeCreateWithPath(fileRef, kSecCSDefaultFlags, &staticCode);
        CFRelease(fileRef);
        if (result != noErr) return;

        SecCSFlags staticVerifyOptions = kSecCSDefaultFlags; // kSecCSCheckAllArchitectures | kSecCSStrictValidate;
        CFErrorRef error = NULL;
        // No requirement is passed (NULL), so only signature integrity is checked.
        result = SecStaticCodeCheckValidityWithErrors(staticCode, staticVerifyOptions, NULL, &error); // Following call leaks memory.
        CFRelease(staticCode);

        switch (result) {
            case errSecSuccess:
                printf("Good.\n");
                break;
            default:
                printf("Failed with code:%d for %s\n", (int)result, filePath);
                if (error != NULL) {
                    CFShow(error);
                    CFRelease(error);
                }
                break;
        }
    }

Motti Shneor
---
Ceterum censeo Microsoftinem delendam esse
_______________________________________________
Cocoa-dev mailing list (Cocoa-dev@lists.apple.com)
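Added example (not code from the original post, and not an answer supplied by the Security framework documentation): a small macOS command-line tool that does what the post's checkFileValidity does, but also (a) passes an explicit code requirement instead of NULL, so a valid signature by the wrong signer fails, (b) reads back the signing information so the bundle promotion the post describes becomes visible in kSecCodeInfoFormat and kSecCodeInfoIdentifier, and (c) runs a second pass with kSecCSDoNotValidateResources, the documented flag that skips the resource walk that makes large bundles expensive. It does not stop the promotion itself; it makes it observable and shows the cost/coverage trade-off. Assumptions: macOS with the Security and Foundation frameworks, ARC, and the file name verify.m; "anchor apple" is only a placeholder requirement, and a real deployment would substitute its own designated requirement.

```objective-c
// Added example, not from the original post. Verifies a path against an explicit
// requirement, reports what SecStaticCode actually resolved the path to, and shows
// the documented flag that skips the resource walk. Requires macOS; build with:
//   clang -fobjc-arc -framework Foundation -framework Security verify.m -o verify
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Verify the code at `path`. `requirementText` is a code requirement in the usual
// requirement language ("anchor apple", or e.g.
// "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""); pass nil
// to check signature integrity only. *outInfo receives the signing information of
// the object that was actually verified.
static OSStatus VerifyPath(NSString *path, NSString *requirementText,
                           SecCSFlags verifyFlags, NSDictionary **outInfo,
                           NSError **outError)
{
    SecStaticCodeRef code = NULL;
    OSStatus status = SecStaticCodeCreateWithPath(
        (__bridge CFURLRef)[NSURL fileURLWithPath:path], kSecCSDefaultFlags, &code);
    if (status != errSecSuccess) return status;

    SecRequirementRef requirement = NULL;
    if (requirementText != nil) {
        status = SecRequirementCreateWithString((__bridge CFStringRef)requirementText,
                                                kSecCSDefaultFlags, &requirement);
        if (status != errSecSuccess) { CFRelease(code); return status; }
    }

    // If `path` was a bundle's main executable, this dictionary describes the
    // bundle: kSecCodeInfoFormat reads "bundle with Mach-O ..." and
    // kSecCodeInfoIdentifier is the bundle identifier, while
    // kSecCodeInfoMainExecutable still names the binary that was passed in.
    CFDictionaryRef info = NULL;
    if (SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &info) == errSecSuccess) {
        if (outInfo) *outInfo = CFBridgingRelease(info); else CFRelease(info);
    }

    CFErrorRef cfError = NULL;
    status = SecStaticCodeCheckValidityWithErrors(code, verifyFlags, requirement, &cfError);
    if (cfError != NULL) {
        if (outError) *outError = CFBridgingRelease(cfError); else CFRelease(cfError);
    }
    if (requirement) CFRelease(requirement);
    CFRelease(code);
    return status;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        if (argc < 2) {
            fprintf(stderr, "usage: %s <path> [requirement]\n", argv[0]);
            return 2;
        }
        NSString *path = @(argv[1]);
        NSString *requirement = argc > 2 ? @(argv[2]) : @"anchor apple"; // placeholder

        // Full check: every architecture, strict rules, nested code and resources.
        SecCSFlags full = kSecCSCheckAllArchitectures | kSecCSStrictValidate | kSecCSCheckNestedCode;
        // Cheap check: same object, but no walk over the resource envelope. This is
        // a security trade-off, not a free optimisation: a modified resource or
        // nested binary inside the bundle would pass. Use it only where a later
        // full check still covers the bundle contents.
        SecCSFlags noResources = kSecCSCheckAllArchitectures | kSecCSDoNotValidateResources;

        NSDictionary *info = nil;
        NSError *error = nil;
        OSStatus status = VerifyPath(path, requirement, full, &info, &error);
        NSLog(@"resolved: format=%@ identifier=%@ main=%@",
              info[(__bridge id)kSecCodeInfoFormat],
              info[(__bridge id)kSecCodeInfoIdentifier],
              [info[(__bridge id)kSecCodeInfoMainExecutable] path]);
        NSLog(@"full check: %d %@", (int)status,
              status == errSecSuccess ? (id)@"valid" : (id)error);

        error = nil;
        status = VerifyPath(path, requirement, noResources, NULL, &error);
        NSLog(@"no-resources check: %d %@", (int)status,
              status == errSecSuccess ? (id)@"valid" : (id)error);
        return status == errSecSuccess ? 0 : 1;
    }
}
```

Run it once with `/Applications/Mail.app/Contents/MacOS/Mail` and once with `/Applications/Mail.app`: both print the same bundle identifier and a "bundle with Mach-O" format, which is the promotion the post describes. The two NSLog lines correspond to `codesign -dv` (format and identifier) and `codesign --verify --ignore-resources` (the cheap pass), so the same observation can be made from the shell before writing any framework code.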