Hi,

On Wed, 25 Mar 2026 at 12:48, Neil C Smith <[email protected]> wrote:

> On macOS, extraction of the installer archive for verification is
> easier. However, I am not sure that removing the signature is a
> viable process. The information I've read seems currently a bit hazy
> on what changes applying the hardened runtime does, and whether that
> is fully reversible. I'll do some checking next time I fire up the
> mac to see if I can reliably remove a signature and end up with the
> input file.
Just to follow up on this after a quick test. The short answer is it doesn't seem to be feasible to remove the signatures and verify.

The longer answer is that it's more complicated than I initially thought. It is feasible with some of our dependencies with native binaries, but not all. Generally, there is already some sort of signature in the binary added during the build by the third party. IIRC this is a hard requirement on Apple Silicon, even if it's an ad hoc certificate. As part of the NBPackage installer build, it forcibly re-signs these binaries with the required certificate and entitlements for the application as a whole. So, we need to remove the signature on both sides to compare - installed file and the file from the original zip. However, even then it seems this is not bit-for-bit identical for all files, and depends on how those files in the zip were originally signed.

Best wishes,

Neil
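The comparison Neil describes (strip the signature from the installed binary and from the copy in the original zip, then diff) fails for some files because re-signing can change more than the signature blob: the `__LINKEDIT` segment and the `LC_CODE_SIGNATURE` load command grow when a larger signature with entitlements is attached. The following is an added example, not code from this thread or from the NBPackage project, that parses the Mach-O load commands of two images, hashes each with its signature blob masked, and reports which load commands still differ. The three images are constructed in-script fixtures with a fake signature blob, not real binaries; the parser only handles little-endian 64-bit thin Mach-O files, so universal (fat) binaries would have to be split first:

```python
import hashlib
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_UUID = 0x1B
LC_CODE_SIGNATURE = 0x1D
HEADER_SIZE = 32  # sizeof(struct mach_header_64)


def parse_load_commands(data):
    """Return [(cmd, raw_bytes)] for a little-endian 64-bit thin Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image (fat/32-bit not handled)")
    cmds, off = [], HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        cmds.append((cmd, bytes(data[off:off + cmdsize])))
        off += cmdsize
    if off != HEADER_SIZE + sizeofcmds:
        raise ValueError("load commands do not match sizeofcmds")
    return cmds


def describe(cmd, raw):
    """Human-readable name for a load command; segments include their name."""
    if cmd == LC_SEGMENT_64:
        segname = struct.unpack_from("<16s", raw, 8)[0].rstrip(b"\0").decode()
        return f"LC_SEGMENT_64({segname})"
    return {LC_UUID: "LC_UUID", LC_CODE_SIGNATURE: "LC_CODE_SIGNATURE"}.get(cmd, f"LC_{cmd:#x}")


def signature_range(data):
    """(file offset, size) of the code-signature blob, or None if the image is unsigned."""
    for cmd, raw in parse_load_commands(data):
        if cmd == LC_CODE_SIGNATURE:
            _, _, dataoff, datasize = struct.unpack_from("<4I", raw, 0)
            return dataoff, datasize
    return None


def masked_digest(data):
    """SHA-256 of the image with the code-signature blob zeroed out."""
    buf = bytearray(data)
    rng = signature_range(data)
    if rng:
        off, size = rng
        buf[off:off + size] = b"\0" * size
    return hashlib.sha256(buf).hexdigest()


def compare_images(a, b):
    """Does the pair agree outside the signature blob, and which load commands differ?"""
    ca, cb = parse_load_commands(a), parse_load_commands(b)
    differing = [describe(c1, r1) for (c1, r1), (_c2, r2) in zip(ca, cb) if r1 != r2]
    if len(ca) != len(cb):
        differing.append("load command count")
    return {"masked_equal": masked_digest(a) == masked_digest(b),
            "differing_commands": differing}


def build_sample(sig_blob, uuid=b"\x11" * 16):
    """Constructed fixture: minimal Mach-O with __TEXT, __LINKEDIT, LC_UUID and a signature."""
    sig_off = 0x100  # the blob lives at the start of __LINKEDIT
    seg = "<2I16s4Q2i2I"  # struct segment_command_64 (72 bytes)
    text = struct.pack(seg, LC_SEGMENT_64, 72, b"__TEXT", 0, 0x1000, 0, 0x1000, 7, 5, 0, 0)
    linkedit = struct.pack(seg, LC_SEGMENT_64, 72, b"__LINKEDIT", 0x1000, 0x1000,
                           sig_off, len(sig_blob), 1, 1, 0, 0)
    uuid_cmd = struct.pack("<2I16s", LC_UUID, 24, uuid)
    sig_cmd = struct.pack("<4I", LC_CODE_SIGNATURE, 16, sig_off, len(sig_blob))
    cmds = text + linkedit + uuid_cmd + sig_cmd
    # cputype 0x0100000C = CPU_TYPE_ARM64, filetype 2 = MH_EXECUTE
    header = struct.pack("<8I", MH_MAGIC_64, 0x0100000C, 0, 2, 4, len(cmds), 0, 0)
    body = header + cmds
    return body + b"\0" * (sig_off - len(body)) + sig_blob


# Constructed scenarios (fake signature blobs, not real CMS/CodeDirectory data):
ORIGINAL = build_sample(b"ADHOC-SIG".ljust(64, b"\0"))            # as shipped by the third party
RESIGNED_SAME = build_sample(b"DEV-ID-SIG".ljust(64, b"\0"))      # re-signed, blob same size
RESIGNED_GROWN = build_sample(b"DEV-ID+ENTITLEMENTS".ljust(96, b"\0"))  # re-signed, blob grew

if __name__ == "__main__":
    for name, other in (("same-size", RESIGNED_SAME), ("grown", RESIGNED_GROWN)):
        print(name, compare_images(ORIGINAL, other))
```

When only the blob differs, the masked digests match and no load command differs, so the two files are equivalent modulo signature. When the re-signed blob is larger, `__LINKEDIT` and `LC_CODE_SIGNATURE` both change and the masked digests no longer match, which is the kind of non-identical result the thread reports; the list of differing load commands tells you whether the remaining difference is confined to signature bookkeeping or reaches into code and data segments.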
