I am working on Mac apps in a vertical market that use a USB dongle to make sure users pay for it. It is quite expensive and demanded enough that the "black hats" tried to crack the key scheme, so the application checks the executable and key resource files at run time, and if something was tampered with, the program will not start.
As PKI (Public Key Infrastructure)-based code signing is becoming more and more common in the Mac world, I am considering switching to it to perform this runtime check, which will have the nice side effect of making Gatekeeper happy.
However, Apple’s interest is very different from mine. Their focus is on making the user happy, so if the application has the wrong signature, Mac OS X will simply ask the user if they want to run it anyway. My focus is on stopping crackers, so if my application has an incorrect signature, I just don’t want it to do anything useful for the end user.
So, I want my application to be able to verify its own executable and resources using Apple signatures at runtime.
In addition, from what I read about the libraries Mac OS X offers for verification, they simply give a yes or no answer to requests to check the executable. It seems to me that this is susceptible to black hat attacks in several ways - for example, you can simply replace Apple tools with those that always say “yes, it really is,” either in system directories or by changing the search path for these tools. Therefore, I think it would be nice to create a complete set of signature verification code in my application.
So, I have a few questions:
- What PKI / API libraries are available so that the application can verify its own executable file and resources that were signed using the Apple codesign system?
- Do these libraries have source code?
- Are there security issues in using the PKI libraries that Apple sends with Mac OS X, or are they safer to use than I think?
- Does anyone have experience with these kinds of things that they would like to share? Are there any other gotchas or tips?
Thanks in advance for your help.
xcode code-signing macos pki
Bob Murphy
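The API the question is asking about is Security.framework's code-signing interface (SecCode / SecStaticCode), which is what `codesign --verify` uses under the hood. The following is an added example written for this page, not code from the question or from Apple; it shows a self-check that validates both the running process (dynamic) and its on-disk bundle (static) against an explicit designated requirement pinned to the developer's Team ID. `TEAM_ID_PLACEHOLDER`, the function name `SelfSignatureIsValid` and the use of `kSecCSDefaultFlags` throughout are assumptions of this example.

```objective-c
// Added example (not from the question): verify the running app's own
// code signature with Security.framework and refuse to continue unless the
// signature satisfies a designated requirement tied to the developer's Team ID.
// Assumptions: the app is signed with an Apple-issued (Developer ID) certificate,
// and TEAM_ID_PLACEHOLDER is replaced with the real 10-character Team ID.
// Build: clang -framework Foundation -framework Security selfcheck.m -o selfcheck
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Requirement language: chain must root at Apple, and the leaf certificate's
// Organizational Unit (Apple puts the Team ID there) must be ours. A binary
// re-signed with someone else's or an ad-hoc identity fails this test.
#define EXPECTED_REQUIREMENT \
    CFSTR("anchor apple generic and certificate leaf[subject.OU] = \"TEAM_ID_PLACEHOLDER\"")

// Returns YES only if the currently executing code is validly signed and its
// signature satisfies EXPECTED_REQUIREMENT; otherwise NO with the OSStatus
// wrapped in *error.
BOOL SelfSignatureIsValid(NSError **error) {
    SecCodeRef selfCode = NULL;
    SecStaticCodeRef staticCode = NULL;
    SecRequirementRef requirement = NULL;
    OSStatus status = errSecSuccess;
    BOOL ok = NO;

    // 1. Handle to the running process's own code object.
    status = SecCodeCopySelf(kSecCSDefaultFlags, &selfCode);
    if (status != errSecSuccess) goto done;

    // 2. Compile the requirement we insist on (not just "some valid signature").
    status = SecRequirementCreateWithString(EXPECTED_REQUIREMENT,
                                            kSecCSDefaultFlags, &requirement);
    if (status != errSecSuccess) goto done;

    // 3. Dynamic check: the in-memory image still matches its signature
    //    and meets the requirement.
    status = SecCodeCheckValidity(selfCode, kSecCSDefaultFlags, requirement);
    if (status != errSecSuccess) goto done;

    // 4. Static check: the on-disk bundle (executable, Info.plist and the
    //    sealed resources listed in CodeResources) is unmodified since signing.
    status = SecCodeCopyStaticCode(selfCode, kSecCSDefaultFlags, &staticCode);
    if (status != errSecSuccess) goto done;
    status = SecStaticCodeCheckValidity(staticCode, kSecCSDefaultFlags, requirement);
    if (status != errSecSuccess) goto done;

    ok = YES;

done:
    if (!ok && error) {
        *error = [NSError errorWithDomain:NSOSStatusErrorDomain code:status userInfo:nil];
    }
    if (requirement) CFRelease(requirement);
    if (staticCode) CFRelease(staticCode);
    if (selfCode) CFRelease(selfCode);
    return ok;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        NSError *error = nil;
        if (!SelfSignatureIsValid(&error)) {
            NSLog(@"Code signature check failed: %@", error);
            return 1;   // do nothing useful if the signature does not hold
        }
        NSLog(@"Code signature OK");
    }
    return 0;
}
```

Two points the question raises are worth stating against this code. First, passing an explicit requirement matters: calling `SecCodeCheckValidity` with a NULL requirement only asks "is this validly signed by anyone", which a re-signed binary would satisfy. Second, the check runs inside the very process that a tampering attacker controls and calls a dynamically linked framework, so it raises the cost of tampering rather than proving integrity; the trustworthy verdict in this model comes from the OS (Gatekeeper, the kernel's code-signing enforcement), not from the application judging itself.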