Post

Replies

Boosts

Views

Activity

Reply to What is the proper way to export a certificate sing the commandline tool 'security'?
I have figured out what my problem was here. The reason for the error from:security set-key-partition-list was that the certificate did not include a private key. As for how to use security to export a certificate: in my case the answer is don't. Use openssl to generate the .p12 certificate file: openssl pkcs12 -export -out afile.p12 -inkey privte.key -in certificate.pem
Feb ’22
Reply to Why is the url passed in in NSFileProviderExtension:itemChangedAtURL different from NSFileProviderExtension:startProvidingItemAtURL?
To answer my own question it looks like the solution is to always use NSString stringByResolvingSymlinksInPath to resolve any symbolic links before trying to compare paths. My '_myRoot' contained a symbolic link because the path to the shared group folder returned by [[NSFileManager defaultManager] containerURLForSecurityApplicationGroupIdentifier: group_id] contains symbolic links.
Sep ’21
Reply to Can I update a resouce in a signed app and then just resign the updated resource?
Thanks for your reply but I think I have found out how to get this to work.(If the app were small I would not bother with this but it contains a lot of resources and code signing can take a bit of time.)The trick is that you need to reseal the app after updating and signing the resource. From my experiments the app seems to be sealed and the "_CodeSignature/CodeResources" file created when the bundles exactable is signed.So the following works after updating the file "myapp.app/Contents/Resources/CustomFile":codesign -f --s "Developer ID Application: MY Company" --options runtime --keychain "Buildsystem" "myapp.app/Contents/Resources/CustomFile"codesign -f -s "Developer ID Application: MY Company" --options runtime --keychain "Buildsystem" "myapp.app/Contents/MacOS/myapp"Note the '-f' option to force the resigning.If there is a better way to reseal the app maybe someone can tell me I couldn't find any documentation saying what triggers the sealing of the app.If what I am doing is 'bad' then maybe someone can tell me why I shouldn't do this.
Feb ’20
Reply to Is it required to notarize the package being installed by an installer on a dmg?
Thanks for the explanation.Doesn't that mean that so long as the user installs our app using the notarized installer then the app itself doesn't need to be notarized since it will not be marked as quarantined? (Assuming they do not try to distribute the unpacked app itself over the network.)This kind of points to a hole in the security provided by notarization and the gatekeeper. An evil person can wrap their virus infected app in an installer which hides the virus and have the installer notarized so that the actual virus is installed undetected.The only way to protect against this would be to mark anything created by a quarantined app as quarantined.
Feb ’20
Reply to Is it required to notarize the package being installed by an installer on a dmg?
Thanks for the reply,What you suggest is what I thought I may need to do which requires our automated build process to upload 2 separate packages to Apple and wait on each of them to be notarized before completing the build. Depending on how fast the network is and how long the notarization takes it will add a significant amount of time to the build process. Our build process builds a lot of different apps so this is painful.We may consider using a standard installer.The thing that still puzzles me is why the gatekeeper doesn't complain about the un notarized app when it starts. Any ideas as to why that may be?
Feb ’20