Reply to Check revocation of certificates
The codesign tool gives the below as the type of certificate we used for the app and executable:

Authority=Apple Development:XXXXX
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA

The pkgutil tool gives the below as the type of certificate we used for the pkg:

Status: signed by a developer certificate issued by Apple (Development)
Certificate Chain:
1. 3rd Party Mac Developer Installer:XXXXX

I think we have used the 'Apple Development' certificate for the signing process, which can be revoked from the developer account.

Question: Does the revocation check API (SecPolicyCreateRevocation) need the app/pkg/executable to be signed with 'Developer ID Application' certificates only?
Aug ’22
Reply to Check revocation of certificates
@eskimo I want to do the below actions:

1. I extract the certificate chain of the app file.
2. I create a revocation policy using the API SecPolicyCreateRevocation(…).
3. I create a trust object with the above policy and certificate chain.
4. Then I evaluate the certificate chain from step 1 using the trust object created in step 3 using the API SecTrustEvaluate(…).

To test the above process, I have created binaries and signed them with an 'Apple Development' certificate created via the Apple developer site. I revoked the certificate and was expecting SecTrustEvaluate to give a failure result, but I am getting 'kSecTrustResultUnspecified'. So I want your help in case I am missing anything, and what the proper way of checking revocation of certificates should be.
Aug ’22
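The four steps in the reply above, as an added Swift example (not the poster's code): it reads the signing chain of a file through the Security framework's SecStaticCode APIs, attaches a revocation policy that requires a positive OCSP/CRL answer, and evaluates the chain. The file path, the error enum and the choice of revocation flags are assumptions for illustration.

```swift
import Foundation
import Security

// Assumed error type for this example (not part of the Security framework).
enum RevocationCheckError: Error {
    case notCode(OSStatus), noCertificateChain, policyCreation, trustCreation(OSStatus)
}

// Returns the trust result plus the evaluation error (nil when the chain passed).
func checkRevocation(ofBinaryAt path: String) throws -> (SecTrustResultType, Error?) {
    // Step 1: extract the certificate chain from the file's code signature.
    var staticCode: SecStaticCode?
    let status = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else {
        throw RevocationCheckError.notCode(status)
    }
    var info: CFDictionary?
    let infoFlags = SecCSFlags(rawValue: UInt32(kSecCSSigningInformation))
    guard SecCodeCopySigningInformation(code, infoFlags, &info) == errSecSuccess,
          let signing = info as? [String: Any],
          let chain = signing[kSecCodeInfoCertificates as String] as? [SecCertificate],
          !chain.isEmpty else {
        throw RevocationCheckError.noCertificateChain
    }

    // Step 2: revocation policy. kSecRevocationRequirePositiveResponse makes a
    // missing OCSP/CRL answer a failure instead of a silent pass, so the check
    // needs network access to reach the responder.
    let revocationFlags = CFOptionFlags(kSecRevocationUseAnyAvailableMethod |
                                        kSecRevocationRequirePositiveResponse)
    guard let revocation = SecPolicyCreateRevocation(revocationFlags) else {
        throw RevocationCheckError.policyCreation
    }
    let policies = [SecPolicyCreateBasicX509(), revocation] as CFArray

    // Step 3: build the trust object over the chain (leaf first) with both policies.
    var trust: SecTrust?
    let trustStatus = SecTrustCreateWithCertificates(chain as CFArray, policies, &trust)
    guard trustStatus == errSecSuccess, let trustObject = trust else {
        throw RevocationCheckError.trustCreation(trustStatus)
    }

    // Step 4: evaluate. A revoked certificate yields false and a CFError
    // describing the failure; .unspecified or .proceed means the chain passed.
    var evalError: CFError?
    let passed = SecTrustEvaluateWithError(trustObject, &evalError)
    var result = SecTrustResultType.invalid
    _ = SecTrustGetTrustResult(trustObject, &result)
    return (result, passed ? nil : evalError)
}
```

When reporting on an endpoint, treat a thrown error and a returned non-nil evaluation error as distinct outcomes: the first means the file could not be checked, the second that the chain failed the policy.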
Reply to Check revocation of certificates
It is an Endpoint Security product where an admin controls end user systems. One control is "Reporting files whose certificates are revoked by owner". The steps I am trying to achieve the above-mentioned objective with are given in the previous reply. So please help me to understand how I should test the revoked binaries using the SecTrustEvaluate API.
Sep ’22
Reply to Check revocation of certificates
Thanks for the detailed explanation. It is correct that Development-signed code [signed with Apple Development: TTT] is already restricted, but as a developer, I have access to only the 'Apple Development' certificate available in the Apple Developer account. So, just to validate/test my application, is there any way to check the revocation status of a file signed by an 'Apple Development' certificate?
Sep ’22