Reply to codesign/productsign 3rd party TSAs

Thanks, Etresoft, for the quick response.

You mean other than Apple? Trusted by whom? The codesign command does support a timestamp server parameter. If you trust the server, then you can supply a parameter. I have no idea if it works or not.

Yes, I mean trusted by Apple. What I have seen with experimentation is that when I sign with some TSA other than that of Apple (http://timestamp.apple.com/ts01), then Authority=(unavailable) is shown in the signature; that’s the reason I'm not sure it will work. Basically, I'm exploring the option of signing artifacts with another TSA in case Apple's TSA is down. Please find below the output of the codesign verify command on an artifact signed with and without Apple's TSA.

Also, can there be any unforeseen issues after signing? Some minor operating system update causes your app to stop working? Your app stops working on its own on some random date in the future and no one knows why? Your customers band together and file a class-action lawsuit?

This is exactly what I am worried about, the unforeseen issues. Basically, if there is a slight possibility of any of the above issues, then it becomes a no-go for me, but then it makes me wonder why there is an option to specify a TSA in the codesign command.

I see no timestamp server option in the productsign command.

The productsign man page only describes the --timestamp or --timestamp=none options; does that mean we cannot pass a custom TSA?

➜	TestAppfe336ce1-1a24-4ef7-9540-5b2e67d5ef95 codesign -fs C33F74F52338E990231916C20C3D57E09E8A1D38 TestApp.app --timestamp=http://timestamp.apple.com/ts01
TestApp.app: replacing existing signature

➜	TestAppfe336ce1-1a24-4ef7-9540-5b2e67d5ef95 codesign --verify --deep --verbose=4 --display TestApp.app
Executable=${pathToApp}/TestApp.app/Contents/MacOS/TestApp
Identifier=com.zyx.test.TestApp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=636 flags=0x0(none) hashes=14+3 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=a17687c5eb3457a758d758ef9a6a2e100676ecb7
CandidateCDHashFull sha256=a17687c5eb3457a758d758ef9a6a2e100676ecb7b6a384c0fc870a7591b9bd38
Hash choices=sha256
CMSDigest=a17687c5eb3457a758d758ef9a6a2e100676ecb7b6a384c0fc870a7591b9bd38
CMSDigestType=2
Page size=4096
CDHash=a17687c5eb3457a758d758ef9a6a2e100676ecb7
Signature size=9053
Authority=Apple Development: abc@zyx.com (${TeamID})
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Jan 31, 2021 at 10:21:03 PM
Info.plist entries=21
TeamIdentifier=78LUKHP485
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=192

➜	TestAppfe336ce1-1a24-4ef7-9540-5b2e67d5ef95 codesign -fs C33F74F52338E990231916C20C3D57E09E8A1D38 TestApp.app --timestamp=http://timestamp.entrust.net/TSS/RFC3161sha2TS
TestApp.app: replacing existing signature

➜	TestAppfe336ce1-1a24-4ef7-9540-5b2e67d5ef95 codesign --verify --deep --verbose=4 --display TestApp.app
Executable=${pathToApp}/TestAppfe336ce1-1a24-4ef7-9540-5b2e67d5ef95/TestApp.app/Contents/MacOS/TestApp
Identifier=com.zyx.test.TestApp
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=636 flags=0x0(none) hashes=14+3 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=721152
Hash type=sha256 size=32
CandidateCDHash sha256=a17687c5eb3457a758d758ef9a6a2e100676ecb7
CandidateCDHashFull sha256=a17687c5eb3457a758d758ef9a6a2e100676ecb7b6a384c0fc870a7591b9bd38
Hash choices=sha256
CMSDigest=a17687c5eb3457a758d758ef9a6a2e100676ecb7b6a384c0fc870a7591b9bd38
CMSDigestType=2
Page size=4096
CDHash=a17687c5eb3457a758d758ef9a6a2e100676ecb7
Signature size=10051
Authority=(unavailable)
Info.plist=not bound
TeamIdentifier=78LUKHP485
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=192
Feb ’21
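
The difference between the two outputs in the post can be turned into a release check. The following is an added example, not part of the original post: the function names `parse_display` and `release_gate` are hypothetical, and the sample text is abridged from the two `codesign --display --verbose=4` outputs quoted above.

```python
# Sample fields abridged from the two codesign outputs quoted in the post.
APPLE_TSA_OUTPUT = """\
Identifier=com.zyx.test.TestApp
CDHash=a17687c5eb3457a758d758ef9a6a2e100676ecb7
Signature size=9053
Authority=Apple Development: abc@zyx.com (${TeamID})
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Timestamp=Jan 31, 2021 at 10:21:03 PM
Info.plist entries=21
TeamIdentifier=78LUKHP485
"""

THIRD_PARTY_TSA_OUTPUT = """\
Identifier=com.zyx.test.TestApp
CDHash=a17687c5eb3457a758d758ef9a6a2e100676ecb7
Signature size=10051
Authority=(unavailable)
Info.plist=not bound
TeamIdentifier=78LUKHP485
"""

def parse_display(text):
    """Collect key=value lines; Authority repeats, so it is kept as a list."""
    fields = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue  # lines without '=' carry no field
        if key == "Authority":
            fields["Authority"].append(value)
        else:
            fields[key] = value
    return fields

def release_gate(text):
    """Return the problems found; an empty list means the display looks complete."""
    f = parse_display(text)
    problems = []
    if not f["Authority"] or "(unavailable)" in f["Authority"]:
        problems.append("certificate chain not shown (Authority unavailable)")
    if "Timestamp" not in f:
        problems.append("no secure timestamp displayed")
    if f.get("Info.plist") == "not bound":
        problems.append("Info.plist not bound to signature")
    return problems
```

In a build pipeline the input would be the captured output of the same `codesign --verify --deep --verbose=4 --display` command used in the post; codesign writes this display text to stderr.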