Check code signature of another APP bundle

Question

Created Mar ’21

Replies 2

Boosts 0

Views 1.3k

Participants 2

Is it possible to check a code signature of another application bundle on Objective C?

Our app has Auto Update function. We need to check the downloaded APP bundle from a ZIP to make sure that it's our application (valid signature and our name in the signature) before run it.

Boost

Answer 1

wnsoft OP

Mar ’21

Well, I found a workaround. I'll use my own signature + hash of the file, this info will be encoded in the filename and then checked after downloading. So nobody will not able to replace the file, even Apple.

0

Answer 2

DTS Engineer OP

Apple

Mar ’21

We need to check the downloaded APP bundle from a ZIP to make sure
that it's our application (valid signature and our name in the
signature) before run it.

Use the code signing API for this, and specifically SecStaticCodeCheckValidityWithErrors. That API lets you pass in a code signing requirement that it’ll check as part of its operation. If you pass in your app’s designated requirement, you can be sure that this app is both validly signed and is actually your app.

I'll use my own signature + hash of the file, this info will be
encoded in the filename and then checked after downloading.

Honestly, I think you’re better of using code signing your this. You’re already taking steps to protect your Developer ID’s private key, so there’s no point adding to that burden.

So nobody will not able to replace the file, even Apple.

You’ve misunderstood how this works. When you set up your Developer ID you create a private/public key pair and send the public key (as part of a certificate signing request) to Apple. Apple never has your private key and thus can’t sign code as you.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0