Want to manually validate my app's bundle against code signing

I'm building a Developer ID notarized app which relies on a file within my resource folder for licensing, in such a way that I don't need to obfuscate it, but I would like to block casual users from altering it.

This seems like a perfect job for code signing. I tried running the following code to check my currently running executable's signing status, but it passes not only immediately after notarizing, but also after I alter files in my resource folder or the Info.plist.

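#include <Security/Security.h>
#include <unistd.h>

pid_t pid = getpid();
SecCodeRef code = NULL;
OSStatus is_valid = errSecCSUnsigned;  // OSStatus result; errSecSuccess (0) means valid

// Look up the code object of the running process by its pid
CFNumberRef pidnumber = CFNumberCreate(kCFAllocatorDefault, kCFNumberSInt32Type, &pid);
CFDictionaryRef piddict = CFDictionaryCreate(kCFAllocatorDefault, (const void**)&kSecGuestAttributePid, (const void**)&pidnumber, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);

if (SecCodeCopyGuestWithAttributes(NULL, piddict, kSecCSDefaultFlags, &code) == errSecSuccess) {
    // Dynamic validation of the running code
    is_valid = SecCodeCheckValidity(code, kSecCSDefaultFlags, NULL);
    CFRelease(code);
}
CFRelease(piddict);
CFRelease(pidnumber);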

However, from the command line I get the following:

% codesign --verify /Users/mike/Desktop/Test.app
/Users/mike/Desktop/Test.app: a sealed resource is missing or invalid

How can I configure things to get a fail state from SecCodeCheckValidity?

Thanks, mike

Replies

Looks like I found a workaround... rewriting the code to use SecStaticCodeCheckValidity instead does validate resources.

mike
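
The workaround described in the reply, as an added example that is not part of the original thread: it obtains the running process's code object, maps it to its on-disk static code, and validates that, which covers the sealed resources. The function name ValidateOwnBundleOnDisk and the flag choice are assumptions of this example, and it assumes compilation with ARC.

```objective-c
// Build (assumed): clang -fobjc-arc -framework Foundation -framework Security check.m
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical helper: validates the on-disk bundle of the calling process.
// Returns errSecSuccess when the signature and sealed resources are intact,
// otherwise the failing OSStatus, with details in *outError when requested.
static OSStatus ValidateOwnBundleOnDisk(NSError **outError) {
    SecCodeRef selfCode = NULL;
    SecStaticCodeRef staticCode = NULL;
    CFErrorRef cfError = NULL;

    // Code object for the calling process.
    OSStatus status = SecCodeCopySelf(kSecCSDefaultFlags, &selfCode);
    if (status == errSecSuccess) {
        // Map the running code to the bundle it was launched from on disk.
        status = SecCodeCopyStaticCode(selfCode, kSecCSDefaultFlags, &staticCode);
    }
    if (status == errSecSuccess) {
        // Static validation: checks the files on disk against the signature,
        // including resources, for every architecture and nested code.
        SecCSFlags flags = kSecCSCheckAllArchitectures | kSecCSCheckNestedCode;
        status = SecStaticCodeCheckValidityWithErrors(staticCode, flags, NULL, &cfError);
    }
    if (outError != NULL && cfError != NULL) {
        *outError = (__bridge_transfer NSError *)cfError;  // ARC takes ownership
        cfError = NULL;
    }
    if (cfError) CFRelease(cfError);
    if (staticCode) CFRelease(staticCode);
    if (selfCode) CFRelease(selfCode);
    return status;
}

int main(void) {
    @autoreleasepool {
        NSError *error = nil;
        OSStatus status = ValidateOwnBundleOnDisk(&error);
        if (status != errSecSuccess) {
            NSLog(@"Bundle validation failed (%d): %@", (int)status, error);
            return 1;
        }
        NSLog(@"Bundle signature and resources are intact");
    }
    return 0;
}
```

Passing NULL as the requirement only checks that the bundle is consistent with whatever signature it carries, so a bundle that was modified and then re-signed with a different identity would still pass. To also check who signed it, pass a SecRequirementRef created with SecRequirementCreateWithString that pins your own signing identity.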