indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Synchronize `Info.plist` `SMPrivilegedExecutables` with designated requirements? #93

Closed indygreg closed 9 months ago

indygreg commented 10 months ago

As part of debugging signing verification failures, it looks like the Info.plist SMPrivilegedExecutables key contains a code requirements expression which matches the designated requirements in the signed binary.

e.g. on Firefox.app's Contents/MacOS/updater.app:

        <key>SMPrivilegedExecutables</key>
        <dict>
                <key>org.mozilla.updater</key>
                <string>identifier "org.mozilla.updater" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"</string>
        </dict>

This matches the DR embedded in the CD of the Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater Mach-O binary.

We may need to synchronize these expressions. But more research is needed. Filing this issue to track.
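One way to check the consistency observed above, as an added example that is not part of this issue or of apple-platform-rs: read the `SMPrivilegedExecutables` dictionary from an `Info.plist` and compare each requirement string with the `designated =>` line that `codesign -d -r-` prints for the helper binary. The plist and the `codesign` output below are constructed samples modelled on the updater.app values quoted above.

```python
import plistlib
from typing import Dict, Optional

# Constructed Info.plist fragment modelled on the updater.app example above.
INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>SMPrivilegedExecutables</key>
    <dict>
        <key>org.mozilla.updater</key>
        <string>identifier "org.mozilla.updater" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"</string>
    </dict>
</dict>
</plist>
"""

# Constructed sample of what `codesign -d -r- <helper>` prints for the helper.
CODESIGN_OUTPUT = """Executable=/Applications/Firefox.app/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater
designated => identifier "org.mozilla.updater" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] and certificate leaf[field.1.2.840.113635.100.6.1.13] and certificate leaf[subject.OU] = "43AQ936H96"
"""


def normalize(req: str) -> str:
    """Collapse whitespace so cosmetic differences are not reported as drift."""
    return " ".join(req.split())


def privileged_requirements(plist_bytes: bytes) -> Dict[str, str]:
    """Map helper label -> normalized requirement text from SMPrivilegedExecutables."""
    info = plistlib.loads(plist_bytes)
    return {label: normalize(req) for label, req in info.get("SMPrivilegedExecutables", {}).items()}


def designated_requirement(codesign_output: str) -> Optional[str]:
    """Extract the designated requirement from `codesign -d -r-` text output."""
    for line in codesign_output.splitlines():
        if line.startswith("designated => "):
            return normalize(line[len("designated => "):])
    return None


def requirements_in_sync(plist_bytes: bytes, label: str, codesign_output: str) -> bool:
    """True only if the plist entry for `label` exists and equals the helper's DR."""
    reqs = privileged_requirements(plist_bytes)
    dr = designated_requirement(codesign_output)
    return label in reqs and dr is not None and reqs[label] == dr
```

Any mismatch (a stale Team ID in the plist, a rebuilt helper with a different identifier) shows up as `False`, which is the kind of drift the issue is asking about.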

indygreg commented 9 months ago

SMPrivilegedExecutables seems to be unrelated to code signing. https://developer.apple.com/documentation/servicemanagement/1431078-smjobbless?language=objc

Closing this issue as I think there's nothing to be done here.