rowanj / gitx

Fork of Pieter's nice git GUI for OS X. Includes branch/tag sidebar and various fixes. Current development focus is on removing legacy git command line usage in favour of libgit2 and objective-git.
http://rowanj.github.com/gitx

Use OS X code signing for update verification #126

Open rowanj opened 11 years ago

dak180 commented 11 years ago

@rowanj ViennaRSS/vienna-rss#94 (and the related pull requests) likely have all the info that you would need to ensure that code signing will satisfy its designated requirements (necessary to both work with passwords and be trusted by Sparkle).

rowanj commented 11 years ago

@dak180 Thanks for the link!

dak180 commented 11 years ago

@rowanj let me know if you have any questions that I can answer.

rowanj commented 11 years ago

GitX.app 0.14.74 seems to be validly signed to me...

```
$ codesign -vvv -d -r- GitX.app
Executable=/Users/rowanj/Applications/GitX.app/Contents/MacOS/GitX
Identifier=net.phere.GitX
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=4243 flags=0x0(none) hashes=204+5 location=embedded
Hash type=sha1 size=20
CDHash=9ad94bfc9315037ba4782a89efd0ffc1a4241623
Signature size=4334
Authority=3rd Party Mac Developer Application: Rowan James
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=22/01/2013 11:56:39 PM
Info.plist entries=28
Sealed Resources rules=4 files=160
designated => identifier "net.phere.GitX" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: Rowan James" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
```

Anybody still getting the unidentified developer warning from Gatekeeper on Mountain Lion?

dak180 commented 11 years ago

@rowanj seems valid to me on 10.6.

pipelineoptika commented 11 years ago

Claims to be invalid for me, on 10.8.2, producing the aforementioned "unidentified developer" warning.

rowanj commented 11 years ago

@pipelineoptika can you attach the output of `codesign -vvv -d -r- GitX.app`?

pipelineoptika commented 11 years ago

@rowanj Certainly can:

```
Executable=/Users/pipeline/Documents/GitX.app/Contents/MacOS/GitX
Identifier=net.phere.GitX
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=4243 flags=0x0(none) hashes=204+5 location=embedded
Hash type=sha1 size=20
CDHash=9ad94bfc9315037ba4782a89efd0ffc1a4241623
Signature size=4334
Authority=3rd Party Mac Developer Application: Rowan James
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=22/01/2013 11:56:39 PM
Info.plist entries=28
Sealed Resources rules=4 files=160
designated => identifier "net.phere.GitX" and anchor apple generic and certificate leaf[subject.CN] = "3rd Party Mac Developer Application: Rowan James" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */
```

pipelineoptika commented 11 years ago

@rowanj …which looks totally valid.

rowanj commented 11 years ago

I expect that it's the bundled frameworks.

dak180 commented 11 years ago

@rowanj actually, I expect that it is because you do not appear to be using a recent Apple dev cert, since it does not follow the same form as codesignrequirement.rqset.

rowanj commented 11 years ago

Six builds later, it seems that it was the wrong identity (the build server was missing the private key for the right one), and also the frameworks (MGScopeBar, Objective-Git, and Sparkle).

GitX-dev 0.14.80 seems to test okay with default Gatekeeper configuration on OS X 10.8.

```
Dantes:GitX-dev rowanj$ codesign -d -vvv -r- GitX.app/
Executable=/Volumes/GitX-dev/GitX.app/Contents/MacOS/GitX
Identifier=net.phere.GitX
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=4203 flags=0x0(none) hashes=204+3 location=embedded
Hash type=sha1 size=20
CDHash=396b7939eaea228fe874c2311c447355d42f4cc4
Signature size=8508
Authority=Developer ID Application: Rowan James
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=23/01/2013 11:38:49 PM
Info.plist entries=28
Sealed Resources rules=4 files=160
designated => anchor apple generic and identifier "net.phere.GitX" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "5SP3ZG7GCU")
```

rowanj commented 11 years ago

I'm going to keep the RSA signature in the Sparkle updates for a while yet, for anybody that's still using a build from not-that-long-ago that doesn't have a new enough version of Sparkle for it to validate updates with the code signature.
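
The two `codesign` reports in this thread differ in their leaf `Authority=` line (the 0.14.74 build that drew the Gatekeeper warning versus the 0.14.80 build that tested okay), and the frameworks also had to be signed, so a release check can key on both. The script below is an added example, not code from the thread or the GitX project; the function names and verdict words are this example's own, and `audit_bundle` assumes nested frameworks live under `Contents/Frameworks`.

```shell
#!/bin/sh
# Added example (not from the GitX project): classify the signing identity
# reported by `codesign -d -vvv` for an app bundle and its nested frameworks.

# The first "Authority=" line is the leaf certificate, i.e. the signing identity.
leaf_authority() {
    sed -n 's/^Authority=//p' | sed -n '1p'
}

# Map the leaf certificate name to a verdict (verdict words are this example's own).
classify_identity() {
    leaf=$(leaf_authority)
    case "$leaf" in
        "Developer ID Application:"*)            echo "developer-id" ;;
        "3rd Party Mac Developer Application:"*) echo "mac-app-store" ;;
        "")                                      echo "no-authority" ;;  # unsigned or ad hoc
        *)                                       echo "other" ;;
    esac
}

# Print "<verdict> <path>" for the bundle and each framework inside it.
# codesign writes its -d report to stderr, hence 2>&1.
audit_bundle() {
    for item in "$1" "$1"/Contents/Frameworks/*.framework; do
        [ -e "$item" ] || continue
        printf '%s %s\n' "$(codesign -d -vvv "$item" 2>&1 | classify_identity)" "$item"
    done
}

# Authority lines copied from the two codesign reports in this thread.
sample_0_14_74() {
    cat <<'EOF'
Authority=3rd Party Mac Developer Application: Rowan James
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
EOF
}
sample_0_14_80() {
    cat <<'EOF'
Authority=Developer ID Application: Rowan James
Authority=Developer ID Certification Authority
Authority=Apple Root CA
EOF
}

# With a bundle path as argument, audit it (requires macOS codesign).
if [ "$#" -gt 0 ]; then audit_bundle "$1"; fi
```

Run with a bundle path on a Mac, any line that is not `developer-id` marks a component to re-sign before release; `spctl --assess --type execute -vv GitX.app` then asks Gatekeeper itself for its verdict.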