sassoftware / relic

Relic is a service and a tool for adding digital signatures to operating system packages for Linux and Windows
Apache License 2.0

Mach-O signing problem with pkcs12 #40

Open turalf opened 5 months ago

turalf commented 5 months ago

The signing configuration I used is this:

keys:
  devid:
    token: file
    keyfile: <path to p12 file>
    timestamp: true
    ispkcs12: true

tokens:
  file:
    type: file
timestamp:
  urls:
    - http://timestamp.apple.com/ts01

And this is the command:

relic sign -k devid -f <Mach-O binary> --hardened-runtime --config ./relic.yml

Signing succeeds, but when I verify with relic I get this:

> relic verify ./<Mach-O binary>
./<Mach-O binary> ERROR: validating timestamp: x509: “Timestamp Signer NWK1” certificate is not permitted for this usage
ERROR: 1 or more files did not validate

Verifying with codesign also fails:

> codesign -vvv ./macnotary
./<Mach-O binary>: CSSMERR_TP_NOT_TRUSTED
In architecture: x86_64

The relic version I have used:

relic version v7.6.2 (h1:rS44Lbv9G9eXsukknS4mSjIAuuX+lMq/FnStgmZlUv4=)

The host I ran this on is: 14.2.1 (23C71) - macOS Sonoma

Is this a bug, or is there a problem in the process I followed?
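The verify error above names a certificate and says it "is not permitted for this usage". One common reason a verifier rejects a certificate for a usage is that the usage being checked is not among the certificate's Extended Key Usages (EKUs); a timestamp signer, for instance, normally carries only id-kp-timeStamping. The example below is added here and is not code from relic or from the issue author: it uses Go's own crypto/x509 verifier (relic is written in Go) to show a constructed timestamp-signer leaf validating when the verifier asks for the timeStamping EKU and being rejected as an incompatible usage when the verifier falls back to its default EKU. The CA, leaf, key material and names are all constructed for the example and are not Apple's or relic's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newChain builds a throw-away CA and a leaf that carries only the Extended
// Key Usages given. Both certificates are constructed for this example; they
// are not Apple's, relic's, or any real timestamp authority's.
func newChain(leafEKUs []x509.ExtKeyUsage) (root, leaf *x509.Certificate, err error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TSA Root (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "Timestamp Signer (constructed)"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  leafEKUs, // the only usages this leaf is allowed to serve
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return root, leaf, err
}

// verifyFor runs Go's own chain verifier requiring the given EKUs.
// Passing none makes Go fall back to its default, ExtKeyUsageServerAuth.
func verifyFor(root, leaf *x509.Certificate, usages ...x509.ExtKeyUsage) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: usages})
	return err
}

// IsUsageRejection reports whether err is the verifier refusing the
// certificate because its EKUs do not cover the requested usage.
func IsUsageRejection(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.IncompatibleUsage
}

// CheckTimestampSigner reports whether a leaf carrying only id-kp-timeStamping
// (a) validates when the verifier asks for that EKU and (b) is rejected as an
// incompatible usage when the verifier is left on its default EKU.
func CheckTimestampSigner() (acceptedForTimestamping, rejectedByDefault bool, err error) {
	root, leaf, err := newChain([]x509.ExtKeyUsage{x509.ExtKeyUsageTimeStamping})
	if err != nil {
		return false, false, err
	}
	acceptedForTimestamping = verifyFor(root, leaf, x509.ExtKeyUsageTimeStamping) == nil
	rejectedByDefault = IsUsageRejection(verifyFor(root, leaf))
	return acceptedForTimestamping, rejectedByDefault, nil
}

func main() {
	ok, rejected, err := CheckTimestampSigner()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted for timestamping: %v\nrejected under default EKU: %v\n", ok, rejected)
}
```

When diagnosing a "not permitted for this usage" rejection, the two things to compare are the EKU list actually present in the signer certificate (for a timestamp token, id-kp-timeStamping) and the EKU the verifying policy demands; the example is the reduced form of that comparison with Go's verifier standing in for whichever verifier produced the message.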