requirements: correctly interpret apple cert requirements #39
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- certs signed with a "developer id application" CA add a requirement for a signature by such a CA, a requirement for the leaf cert to have a "developer id application" extension (which we only add if the leaf cert in use does indeed have that extension), and bind the OU found the leaf cert - certs signed with a "worldwide developer relations" CA (i.e., developer certificates) add a requirement for that CA extension, and bind the CN rather than the OU from the leaf cert
jkt-signal
force-pushed
the
requirements
branch
from
509ba56 to
f7ad9ce
Compare
|
I thought I remember seeing that apple is not using requirements anymore in favor or launch constraints ? Have you looked into that at all? |
|
I am only vaguely aware of launch constraints, but designated requirements definitely exist in the applications we're signing with the official tooling today (and they don't have launch constraints). |
|
No worries, just thought I might get another great PR out of you for them if I asked ;) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change makes the inference of Designated Requirements from an Apple code-signing certificate chain more closely match the official Apple
codesigntool:certs signed with a "developer id application" CA add a requirement for a signature by such a CA, a requirement for the leaf cert to have a "developer id application" extension (which we only add if the leaf cert in use does indeed have that extension), and bind the OU found the leaf cert
certs signed with a "worldwide developer relations" CA (i.e., developer certificates) add a requirement for that CA extension, and bind the CN rather than the OU from the leaf cert
This is important because two binaries must have identical Designated Requirements in order to be considered the same application by macOS.