#81 Code sign the Radmind tools for Mac OS X

closed
nobody
UNIX (32)
5
2008-07-22
2008-06-27
Jaharmi
No

- Summary
Provide a descriptive summary of the issue.
- Sign the Radmind tools for use with Mac OS X Leopard's code
signing facility.
- Steps to reproduce
In numbered format, detail the exact steps taken to produce the
bug.
- n/a
- Expected results
Describe what you expected to happen when you executed the steps
above.
- The Radmind command line tools are signed. Especially in light of
their potential use as a security tool, they should be so that
their signatures can be verified against some code signing CA
that administrators can choose to trust (or not).
- Actual results
Please explain what actually occurred when steps above are
executed.
- The current tools, as of 1.11.0, at least, are not signed.
- $ fsdiff -V
1.11.0
sha1
sha
md5
md2
dss1
mdc2
ripemd160
- $ codesign -v /usr/local/bin/{fsdiff,ktcheck,lapply}
/usr/local/bin/fsdiff: code object is not signed
/usr/local/bin/ktcheck: code object is not signed
/usr/local/bin/lapply: code object is not signed
- $ codesign -v /usr/local/sbin/radmind
/usr/local/sbin/radmind: code object is not signed
- Regression
Describe circumstances where the problem occurs or does not
occur, such as software versions and/or hardware configurations.
- n/a
- Notes
Provide additional information, such as references to related
problems, workarounds and relevant attachments.
- Code signing is a new facility in Leopard. It can reportedly be
used with both command line tools and with bundled GUI
applications. Assuming that is true, both the command line tools
and Mac OS X-specific GUI applications should be signed.
- As far as I'm concerned, as long as the signing authority can be
trusted, the applications can be signed by a self-signed CA. This
is allowed by Apple's code signing tools and infrastructure.
- If the code signing CA is an intermediate one that can be traced
back to a root CA (even another self-signed one) in larger use,
that's fine, too.
- System configuration
Include the current system configuration of each computer that
experienced the problem.
- n/a

Discussion

  • Patrick McNeal
    Patrick McNeal
    2008-07-07

    • labels: --> UNIX
    • status: open --> pending
     
  • Patrick McNeal
    Patrick McNeal
    2008-07-07

    Logged In: YES
    user_id=1296576
    Originator: NO

    Do you know of any other open source projects that are signing their code?

     
    • status: pending --> closed
     
  • Logged In: YES
    user_id=1312539
    Originator: NO

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).

     
  • Jaharmi
    Jaharmi
    2009-05-15

    I recently came across an open source Twitter client that does. It's called Canary, and it's at:

    <http://www.canaryapp.com/>

    Note that code signing can be done with a self-signed identity; it does not require chaining to a commercial authority. I believe we would just want to make the public identity public.