使用自签名证书对OS X应用程序进行代码签名的含义是什么? [英] What are the implications of codesigning an OS X application with a self-signed certificate?
问题描述
Apple似乎将某些OS X API(例如沙箱)限制为由受信任的证书(例如,受信任的证书)进行代码签名的应用程序.一份发给付费Mac Developer计划的成员.
Apple seems to restrict some OS X APIs (e.g. sandboxing) to applications that are codesigned by a trusted certificate, e.g. one issued to members of the paid Mac Developer program.
OS X如何处理使用自签名(或开发)证书进行代码签名的应用程序?
How does OS X treat applications that are codesigned with a self-signed (or a development) certificate?
- 这些功能/API是否可用,唯一的区别是具有默认Gatekeeper设置的用户不能(轻松)启动这样的应用程序吗?
- 是否会在所有方面将它们像未签名的应用一样对待(禁用权利和沙箱,向Gatekeeper用户发出警告)?
- 还是将自签名证书视为错误,并且无论用户的Gatekeeper设置如何,该应用程序都将无法启动?
推荐答案
AFAIK,未使用Gatekeeper接受的证书进行代码签名的应用程序,将被视为未签名.我不知道如何访问特定功能和API.
AFAIK, apps that aren't code-signed with a certificate that Gatekeeper accepts, would be treated as unsigned. I don't know about access to specific features and API.
但是您可以使关守接受您的自签名证书.如果您使用非Apple发行的证书对代码进行签名,则每台要以签名方式运行该代码的计算机都必须(a)安装证书,并且(b)通过
But you can make your self-signed cert acceptable to the Gatekeeper. If you sign your code using certificates that weren't issued by Apple, every machine you want to run that code as signed, would have to (a) have your certificate installed, and (b) have policies set via spctl command that tell the Gatekeeper to allow executing and/or installing code signed by that cert. This part has been tested and verified on Mavericks.
使用内核扩展更加困难.我还在努力. :-)
It is more difficult with kernel extensions. I'm still working on that. :-)
这篇关于使用自签名证书对OS X应用程序进行代码签名的含义是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
