How to obtain codesigned application certificate info
Question
I am having a tough time finding an answer to my codesigning issues.
We have an application for Mac OS written under Cocoa. Finally - we did our codesigning, but I would like to add an extra security check - within the executable itself.
My idea is to validate the fingerprint of the certificate with which the current executable is signed when it is started. If it is missing or invalid (checked against a hardcoded hash within the application) - we shut it down.
So far, I haven't been able to find out how to obtain the certificate used to codesign the executable programmatically and check its data.
Does anyone have a clue on how to do this?
Thank you very much! Martin K.
Recommended answer
Thanks, friend!
I managed to do it for 10.6 with the new functionality but the problem is I am targeting 10.5 and 10.6, at least until some time passes.
I have to throw some more time into libsecurity_codesigning soon so this can be completed for 10.5 also.
But, for people who are looking for ready solutions around here, here is what I ended up with:
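    // At file scope:
    #import <Security/Security.h>

    // The poster's own exit-code constant; the value used here is an assumption.
    #ifndef EXIT_STATUS_ON_BAD_CODE_SIGNATURE
    #define EXIT_STATUS_ON_BAD_CODE_SIGNATURE 1
    #endif

    // At startup:
    SecStaticCodeRef ref = NULL;
    // executablePath is a filesystem path, so it needs fileURLWithPath:
    // (URLWithString: would produce a URL without the file scheme)
    NSURL *url = [NSURL fileURLWithPath:[[NSBundle mainBundle] executablePath]];
    OSStatus status;

    // obtain the cert info from the executable
    status = SecStaticCodeCreateWithPath((CFURLRef)url, kSecCSDefaultFlags, &ref);
    if (ref == NULL) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);
    if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

    SecRequirementRef req = NULL;
    // this is the public SHA1 fingerprint of the cert match string
    // (value as posted; use the 40 hex digits of your own certificate's SHA-1)
    NSString *reqStr = [NSString stringWithFormat:@"%@ %@ = %@%@%@",
        @"certificate",
        @"leaf",
        @"H\"66875745923F01",
        @"F122B387B0F943",
        @"X7D981183151\""
    ];

    // create the requirement to check against
    status = SecRequirementCreateWithString((CFStringRef)reqStr, kSecCSDefaultFlags, &req);
    if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);
    if (req == NULL) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

    // validate the on-disk signature (all architectures) against the requirement
    status = SecStaticCodeCheckValidity(ref, kSecCSCheckAllArchitectures, req);
    if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

    CFRelease(ref);
    CFRelease(req);
    // LogDebug is not a system API; substitute NSLog if you have no such macro
    LogDebug(@"Code signature was checked and it seems OK");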
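
The answer above checks the signature against a hardcoded fingerprint but does not show how to read the signing certificate itself, which is what the question asks. The following is an added example, not part of the original answer: it reads the leaf certificate with SecCodeCopySigningInformation (10.6 and later) and returns its SHA-1 fingerprint. The helper name CopyLeafCertificateSHA1 is hypothetical.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Hypothetical helper (the name is an assumption of this example): returns the
// SHA-1 fingerprint of the leaf signing certificate of the running executable
// as 40 uppercase hex digits, or NULL if the code is unsigned or a lookup
// fails. The caller releases the result with CFRelease().
static CFStringRef CopyLeafCertificateSHA1(void)
{
    CFStringRef result = NULL;
    SecStaticCodeRef code = NULL;
    CFDictionaryRef info = NULL;
    CFURLRef url = CFBundleCopyExecutableURL(CFBundleGetMainBundle());
    if (url == NULL) return NULL;

    if (SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code) == noErr &&
        SecCodeCopySigningInformation(code, kSecCSSigningInformation, &info) == noErr) {
        // Certificate chain of the signature, leaf first; absent when unsigned.
        CFArrayRef certs = CFDictionaryGetValue(info, kSecCodeInfoCertificates);
        if (certs != NULL && CFArrayGetCount(certs) > 0) {
            SecCertificateRef leaf =
                (SecCertificateRef)CFArrayGetValueAtIndex(certs, 0);
            CFDataRef der = SecCertificateCopyData(leaf);
            if (der != NULL) {
                // The fingerprint is the SHA-1 of the DER-encoded certificate.
                unsigned char md[CC_SHA1_DIGEST_LENGTH];
                CC_SHA1(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), md);
                CFMutableStringRef hex = CFStringCreateMutable(NULL, 0);
                for (int i = 0; i < CC_SHA1_DIGEST_LENGTH; i++)
                    CFStringAppendFormat(hex, NULL, CFSTR("%02X"), md[i]);
                result = hex;
                CFRelease(der);
            }
        }
    }
    if (info != NULL) CFRelease(info);
    if (code != NULL) CFRelease(code);
    CFRelease(url);
    return result;
}
```

Reading the signing information does not validate the signature, so keep the SecStaticCodeCheckValidity call as the actual check and use this value only to obtain or log the fingerprint.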