如何证明iOS应用程序的起源？ [英] How to prove the origin of an iOS App?

问题描述

我有一个开源的iOS项目，在github上有公共来源。我已经使用我的开发者帐户在App Store上发布了该应用程序。

I have an open source iOS project with public sources on github. I have published the app on the App Store using my developer account.

有没有办法证明用户发布的应用程序事实上已经编译github上的来源？

Is there a way for me to prove to the user that the published app in fact has been compiled from the sources on github?

EDIT

对于数学（或加密，如果你喜欢）证明应用程序二进制文件源自公开可用的源代码，而不是一种免责声明。免责声明可以声明任何东西，但不能证明任何东西。

To clarify: I am in search for a mathematical (or cryptographic, if you like) proof that the app binary originates in a publicly available source code, rather than a sort of disclaimer. A disclaimer can claim anything but does not prove anything.

例如通过代码签名的应用程序包我向苹果证明，应用程序的创建者和注册到苹果的开发人员是同一个人。我的问题是是否存在类似的机制向用户证明二进制文件的来源和公共来源是相同的。

E.g. by code signing the app package I prove to apple that the creator of the app and the developer registered with apple are one and the same person. My question is whether there exists a similar mechanism to prove to the user that the origin of the binary and the public source are identical.

推荐答案

p>对于iOS有额外的复杂性。提交应用程序的一部分是代码签名，代码签名过程涉及更改Mach-O头，加载命令和LINKEDIT段。
您可以通过在代码签名的代码目录结构中提交代码散列来增加信任（但仍然不能证明）但是AppStore中的应用程序是由Apple重新签名的，因此无论你做什么，一些代码散列都会改变。

For iOS there are additional complications. Part of submitting your app is codesigning it, and the codesigning process involves changing the Mach-O header, the load commands, and the LINKEDIT segment. You could probably increase trust (but still not prove) by submitting the code-hashes in the code-signed code-directory structure; BUT the app in AppStore is re-signed by Apple and thus some of the code-hashes will have changed no matter what you do.

这篇关于如何证明iOS应用程序的起源？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！