How to obtain codesigned application certificate info
Problem description
I am having a tough time finding an answer to my codesigning issues.
We have an application for Mac OS written under Cocoa. Finally - we did our codesigning, but I would like to add an extra security check - within the executable itself.
My idea is to validate the fingerprint of the certificate with which the current executable is signed when it is started. If it is missing or invalid (checked against a hardcoded hash within the application) - we shut it down.
So far, I haven't been able to obtain the certificate used to codesign the executable programmatically and check its data.
Does anyone have a clue on how to do this?
Thanks a lot! Martin K.
Recommended answer
Thanks friend!
I managed to do it for 10.6 with the new functionality, but the problem is I am targeting 10.5 and 10.6, at least until some time passes.
I have to throw some more time into libsecurity_codesigning soon so this can be completed for 10.5 also.
But, for people who are looking for ready solutions around here, here is what I ended up with:
// Requires <Security/Security.h>; link against Security.framework.
// EXIT_STATUS_ON_BAD_CODE_SIGNATURE and LogDebug are defined elsewhere in the application.
SecStaticCodeRef ref = NULL;
// executablePath is a filesystem path, so it needs a file URL (URLWithString: would not produce one)
NSURL * url = [NSURL fileURLWithPath:[[NSBundle mainBundle] executablePath]];
OSStatus status;

// obtain the cert info from the executable
status = SecStaticCodeCreateWithPath((CFURLRef)url, kSecCSDefaultFlags, &ref);
if (ref == NULL) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);
if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

SecRequirementRef req = NULL;

// this is the public SHA1 fingerprint of the cert match string
// (the pieces are joined into: certificate leaf = H"<hash>")
NSString * reqStr = [NSString stringWithFormat:@"%@ %@ = %@%@%@",
    @"certificate",
    @"leaf",
    @"H\"66875745923F01",
    @"F122B387B0F943",
    @"X7D981183151\""
    ];

// create the requirement to check against
status = SecRequirementCreateWithString((CFStringRef)reqStr, kSecCSDefaultFlags, &req);
if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);
if (req == NULL) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

// validate the on-disk signature, for every architecture, against the pinned requirement
status = SecStaticCodeCheckValidity(ref, kSecCSCheckAllArchitectures, req);
if (status != noErr) exit(EXIT_STATUS_ON_BAD_CODE_SIGNATURE);

CFRelease(ref);
CFRelease(req);

LogDebug(@"Code signature was checked and it seems OK");
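The answer above checks a pinned requirement but never reads the certificate itself, which is what the question title asks for. As an added example (not part of the original answer), the following validates the running process and returns the SHA-1 of its leaf signing certificate, the value that goes into `certificate leaf = H"..."`. The function name `LeafCertSHA1OfRunningCode` is made up for this example.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <CommonCrypto/CommonDigest.h>

// Uppercase hex SHA-1 of the leaf signing certificate of the running process,
// or nil when the process is unsigned, ad hoc signed, or fails validation.
static NSString *LeafCertSHA1OfRunningCode(void) {
    SecCodeRef me = NULL;
    SecStaticCodeRef onDisk = NULL;
    CFDictionaryRef info = NULL;
    NSMutableString *hex = nil;
    do {
        if (SecCodeCopySelf(kSecCSDefaultFlags, &me) != errSecSuccess) break;
        // Validate before reading anything: certificate data taken from a
        // broken signature proves nothing.
        if (SecCodeCheckValidity(me, kSecCSDefaultFlags, NULL) != errSecSuccess) break;
        if (SecCodeCopyStaticCode(me, kSecCSDefaultFlags, &onDisk) != errSecSuccess) break;
        if (SecCodeCopySigningInformation(onDisk, kSecCSSigningInformation, &info) != errSecSuccess) break;

        // The chain is ordered leaf first; the key is absent for ad hoc signatures.
        CFArrayRef chain = (CFArrayRef)CFDictionaryGetValue(info, kSecCodeInfoCertificates);
        if (chain == NULL || CFArrayGetCount(chain) == 0) break;
        SecCertificateRef leaf = (SecCertificateRef)CFArrayGetValueAtIndex(chain, 0);

        CFDataRef der = SecCertificateCopyData(leaf);   // DER encoding of the certificate
        if (der == NULL) break;
        unsigned char digest[CC_SHA1_DIGEST_LENGTH];
        CC_SHA1(CFDataGetBytePtr(der), (CC_LONG)CFDataGetLength(der), digest);
        CFRelease(der);

        hex = [NSMutableString stringWithCapacity:2 * CC_SHA1_DIGEST_LENGTH];
        for (size_t i = 0; i < CC_SHA1_DIGEST_LENGTH; i++)
            [hex appendFormat:@"%02X", digest[i]];
    } while (0);
    if (info) CFRelease(info);
    if (onDisk) CFRelease(onDisk);
    if (me) CFRelease(me);
    return hex;
}

int main(void) {
    @autoreleasepool {
        NSString *sha1 = LeafCertSHA1OfRunningCode();
        NSLog(@"leaf certificate SHA-1: %@", sha1 ?: @"(no valid signature)");
        return sha1 ? 0 : 1;
    }
}
```

Build with `clang -framework Foundation -framework Security` and sign the resulting binary before running it; an unsigned build takes the nil path.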