[vlc-devel] [PATCH] OSX codesigning - Add additional check for signed binary.

Rob Jonson rob at hobbyistsoftware.com
Wed Nov 4 13:35:46 CET 2015


Filipe,

The current script just outputs the result from the other validation rather
than exiting.

However, if you fancy figuring out how to parse the outputs and exit
appropriately, then I'm sure nobody would object. My bash skills are not up
to the job.


This is the current output I see (success on codesign, failure on spctl):

VLC.app: valid on disk
VLC.app: satisfies its Designated Requirement
[codesign] Validating spctl
VLC.app: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>assessment:authority</key>
<dict>
<key>assessment:authority:source</key>
<string>obsolete resource envelope</string>
<key>assessment:authority:weak</key>
<true/>
</dict>
<key>assessment:cserror</key>
<integer>-67003</integer>
<key>assessment:remote</key>
<true/>
<key>assessment:verdict</key>
<false/>
</dict>
</plist>


cheers,

Rob



On 3 November 2015 at 18:00, Filipe Cabecinhas <filcab at filcab.net> wrote:

> Probably codesign.sh should exit with a non-zero exit code if spctl fails.
>
>   Filipe
>
> On Tuesday, 3 November 2015, Rob Jonson <rob at hobbyistsoftware.com> wrote:
>
>> Adds a test with spctl as described here:
>>
>> https://developer.apple.com/library/mac/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-DontLinkElementID5
>> ---
>>  extras/package/macosx/codesign.sh | 2 ++
>>  1 file changed, 2 insertions(+)
>>
>> diff --git a/extras/package/macosx/codesign.sh
>> b/extras/package/macosx/codesign.sh
>> index 74a9c9d..451d3dc 100755
>> --- a/extras/package/macosx/codesign.sh
>> +++ b/extras/package/macosx/codesign.sh
>> @@ -194,5 +194,7 @@ codesign --verify -vv
>> VLC.app/Contents/Frameworks/Sparkle.framework/Versions/Cur
>>  info "Validating complete bundle"
>>  codesign --verify --deep --verbose=4 VLC.app
>>
>> +info "Testing with spctl (all assessments should be true)"
>> +spctl --assess --verbose=4 --raw --type execute VLC.app
>>
>>  info "Validation complete"
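
Review bot: the result of the added spctl --assess line is never tested, and the next context line prints "Validation complete" regardless, so a rejected bundle still ends the run looking like a success unless the script already aborts on errors, which these lines do not show. The "(all assessments should be true)" hint leaves the check to whoever reads the log. Suggest failing at this point, for example `spctl --assess --verbose=4 --raw --type execute VLC.app || exit 1`, or testing the assessment:verdict value in the --raw output before reaching "Validation complete". The same question applies to the `codesign --verify --deep --verbose=4 VLC.app` context line just above.
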
>> --
>> 2.4.9 (Apple Git-60)
>>
>>
>>


-- 





Hobbyist Software is a trading name of Hobbyist Software Limited.
Registered office 12 Fraley Rd, Bristol, BS93BS. Registered in England.
Company no:7876492
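
The exit handling discussed in this thread, as an added example that is not part of the original message or of codesign.sh: it parses the `--raw` plist for `assessment:verdict` and returns a non-zero status unless the verdict is true. The function names `spctl_verdict_ok` and `assess_bundle` are hypothetical, the rejected sample is the output quoted above (shortened and flattened), and the accepted sample is constructed.

```shell
#!/bin/sh
# Added example; not part of codesign.sh or the posted patch.

# Succeed only when the raw spctl output on stdin has
# <key>assessment:verdict</key> followed by <true/>. Other <true/> values
# and non-plist lines such as "VLC.app: rejected" are ignored.
spctl_verdict_ok() {
    awk '
        /<key>assessment:verdict<\/key>/ {
            pending = 1
            sub(/.*<key>assessment:verdict<\/key>/, "")
        }
        pending && /<true\/>/  { verdict = "true";  pending = 0 }
        pending && /<false\/>/ { verdict = "false"; pending = 0 }
        pending && /<key>/     { pending = 0 }
        END { exit (verdict == "true" ? 0 : 1) }
    '
}

# Hypothetical helper (assess_bundle is not a name from the page): run the
# command from the patch, echo its output, and fail if spctl exits non-zero
# or the verdict is not true. A missing verdict also fails (fail closed).
assess_bundle() {
    status=0
    raw=$(spctl --assess --verbose=4 --raw --type execute "$1" 2>&1) || status=$?
    printf '%s\n' "$raw"
    [ "$status" -eq 0 ] || return 1
    printf '%s\n' "$raw" | spctl_verdict_ok
}

# The rejected assessment quoted in the message, shortened and flattened.
sample_rejected() {
    cat <<'EOF'
VLC.app: rejected
<dict>
<key>assessment:authority:weak</key>
<true/>
<key>assessment:cserror</key>
<integer>-67003</integer>
<key>assessment:verdict</key>
<false/>
</dict>
EOF
}

# Constructed sample of a passing assessment.
sample_accepted() {
    printf '%s\n' '<dict>' '<key>assessment:verdict</key>' '<true/>' '</dict>'
}
```

In a signing script the call would be `assess_bundle VLC.app || exit 1`, placed before the final "Validation complete" message.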