The Omni Group
"Use Leopard's new code signing technology to sign OmniWeb"
As per eg http://update.omnigroup.com/releasen...-r98209-Alpha/

This feature mostly doesn't work for me ... but then, I am on Tiger still, one's expectations should remain reasonable.

I don't recall seeing any ADC commentary on how to do this. I do remember seeing a long and stringent list of stipulations to be met if you wanted your CA certificate to be distributed with MacOSX.

FileMerge.app shows some difference between signed and unsigned OmniWebs. But looking at the files, it looks to me like the CA that issued the cert used to sign OmniWeb was ... Omni CA. So would some Omniscient developer care to comment on this?

Does Omni have a code signing cert signed by some well-known authority such as Thawte?

Or did Omni use a self-signed code signing cert? It's something of a flaw in the technology if this can be made to work?

Or is Omni now an Apple-certified CA?

And, since I missed it, could someone either point me at the ADC documentation for how to sign binaries etc, or provide some pointers to how it's done? I'm building J2ME MIDlet suites with Xcode that get signed with a Thawte code signing cert; but then, a MIDlet suite is mostly just a single zipfile.
 
Here's a pointer to Leopard's code signing guide.

The quick summary is that Leopard doesn't care who signs code, it just tracks whether the application's internal code-signing requirements are met: in OmniWeb's case, the requirements are that the application identifier is com.omnigroup.OmnIWeb5 and that its anchor certificate is the Omni CA. (It tracks this certificate by its checksum, not its name.)

When validating the identity of an application, Leopard just tests whether those requirements are identical to the previous requirements, and if so it considers it the same application. (At the moment, this only affects the keychain, firewall, and parental controls.) If it changes for some reason (either because the resources no longer match the signature, or because the signature was replaced with a new signature containing different requirements) then Leopard considers it a different application. (There's nothing to stop a hacker from replacing Omni's signature with their own and distributing that app with their signature—except that Leopard will notice the change and will prompt all over again for access to secured resources.)

Hope this helps!
 
Out of interest, does this mean people won't be able to modify resources such as toolbar icons, etc. anymore? (I'm not doing that myself, but I know others do).
 
They can still change those resources, but it will invalidate our signature.

I'm thinking the best way to solve that is to add support for themes, so they don't have to modify the app itself to change its icons.
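
The identity check described in the replies above (requirements compared with the previously seen ones, and a changed resource invalidating the signature), as a simplified Python model added here; it is not part of the thread and not Apple's or Omni's code. The certificate bytes, resource names, function names and the use of SHA-256 as the checksum are all assumptions made for illustration.

```python
# Simplified model of the behaviour described in the thread; every name and
# all sample data are constructed for illustration.
import hashlib
from dataclasses import dataclass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Signature:
    identifier: str   # application identifier named in the requirement
    anchor_hash: str  # anchor certificate, tracked by checksum rather than name
    seal: dict        # resource path -> digest recorded at signing time

def sign(identifier: str, anchor_cert: bytes, resources: dict) -> Signature:
    return Signature(identifier, digest(anchor_cert),
                     {path: digest(body) for path, body in resources.items()})

def requirement(sig: Signature) -> tuple:
    """The part the system remembers when the user grants access."""
    return (sig.identifier, sig.anchor_hash)

def same_application(remembered: tuple, sig: Signature, resources: dict) -> bool:
    current = {path: digest(body) for path, body in resources.items()}
    if current != sig.seal:                 # resources no longer match the signature
        return False
    return requirement(sig) == remembered   # requirements must be identical

APP_ID = "com.omnigroup.OmnIWeb5"           # identifier as written in the thread
OMNI_CA = b"constructed stand-in for the Omni CA certificate"
OTHER_CA = b"constructed stand-in for some other signer's CA"

def demo() -> dict:
    v1 = {"Resources/Reload.tiff": b"icon v1", "MacOS/OmniWeb": b"code v1"}
    v2 = {"Resources/Reload.tiff": b"icon v2", "MacOS/OmniWeb": b"code v2"}
    themed = {**v1, "Resources/Reload.tiff": b"custom icon"}
    granted = requirement(sign(APP_ID, OMNI_CA, v1))   # user approved v1 once
    return {
        "vendor update": same_application(granted, sign(APP_ID, OMNI_CA, v2), v2),
        "icon swapped": same_application(granted, sign(APP_ID, OMNI_CA, v1), themed),
        "re-signed": same_application(granted, sign(APP_ID, OTHER_CA, themed), themed),
    }

if __name__ == "__main__":
    for case, same in demo().items():
        print(f"{case}: {'same application' if same else 'different application, prompt again'}")
```

Only the vendor update keeps the remembered identity: the swapped icon breaks the seal, and the re-signed copy has a valid seal but a different anchor checksum.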
 
Quote:
Originally Posted by Ken Case
...I'm thinking the best way to solve that is to add support for themes, so they don't have to modify the app itself to change its icons.
That would be fantastic. Would that mean a few new OG created themes would come with the added support or just the ability for third party themes?
 
 

