Signing an app and adjusting its content afterwards (signature should remain unbroken)

Currently we are signing our application in the following way:


codesign --force --verify --verbose --sign "certificate's name" application.app/Contents/MacOS/appBinary


We are using Mac OS X 10.8 for signing since on newer systems this usage of codesign is not working anymore.

When checking the signature of the application bundle with


codesign -vvv


on OS X 10.9 or later it says: "resource envelope is obsolete (version 1 signature)". So obviously it is version 1 signed. But even if it appears to have a deprecated signature it does not cause any harm when running the app on OS X 10.9 (or later).


Now we've also tested signing on OS X 10.9 by using:


codesign --deep application.app -s "certificate's name"


When checking the signature it returns: "valid on disk" and "satisfies its Designated Requirement". And it validated all files within the bundle. So obviously this is a valid version 2 signature.


Now there is one reason we currently stick to the version 1 signing: When signing the application it inherits a certain number of frameworks. But the number of frameworks we actually deploy varies from user to user. Since only the binary within the folder "Contents/MacOS" is signed, the signature is not broken - even if frameworks are removed from or added to the application bundle.

On the other hand, a "deep signed" version 2 bundle will have a broken signature as soon as the content of the bundle (frameworks, for example) changes. Thus this kind of signature does not fit our way of software deployment.


Now there are two big questions for us:


1. Even though our way of signing the app seems to be deprecated it does not cause any harm. How likely is it that this will change within one of the upcoming versions of Mac OS X? I mean, could it be that someday Gatekeeper will refuse to accept our kind of signing?


2. Is there a way to apply a valid version 2 signing which remains unbroken also after removing or adding frameworks to the bundle afterwards? I have to admit that I don't have much hope that this will work, since Apple's "Version 2 Code signature FAQ" [https://developer.apple.com/library/content/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG300] says:

"I exclude files so I can fix my bundle after I build it.

This is no longer allowed. If you must modify your bundle, do it before signing. If you modify a signed bundle, you must re-sign it afterwards."
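The difference the post describes (a version 1 envelope that does not record frameworks versus a version 2 seal that covers nested code and therefore breaks when frameworks change) can be seen by inspecting the resource seal itself, Contents/_CodeSignature/CodeResources. The script below is an added example, not code from the original post or from Apple. It assumes the plist layout documented in TN2206 (a "files2"/"rules2" envelope for version 2 with "hash2" entries for resources and "cdhash" entries for nested code, a "files" table of SHA-1 hashes for version 1), builds a constructed toy bundle in a temporary directory with a constructed seal (placeholder cdhash values, not produced by codesign), then applies the deployment-time changes from the post and reports which sealed entries no longer match. Authoritative verification is still `codesign --verify --deep -vvv`; this only shows which files a seal of each version accounts for.

```python
"""Audit a bundle tree against its resource seal (added example; seal format per TN2206)."""
import hashlib
import os
import plistlib
import shutil
import tempfile

# Directories under Contents/ whose top-level entries a version-2 seal records as nested code.
NESTED_DIRS = ("Frameworks", "PlugIns", "XPCServices", "Helpers")
# Never part of the resource seal: the main executable, Info.plist and the seal itself.
UNSEALED = ("MacOS", "Info.plist", "_CodeSignature")
SEAL_PATH = os.path.join("Contents", "_CodeSignature", "CodeResources")


def hash_file(path, version):
    """Version 1 seals store SHA-1 ('hash'); version 2 seals store SHA-256 ('hash2')."""
    h = hashlib.sha1() if version == 1 else hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.digest()


def seal_version(seal):
    """A seal without a files2/rules2 envelope is what codesign reports as 'version 1'."""
    return 2 if "files2" in seal and "rules2" in seal else 1


def sealed_entries(seal):
    """Map sealed path -> ('hash', digest) or ('nested', cdhash) from the seal's file table."""
    table = seal["files2"] if seal_version(seal) == 2 else seal.get("files", {})
    out = {}
    for path, entry in table.items():
        if isinstance(entry, bytes):            # v1 stores the bare SHA-1 as <data>
            out[path] = ("hash", entry)
        elif "cdhash" in entry:                 # nested code is sealed by its code directory hash
            out[path] = ("nested", entry["cdhash"])
        else:
            out[path] = ("hash", entry.get("hash2", entry.get("hash")))
    return out


def disk_entries(contents, version):
    """Paths under Contents/ that a seal of the given version is expected to cover."""
    found = {}
    for name in sorted(os.listdir(contents)):
        if name in UNSEALED:
            continue
        full = os.path.join(contents, name)
        if name in NESTED_DIRS:
            if version == 2:                    # v1 envelopes did not seal nested code at all
                for item in sorted(os.listdir(full)):
                    found["%s/%s" % (name, item)] = ("nested", None)
            continue
        if os.path.isfile(full):
            found[name] = ("hash", hash_file(full, version))
            continue
        for root, _dirs, files in os.walk(full):
            for fn in files:
                p = os.path.join(root, fn)
                found[os.path.relpath(p, contents)] = ("hash", hash_file(p, version))
    return found


def audit(app, seal):
    """Report entries added, removed or modified since sealing. Nested-code cdhash values
    are not recomputed here (that needs the Mach-O parsing codesign does), so a replaced
    framework with the same name is only caught by codesign --verify --deep."""
    version = seal_version(seal)
    want = sealed_entries(seal)
    have = disk_entries(os.path.join(app, "Contents"), version)
    return {
        "version": version,
        "added": sorted(p for p in have if p not in want),
        "removed": sorted(p for p in want if p not in have),
        "modified": sorted(p for p in want if p in have and want[p][0] == "hash"
                           and want[p][1] != have[p][1]),
    }


def make_sample_bundle(root):
    """Construct a toy .app layout (placeholder bytes, not a real signed app)."""
    app = os.path.join(root, "Sample.app")
    for rel, data in {
        "Contents/MacOS/Sample": b"main executable placeholder",
        "Contents/Info.plist": b"<plist/>",
        "Contents/Resources/strings.txt": b"hello\n",
        "Contents/Frameworks/Alpha.framework/Alpha": b"alpha",
        "Contents/Frameworks/Beta.framework/Beta": b"beta",
    }.items():
        path = os.path.join(app, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return app


def make_seal(app, version):
    """Write a constructed CodeResources in the shape described by TN2206 (placeholder
    cdhash bytes and requirement strings; real seals are produced only by codesign)."""
    entries = disk_entries(os.path.join(app, "Contents"), version)
    if version == 2:
        files2 = {p: ({"cdhash": b"\x00" * 20, "requirement": 'identifier "%s"' % p.split("/")[1]}
                      if kind == "nested" else {"hash2": digest})
                  for p, (kind, digest) in entries.items()}
        seal = {"files": {}, "files2": files2, "rules": {"^Resources/": True},
                "rules2": {"^Resources/": True, "^Frameworks/": {"nested": True, "weight": 10}}}
    else:
        seal = {"files": {p: digest for p, (_k, digest) in entries.items()},
                "rules": {"^Resources/": True}}
    path = os.path.join(app, SEAL_PATH)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        plistlib.dump(seal, f)


def demo(version):
    """Seal a sample bundle, then drop one framework, add another and edit a resource."""
    root = tempfile.mkdtemp()
    try:
        app = make_sample_bundle(root)
        make_seal(app, version)
        with open(os.path.join(app, SEAL_PATH), "rb") as f:
            seal = plistlib.load(f)
        shutil.rmtree(os.path.join(app, "Contents", "Frameworks", "Beta.framework"))
        gamma = os.path.join(app, "Contents", "Frameworks", "Gamma.framework")
        os.makedirs(gamma)
        with open(os.path.join(gamma, "Gamma"), "wb") as f:
            f.write(b"gamma")
        with open(os.path.join(app, "Contents", "Resources", "strings.txt"), "ab") as f:
            f.write(b"patched\n")
        return audit(app, seal)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for v in (1, 2):
        print("version %d seal:" % v, demo(v))
```

With the version 2 seal the audit flags the added Gamma.framework, the removed Beta.framework and the edited resource; with the version 1 envelope only the edited resource shows up, because that envelope never listed the frameworks in the first place. That is exactly why the post's version 1 workflow survives framework changes while the deep-signed bundle does not, and why the only supported answer under TN2206 is to re-sign after the bundle has been modified.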

Were you ever able to figure out a solution to this issue?


We are facing a similar issue with Eclipse.

https://bugs.eclipse.org/391455


Eclipse is modifying itself at runtime. There is some initialization being performed as well as its own update mechanism. It seems that "installing" it first and modifying it afterwards is somewhat ok. However, we lose the ability to integrate with the OS X keychain.
