On 27 Oct 2015, at 21:13, Lunar lunar@torproject.org wrote:
Mike Perry:
We want to do this for MacOSX as well. Does anyone happen to know if we can use otool in some way to remove these LC_CODE_SIGNATURE sections easily, and get the same exact binary as before signing?
I don't know if it helps in this case, but the problem can also be approached the other way around: if Tor distributes the signatures, is there a way to stick them in the binaries I just built so that the signature is valid and the bytes are the same as the ones distributed by Tor?
codesign has a -D option that produces and verifies a detached signature:
-D, --detached filename When signing, designates that a detached signature should be written to the specified file. The code being signed is not modified and need not be writable. When verifying, designates a file containing a detached signature to be used for verification. Any embedded signature in the code is ignored.
But do the GateKeeper checks use detached signatures for code with no LC_CODE_SIGNATURE? And what filename is required for the detached signature to be used to verify an executable?
Normally, I could use spctl to work out how GateKeeper might behave. But I don't have an App Store / Identified Developers signing certificate, so spctl is pretty useless. It rejects anything that doesn't have an App Store signature, so it's not reporting what GateKeeper will actually do on my system (I have App Store + Identified Developers set).
In short, we could distribute a detached signature that could be manually verified, but I can't see how to get GateKeeper to verify it automatically. So that reduces us to the current state, where we distribute detached PGP signatures next to downloads.
Tim
Tim Wilson-Brown (teor)
teor2345 at gmail dot com PGP 968F094B
teor at blah dot im OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
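
As an added illustration of the LC_CODE_SIGNATURE question raised in this thread (not code from any of the posters or from Tor), the sketch below locates the embedded-signature load command in a thin, little-endian 64-bit Mach-O and reports where the signature blob sits, which is the region a signed-versus-rebuilt comparison has to account for. The function names and the sample bytes are constructed for the example; fat binaries are not handled.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF       # thin 64-bit Mach-O (little-endian on disk)
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D

def find_code_signature(data):
    """Locate LC_CODE_SIGNATURE; return a dict, or None if the file is unsigned."""
    if len(data) < 32:
        raise ValueError("too short for mach_header_64")
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    off, end = 32, 32 + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    linkedit, sig = None, None
    for index in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize")
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            if data[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT":
                linkedit = struct.unpack_from("<2Q", data, off + 40)  # fileoff, filesize
        elif cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            sig = {"index": index, "cmd_offset": off, "dataoff": dataoff, "datasize": datasize}
        off += cmdsize
    if sig is None:
        return None
    sig_end = sig["dataoff"] + sig["datasize"]
    sig["at_eof"] = sig_end == len(data)   # signature blob is the last thing in the file
    sig["in_linkedit"] = (linkedit is not None and linkedit[0] <= sig["dataoff"]
                          and sig_end <= linkedit[0] + linkedit[1])
    return sig

def build_sample(signed=True):
    """Constructed minimal Mach-O-shaped bytes for the example (not a loadable binary)."""
    blob = b"S" * 16 if signed else b""
    seg = struct.pack("<2I16s4Q4I", LC_SEGMENT_64, 72, b"__LINKEDIT",
                      0, 0, 120 if signed else 104, 24 + len(blob), 0, 0, 0, 0)
    cmds = seg + (struct.pack("<4I", LC_CODE_SIGNATURE, 16, 144, 16) if signed else b"")
    header = struct.pack("<8I", MH_MAGIC_64, 0, 0, 2, 2 if signed else 1, len(cmds), 0, 0)
    return header + cmds + b"L" * 24 + blob

if __name__ == "__main__":
    print(find_code_signature(build_sample()))
```

The script only reports the signature's location; the load command itself also counts toward `ncmds` and `sizeofcmds` in the header, so those fields differ between a signed and an unsigned file as well.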