On 27 Oct 2015, at 21:13, Lunar <lunar@torproject.org> wrote:

> Mike Perry:
> > We want to do this for MacOSX as well. Does anyone happen to know if we can
> > use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
> > and get the same exact binary as before signing?
>
> I don't know if it helps in the case but the problem can also be approached
> the other way around: if Tor distributes the signatures, is there a way
> to stick them in the binaries I just built so that the signature is
> valid and the bytes are the same as the ones distributed by Tor.

codesign has a -D option that produces and verifies a detached signature:

-D, --detached filename
             When signing, designates that a detached signature should be
             written to the specified file. The code being signed is not
             modified and need not be writable. When verifying, designates a
             file containing a detached signature to be used for verification.
             Any embedded signature in the code is ignored.

But do the Gatekeeper checks use detached signatures for code with no LC_CODE_SIGNATURE?
And what filename is required for the detached signature to be used to verify an executable?

Normally, I could use spctl to work out how Gatekeeper might behave. But I don't have an App Store / Identified Developers signing certificate, so spctl is pretty useless. It rejects anything that doesn't have an App Store signature, so it's not reporting what Gatekeeper will actually do on my system (I have App Store + Identified Developers set).

In short, we could distribute a detached signature that could be manually verified, but I can't see how to get Gatekeeper to verify it automatically. So that reduces us to the current state, where we distribute detached PGP signatures next to downloads.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
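To make concrete what "removing the LC_CODE_SIGNATURE section" from the quoted question actually involves, here is an added example; it is not code from this thread, from Tor or from Apple's tools. It is a small Python parser that walks the load commands of a 64-bit Mach-O image, finds LC_CODE_SIGNATURE, and strips both that command and the signature blob it points at (shrinking __LINKEDIT and sliding the remaining load commands so no other file offset moves), then compares the result with an unsigned build of the same image. The Mach-O bytes it operates on are constructed inline by `build_sample_macho` and are a toy layout, not a runnable executable; `build_sample_macho`, `describe` and the sample signature bytes are this example's own. Caveat for real binaries: codesign may also have rewritten the load-command area or realigned __LINKEDIT when it signed, and arm64 linkers emit ad-hoc signatures of their own, so the stripped output has to be compared against the unsigned build rather than assumed identical; the script refuses any image where the blob is not the trailing bytes of the file.

```python
"""Locate and strip LC_CODE_SIGNATURE from a little-endian 64-bit Mach-O image."""
import struct

MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D
HEADER_FMT = "<IiiIIIII"                    # mach_header_64 (32 bytes)
HEADER_SIZE = struct.calcsize(HEADER_FMT)
SEG64_FMT = "<II16sQQQQiiII"                # segment_command_64 (72 bytes)
LINKEDIT_DATA_FMT = "<IIII"                 # linkedit_data_command: cmd, cmdsize, dataoff, datasize
# Constructed sample blob: starts with the embedded-signature SuperBlob magic, rest is filler.
SAMPLE_SIGNATURE = b"\xfa\xde\x0c\xc0" + b"\0" * 8


def load_commands(data):
    """Yield (offset, cmd, cmdsize) for every load command following the header."""
    magic, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a little-endian 64-bit Mach-O (fat and 32-bit images not handled)")
    off = HEADER_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > HEADER_SIZE + sizeofcmds:
            raise ValueError("malformed load command at offset %d" % off)
        yield off, cmd, cmdsize
        off += cmdsize


def find_code_signature(data):
    """Return (command_offset, dataoff, datasize) for LC_CODE_SIGNATURE, or None."""
    for off, cmd, _ in load_commands(data):
        if cmd == LC_CODE_SIGNATURE:
            _, _, dataoff, datasize = struct.unpack_from(LINKEDIT_DATA_FMT, data, off)
            return off, dataoff, datasize
    return None


def describe(data):
    """Summarise the parts of the image that signing touches."""
    _, _, _, _, ncmds, sizeofcmds, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    info = {"ncmds": ncmds, "sizeofcmds": sizeofcmds, "linkedit_filesize": None,
            "code_signature": find_code_signature(data)}
    for off, cmd, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            fields = struct.unpack_from(SEG64_FMT, data, off)
            if fields[2].rstrip(b"\0") == b"__LINKEDIT":
                info["linkedit_filesize"] = fields[6]
    return info


def strip_code_signature(data):
    """Return a copy of data with the signature command and its blob removed.

    Only the common layout is handled: the blob must be the last thing in the
    file (the end of __LINKEDIT). Anything else is refused rather than guessed at.
    """
    found = find_code_signature(data)
    if found is None:
        return bytes(data)
    cmd_off, dataoff, datasize = found
    if dataoff + datasize != len(data):
        raise ValueError("code signature blob is not the trailing bytes of the file")
    out = bytearray(data[:dataoff])                       # drop the blob itself
    hdr = list(struct.unpack_from(HEADER_FMT, out, 0))
    # 1. __LINKEDIT shrinks by the blob size (filesize only; vmsize stays page-rounded).
    for off, cmd, _ in load_commands(data):
        if cmd == LC_SEGMENT_64:
            fields = list(struct.unpack_from(SEG64_FMT, data, off))
            if fields[2].rstrip(b"\0") == b"__LINKEDIT":
                fields[6] -= datasize
                struct.pack_into(SEG64_FMT, out, off, *fields)
    # 2. Slide later load commands over the removed one and zero the freed tail of the
    #    load-command area, so every other file offset in the image is unchanged.
    cmdsize = struct.unpack_from("<I", data, cmd_off + 4)[0]
    lc_end = HEADER_SIZE + hdr[5]
    out[cmd_off:lc_end] = out[cmd_off + cmdsize:lc_end] + b"\0" * cmdsize
    hdr[4] -= 1                                            # ncmds
    hdr[5] -= cmdsize                                      # sizeofcmds
    struct.pack_into(HEADER_FMT, out, 0, *hdr)
    return bytes(out)


def build_sample_macho(signed=True, signature=SAMPLE_SIGNATURE):
    """Construct a toy image (not executable): header | __LINKEDIT seg | [LC_CODE_SIGNATURE] |
    zero pad to 128 | 8 bytes of fake symbol-table data | [signature blob]."""
    linkedit_off, symtab = 128, b"SYMTAB!!"
    tail = symtab + (signature if signed else b"")
    cmds = struct.pack(SEG64_FMT, LC_SEGMENT_64, 72, b"__LINKEDIT",
                       0x100004000, 0x4000, linkedit_off, len(tail), 1, 1, 0, 0)
    if signed:
        cmds += struct.pack(LINKEDIT_DATA_FMT, LC_CODE_SIGNATURE, 16,
                            linkedit_off + len(symtab), len(signature))
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x01000007, 3, 2, 2 if signed else 1, len(cmds), 0, 0)
    image = header + cmds
    return image + b"\0" * (linkedit_off - len(image)) + tail


if __name__ == "__main__":
    signed, unsigned = build_sample_macho(True), build_sample_macho(False)
    print("signed:  ", describe(signed))
    stripped = strip_code_signature(signed)
    print("stripped:", describe(stripped))
    print("byte-identical to the unsigned build:", stripped == unsigned)
```

On the sample image the strip is exact because the sample was built the way ld lays a file out; on a real Tor Browser binary, run the same comparison against your own unsigned build and treat any difference in the load-command padding or __LINKEDIT alignment as codesign's doing, not the build's.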