Comments on: Developer ID Gotcha
http://www.red-sweater.com/blog/2390/developer-id-gotcha
Mac & Technology Writings by Daniel Jalkut
Sat, 11 Oct 2014 01:25:38 +0000

By: Chris Suter (Tue, 20 Mar 2012 06:23:59 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271264
I should have mentioned that I actually checked the source code; it’s all open source.

By: Daniel Jalkut (Tue, 20 Mar 2012 03:18:03 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271260
Evan – oh, that’s very interesting! And makes tons of things fall into place. The fact that the default DR is just like a placeholder for whatever the host system feels like it should be makes me understand this a lot better. Thanks!

By: Evan Schoenberg (Tue, 20 Mar 2012 03:13:26 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271259
I filed radr://10895590 last month on the failure of validation when building with Xcode < 4.3. The engineering reply was:

"Your test app was not given an explicit Designated Requirement when it was signed. Are you using the latest, greatest version of Xcode to build it?

Your "remote" system [on which it does not validate] is using an older version of the system that does not know about Developer ID signatures, and thus can't produce the correct default DR. But that shouldn't really matter because Xcode is *supposed* to specify an explicit DR at signing time."

This reply has a couple great implicit statements which support both Chris's explanation and your solution:
– Xcode 4.3 specifies an explicit DR
– The DR, if not explicit, is "produced" by the verifying system, not the signing system

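The distinction in the engineering reply Evan quotes (a DR written explicitly at signing time versus a default DR that the verifying system has to produce) can be checked on any signed bundle with `codesign -d -r-`. The shell script below is an added example and is not code from the post or from any of the commenters: it parses that output, classifies the DR, and shows the `codesign -r` form that embeds an explicit DR. The two marker OIDs are assumed to be the Apple Developer ID certificate extensions; the bundle path, bundle identifier and team ID are placeholders, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or its comments).
# Inspect the designated requirement (DR) that `codesign -d -r-` prints and
# decide whether the signature carries an explicit Developer ID DR or only the
# bare "anchor apple" form that an older system synthesises as its default.
#
# Assumption: these are the Apple marker OIDs present in an explicit
# Developer ID DR (Developer ID CA on certificate 1, Developer ID Application
# on the leaf). Everything else below (paths, identifier, team ID) is a
# placeholder.
DEVID_CA_OID='1.2.840.113635.100.6.2.6'
DEVID_LEAF_OID='1.2.840.113635.100.6.1.13'

# extract_dr: read `codesign -d -r- App.app` output on stdin and print only the
# text of the designated requirement (nothing if there is none).
extract_dr() {
    sed -n 's/^designated => //p' | head -n 1
}

# classify_dr DR_TEXT: print one of
#   none          no designated requirement present
#   developer-id  explicit DR that pins the Developer ID chain
#   bare-anchor   just "anchor apple" (the default an older verifier produces)
#   other         some other explicit requirement
classify_dr() {
    dr=$1
    if [ -z "$dr" ]; then
        echo none
    elif printf '%s\n' "$dr" | grep -qF "$DEVID_CA_OID" &&
         printf '%s\n' "$dr" | grep -qF "$DEVID_LEAF_OID"; then
        echo developer-id
    elif printf '%s\n' "$dr" | grep -q 'anchor apple' &&
         ! printf '%s\n' "$dr" | grep -q 'anchor apple generic'; then
        echo bare-anchor
    else
        echo other
    fi
}

# check_bundle App.app: classify a real bundle. Only works where codesign
# exists (macOS); elsewhere it says so and returns 2.
check_bundle() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo 'codesign not found; run this on macOS' >&2
        return 2
    fi
    classify_dr "$(codesign -d -r- "$1" 2>/dev/null | extract_dr)"
}

# Constructed sample outputs, shaped like `codesign -d -r-` on two builds of
# the same placeholder app: one signed by Xcode 4.3 with an explicit DR, one
# whose DR is only the default the host fell back to.
SAMPLE_EXPLICIT='designated => identifier "com.example.Foo" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = ABCDE12345'
SAMPLE_DEFAULT='designated => identifier "com.example.Foo" and anchor apple'

# To stop relying on the verifier's default, write the DR explicitly when
# signing (a leading "=" tells codesign the argument is requirement text):
#   codesign -s "Developer ID Application: <your name>" \
#     -r '=designated => identifier "com.example.Foo" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */' \
#     Foo.app
# then confirm with: codesign -d -r- Foo.app; codesign --verify --verbose Foo.app

printf 'explicit DR -> %s\n' "$(classify_dr "$(printf '%s\n' "$SAMPLE_EXPLICIT" | extract_dr)")"
printf 'default DR  -> %s\n' "$(classify_dr "$(printf '%s\n' "$SAMPLE_DEFAULT" | extract_dr)")"
```

Run `check_bundle /path/to/App.app` on the machine where validation fails: a result of `bare-anchor` or `none` is the situation the thread describes, where the binary carries no explicit DR and the host has filled in whatever it knows how to produce.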
By: Daniel Jalkut (Tue, 20 Mar 2012 01:29:37 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271258
Thanks, Chris. I was a little perplexed by this, actually, because I know the certificate chain is stored in the app, but unless I’m misremembering or screwed something up during testing, I am pretty sure that removing the Developer ID CA from the keychain changed the codesign -v from DOES satisfy its designated requirement to not satisfying it.

Your explanation does make some sense though, because one of the weird things I noticed but glossed over was that on 10.6, examining the DR *only* showed anchor apple, and didn’t show the other goodies like the specific certificate requirements.

So maybe the SystemPolicy rules on 10.7 do something to automatically infer from the certificates a default designated requirement? Because something was causing the “anchor apple generic” stuff to show up in the codesign examination on 10.7, when apparently (I guess) they were never properly inserted in the actual binary.

By: Chris Suter (Tue, 20 Mar 2012 01:01:36 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271257
http://sutes.co.uk/2012/03/code-signing-using-new-apple-d.html

By: Chris Suter (Tue, 20 Mar 2012 01:00:50 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271256
Not quite right. Entire chain is embedded in signature. It’s not a trust problem.

See .

By: Cody Krieger (Mon, 19 Mar 2012 23:24:17 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271255
Thanks for the post, that’s extremely helpful info.

By: Clark (Mon, 19 Mar 2012 22:29:56 +0000)
http://www.red-sweater.com/blog/2390/developer-id-gotcha/comment-page-1#comment-271254
“he kindly went into more detail over Twitter”

I didn’t even know it was possible to go into more detail on Twitter.
