Comments on: Developer ID Gotcha

By: Chris Suter

Chris Suter — Tue, 20 Mar 2012 06:23:59 +0000

I should have mentioned that I actually checked the source code; it’s all open source.

By: Daniel Jalkut

Daniel Jalkut — Tue, 20 Mar 2012 03:18:03 +0000

Evan – oh, that’s very interesting! And makes tons of things fall into place. The fact that the default DR is just like a placeholder for whatever the host system feels like it should be makes me understand this a lot better. Thanks!

By: Evan Schoenberg

Evan Schoenberg — Tue, 20 Mar 2012 03:13:26 +0000

I radr://10895590 last month on the failure of validation when building with xcode < 4.3. The engineering reply was:
—
"Your test app was not given an explicit Designated Requirement when it was signed. Are you using the latest, greatest version of Xcode to build it?

Your "remote" system [on which it does not validate] is using an older version of the system that does not know about Developer ID signatures, and thus can't produce the correct default DR. But that shouldn't really matter because Xcode is *supposed* to specify an explicit DR at signing time."
—
This reply has a couple great implicit statements which support both Chris's explanation and your solution:
– Xcode 4.3 specifies an explicit DR
– The DR, if not explicit, is "produced" by the verifying system, not the signing system

By: Daniel Jalkut

Daniel Jalkut — Tue, 20 Mar 2012 01:29:37 +0000

Thanks, Chris. I was a little perplexed by this, actually, because I know the certificate chain is stored in the app, but unless I’m misremembering or screwed something up during testing, I am pretty sure that removing the Developer ID CA from the keychain changed the codesign -v from DOES satisfy its designated requirement to not satisfying it.

Your explanation does make some sense though, because one of the weird things I noticed but glossed over was that on 10.6, examining the DR *only* showed anchor apple, and didn’t show the other goodies like the specific certificate requirements.

So many the SystemPolicy rules on 10.7 do something to automatically infer from the certificates, a default designated requirement? Because something was causing the “anchor apple generic” stuff to show up in the codesign examination on 10.7, when apparently (I guess), they were never properly inserted in the actual binary.

By: Chris Suter

Chris Suter — Tue, 20 Mar 2012 01:01:36 +0000

http://sutes.co.uk/2012/03/code-signing-using-new-apple-d.html

By: Chris Suter

Chris Suter — Tue, 20 Mar 2012 01:00:50 +0000

Not quite right. Entire chain is embedded in signature. It’s not a trust problem.

See .

By: Cody Krieger

Cody Krieger — Mon, 19 Mar 2012 23:24:17 +0000

Thanks for the post, that’s extremely helpful info.

By: Clark

Clark — Mon, 19 Mar 2012 22:29:56 +0000

he kindly went into more detail over Twitter

I didn’t even know it was possible to go into more detail on Twitter.