Bundle was signed with this leaf certificate:
certificate leaf[subject.CN] = "Developer ID Application: Gen Kiyooka"

NUMBER COMMON NAME
0 Developer ID Application: Gen Kiyooka
1 Developer ID Certification Authority
2 Apple Root CA
designated requirements = anchor apple generic
and identifier "com.genkiyooka.developerid"
and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = MQK467HD9A)


Presumably for changes coming with Gatekeeper, Xcode 4.3 generates more elaborate designated requirements for codesigned Mac applications, depending on whether the signing certificate is a DeveloperID (internet distribution), MacDeveloper, or 3rd Party Mac Developer certificate (App Store submission).

I'm no x509 expert, but it appears that Apple has defined some certificate extensions for use in it's code signing certificates and the new designated requirements are referencing fields within the certificate extensions.

In particular, field.1.2.840.113635.100.6.1 is the prefix for constant kSecOIDAPPLE_EXTENSION_CODE_SIGNING and field.1.2.840.113635.100.6.2 is the prefix for extension constant kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER.

While these new designated requirements are certainly fancy, they are by no means required for DeveloperID codesigned applications to run under Gatekeeper. At least not the Gatekeeper simulation available under Lion.

REFERENCES:
x509 certificate extensions at stackoverflow.com
libsecurity_keychain/CertificateValues.cpp at opensource.apple.com

Labels: codesigning, developerid, gatekeeper