Links...
 
Tighten Pro
C/C++/Cocoa tool for codesign security, Developer ID, & Mac App Store Receipt Validation

Tighten Pro - in the Mac App Store

Tighten Pro is now available in the Mac App Store. Simply click on the icon to the left to purchase directly from Apple. Or choose PKCS#7Viewer.app by clicking the image to the right.

6.30.2012
Mac Developer: These Are All The Shirts Apple Sells At The Company Store In Cupertino [Gallery] | Cult of Mac

These Are All The Shirts Apple Sells At The Company Store In Cupertino [Gallery] | Cult of Mac: "The one thing you can do, though, is visit The Company Store on campus and buy a t-shirt or other souvenirs."


I'm Mac compatible. I might be __too__ Mac compatible.

Labels: ,

By : Tighten These Are All The Shirts Apple Sells At The Company Store In Cupertino [Gallery] | Cult of Mac 0 comments

 
6.28.2012
Mac Developer: Apple - OS X Mountain Lion - It's built to keep your Mac safe.

Apple - OS X Mountain Lion - It's built to keep your Mac safe.
Gatekeeper makes it safer to download apps by protecting you from inadvertently installing malicious software on your Mac. The safest place to download apps for your Mac is the Mac App Store. Apple reviews each app before it’s accepted by the store, and if there’s ever a problem with an app, Apple can quickly remove it from the store."

User friendly description of Gatekeeper and Developer ID.

Labels: , ,

By : Tighten Apple - OS X Mountain Lion - It's built to keep your Mac safe. 0 comments

 
6.20.2012
Mac Developer: Developer ID, codesigning and designated requirements

As I previously wrote (Apple codesigning Certificates), Xcode 4.3 generates a reasonably complex designated requirement when code signing your application for Developer ID and Gatekeeper.

However, independent testing with the spctl --assess command demonstrates that kinder, simpler designated requirements (even code signed with Xcode 3.2.5) will be approved by Gatekeeper.

After reviewing the WWDC2012 DeveloperID and Gatekeeper video on iTunesU, it would appear that the function of these elaborate designated requirements are as follows:

That applications distributed through the Mac App Store and applications distributed via Developer ID which have the same bundle Identifier will be treated as the same application by the system, with respect to sandboxed files, keychain access and preferences etc.


If your application uses the Keychain, or stores critical information in Prefs, you will want to sign your code with the designated requirements generated by Xcode 4.3 (or higher).

It should be possible to generate the designated requirements with Xcode 4.3 and back-port them to Xcode 3.2.5 (in my case, my DeveloperID-distributed code is a Universal binary and includes PowerPC code which cannot be generated by LLVM 3.0).

Labels: , , , ,

By : Tighten Developer ID, codesigning and designated requirements 0 comments

 
6.15.2012
Mac Developer: SandboxedFetch

SandboxedFetch

Apple supplied sandbox XPC service sample.

Labels: , ,

By : Tighten SandboxedFetch 0 comments

 
Mac Developer: XPCKit

amazingsyco/XPCKit · GitHub: "XPC simplified for Cocoa. Deal with NS* objects instead of xpc_object_t"

If you're partitioning your application for sandboxing, check out XPCKit, which greatly simplifies the creation of XPC services using Cocoa.

NOTE: Mountain Lion includes an even slicker way to do this, but it is not backwards compatible to Lion.

Labels: , ,

By : Tighten XPCKit 0 comments

 
6.13.2012
Mac Developer: Creating your own CA and Signing Certificates

Before DeveloperID was announced, I spent considerable time creating a 3-layer self-signed codesign certificate chain for my own applications. There are bugs (at least in Keychain Access for Snow Leopard) that make creating self-signed certificates painstakingly error-prone. Mostly due to the fact that the Certificate Assistant does not remember all settings when moving backward and forwards through the wizard.

In any event, it is possible to create your own root Certificate Authority (which you can publish on your web site, ala Apple's Root CA) and your own intermediate software-signing certificate and your own leaf certificates.

Someone conversant with OpenSSL can probably get it done faster and quicker than with Certificate Assistant.

My intent in creating a self-signed certificate chain was to verify that 3rd party codesigning certificates -- and binaries signed with 3rd party certificates -- would work with Tighten Pro. And they do. As long as the signing chain has 3 certificates.

Labels: , , ,

By : Tighten Creating your own CA and Signing Certificates 0 comments

 
6.10.2012
Mac Developer: Apple codesigning Certificates

Bundle was signed with this leaf certificate:
certificate leaf[subject.CN] = "Developer ID Application: Gen Kiyooka"

NUMBER COMMON NAME
0 Developer ID Application: Gen Kiyooka
1 Developer ID Certification Authority
2 Apple Root CA
designated requirements = anchor apple generic
and identifier "com.genkiyooka.developerid"
and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
and certificate leaf[subject.OU] = MQK467HD9A)

Presumably for changes coming with Gatekeeper, Xcode 4.3 generates more elaborate designated requirements for codesigned Mac applications, depending on whether the signing certificate is a DeveloperID (internet distribution), MacDeveloper, or 3rd Party Mac Developer certificate (App Store submission).

I'm no x509 expert, but it appears that Apple has defined some certificate extensions for use in it's code signing certificates and the new designated requirements are referencing fields within the certificate extensions.

In particular, field.1.2.840.113635.100.6.1 is the prefix for constant kSecOIDAPPLE_EXTENSION_CODE_SIGNING and field.1.2.840.113635.100.6.2 is the prefix for extension constant kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER.

While these new designated requirements are certainly fancy, they are by no means required for DeveloperID codesigned applications to run under Gatekeeper. At least not the Gatekeeper simulation available under Lion.

REFERENCES:
x509 certificate extensions at stackoverflow.com
libsecurity_keychain/CertificateValues.cpp at opensource.apple.com

Labels: , ,

By : Tighten Apple codesigning Certificates 0 comments

 
Mac Developer: Brendan's blog » Top 10 DTrace scripts for Mac OS X

Brendan's blog » Top 10 DTrace scripts for Mac OS X
Top 10 DTrace scripts for Mac OS X Since version 10.5 “Leopard”, Mac OS X has had DTrace, a tool used for performance analysis and troubleshooting. It provides data for Apple’s Instruments tool, as well as a collection of command line tools that are implemented as DTrace scripts. I’m familiar with the latter as I wrote the originals for the DTraceToolkit, which Apple then customized and enhanced for Mac OS X where they are shipped by default (great!). I use them regularly to answer this question:"

SOURCE:brendan's blog
This doesn't have anything to do with codesigning, it's just a terrific article.

Labels: ,

By : Tighten Brendan's blog » Top 10 DTrace scripts for Mac OS X 0 comments

 
6.07.2012
Mac Developer: Gatekeeper vs. Leopard: an ongoing tale — Fetch

Gatekeeper vs. Leopard: an ongoing tale — Fetch

XCode 4.3 generated designated requirements for Gatekeeper and Developer ID.

[ 1] designated => (
[ 2] anchor apple generic
[ 3] and certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
[ 4] or
[ 5] anchor apple generic
[ 6] and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
[ 7] and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
[ 8] and certificate leaf[subject.OU] = some-developer-id
[ 9] ) [10] and identifier "some-bundle-id""

SOURCE: fetchsoftworks.com

Labels: , ,

By : Tighten Gatekeeper vs. Leopard: an ongoing tale — Fetch 0 comments

 
Mac Developer: Code Signing - PureDarwin

Code Signing - PureDarwin
As of Mac OS X and Darwin, a Mach-O code signature system (similar in concept to Microsoft AuthentiCode for PE binaries on Windows, and Solaris ELF signing) has been implemented. At least on Darwin, this system is not "formally" used, and no binaries are signed."

SOURCE: puredarwin.org

Labels: , ,

By : Tighten Code Signing - PureDarwin 0 comments

 
6.06.2012
Mac Developer: Fedora Linux Capitulates to Microsoft Boot Certificate CIO.com

Fedora Linux Capitulates to Microsoft Boot Certificate CIO.com
In order to get its Linux distribution to run on the next generation of secured desktop computing hardware, the Fedora Project will obtain a digital signature from Microsoft, a developer from the project announced Wednesday."
One for the Dark Lord on his dark throne. In the Land of Mordor where the Shadows lie. One Root to rule them all, One Root to find them...

Labels: ,

By : Tighten Fedora Linux Capitulates to Microsoft Boot Certificate CIO.com 0 comments

 
6.05.2012
Mac Developer: Apple’s Sandboxing Deadline Has Arrived For Mac App Store Developers | Cult of Mac

Apple’s Sandboxing Deadline Has Arrived For Mac App Store Developers | Cult of Mac: "It’s June 1st, and that means Apple’s deadline for when Mac developers need to have their apps sandboxed has come to pass. After months and months of extending the deadline to iron out technical details, all apps submitted to the Mac App Store must now obey Apple’s sandboxing requirements. All existing Mac App Store apps cannot be updated until they meet the guidelines."

Unfortunately, some of this information is just plain wrong. Apps already in the Mac App Store do not have to be sandboxed and bug fixes for them can be submitted to the store.

The sandboxing deadline applies to new application submissions.

Labels: , ,

By : Tighten Apple’s Sandboxing Deadline Has Arrived For Mac App Store Developers | Cult of Mac 0 comments

 

 

 
 
 

 Tighten    
 Generate    
 Secure    
 Inspect    
 Quarantino    
 Downloads    
 Support    
 Documentation    
 Tighten App.app    
 Tighten Pro.app    
 PKCS#7Viewer.app    
 About    
 Hire    
 Contact    
 Blogger    
 FaceBook    
 iTunes Direct Link    
 Hollywood CA    
 spctl --assess -vvv    
 spctl --master-enable    
 spctl --master-disable    
 Mac App Store Receipt Validation    
 Apple Code Signing Certificates    
 Gatekeeper Developer ID Apple    
 Xcode codesign tutorial    
 [Site Map]    
 


Copyright © 2005-2015
All Rights Reserved
Tighten Pro