Mac Developer: Developer ID and Gatekeeper - Apple Developer
You may have heard about Developer ID and Gatekeeper, new security features coming in Mountain Lion. Essentially, this is an implementation of codesigning designed to secure third-party applications distributed over the internet.
Using Tighten Pro, you can inspect the certificate chain of any codesigned application. Last year, on stackoverflow.com, I wrote about the differences between the code signature on your app after you sign it with Xcode vs. the signature on your app after it has been delivered by the Mac App Store.
To summarize, the certificate chain looks like this after you sign it with Xcode and submit it to Apple for approval:
[LEAF] 3rd Party Mac Developer Application: "ME"
[AUTH] Apple Worldwide Developer Relations Certification Authority
[ROOT] Apple Root CA
After approval and delivery to the customer from the Mac App Store, the certificate chain looks like this:
[LEAF] Apple Mac OS Application Signing
[AUTH] Apple Worldwide Developer Relations Certification Authority
[ROOT] Apple Root CA
Under Gatekeeper and Developer ID, an application developed by you and shipped directly to customers after codesigning should look something like this:
[LEAF] Developer ID Application: "ME"
[AUTH] Developer ID Certification Authority
[ROOT] Apple Root CA
We've already tested Tighten with self-signed certificate chains and it works correctly as long as the leaf signing certificate has been signed by an intermediate authority (3 levels). It is possible to create your own Root CA and issue your own codesigning certificates. It can be done with Apple's Certificate Assistant (Keychain Access.app), but it is tricky due to bugs in Certificate Assistant.
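As an added example (not Tighten's code, and not part of the original post), the script below reads the "Authority=" lines that "codesign -dvv" prints for a bundle, tags them [LEAF]/[AUTH]/[ROOT] as above, and reports which of the three chains described here an app carries, flagging anything not rooted in Apple Root CA. The sample codesign output embedded in it is constructed for the example.

```python
import re
import subprocess

# Chains the post lists, leaf -> intermediate -> root. The leaf entry is a regex.
WWDR = "Apple Worldwide Developer Relations Certification Authority"
KNOWN_CHAINS = {
    "Xcode-signed, submitted to the Mac App Store":
        (r"^3rd Party Mac Developer Application: ", WWDR, "Apple Root CA"),
    "Delivered by the Mac App Store":
        (r"^Apple Mac OS Application Signing$", WWDR, "Apple Root CA"),
    "Developer ID (direct distribution under Gatekeeper)":
        (r"^Developer ID Application: ", "Developer ID Certification Authority",
         "Apple Root CA"),
}

def parse_chain(codesign_output):
    """Collect the Authority= lines from `codesign -dvv` output, leaf first."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_output.splitlines()
            if line.startswith("Authority=")]

def label_chain(chain):
    """Render the chain with the [LEAF]/[AUTH]/[ROOT] tags used in the post."""
    tags = (["[LEAF]"] + ["[AUTH]"] * max(len(chain) - 2, 0)
            + (["[ROOT]"] if len(chain) > 1 else []))
    return [f"{tag} {cert}" for tag, cert in zip(tags, chain)]

def classify_chain(chain):
    """Name the chain type, or flag anything not issued under Apple Root CA."""
    if len(chain) != 3:
        return "unexpected chain length (expected leaf, intermediate, root)"
    leaf, inter, root = chain
    for name, (leaf_re, exp_inter, exp_root) in KNOWN_CHAINS.items():
        if re.search(leaf_re, leaf) and inter == exp_inter and root == exp_root:
            return name
    return "unknown issuer (self-signed or non-Apple chain)"

def inspect_app(bundle_path):
    """Classify a real bundle (macOS only); codesign prints its details on stderr."""
    proc = subprocess.run(["codesign", "-dvv", bundle_path],
                          capture_output=True, text=True)
    return classify_chain(parse_chain(proc.stderr))

# Constructed sample of `codesign -dvv` output for a Developer ID-signed app.
SAMPLE_DEVID = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Authority=Developer ID Application: ME
Authority=Developer ID Certification Authority
Authority=Apple Root CA
"""
```

Run inspect_app("/Applications/Example.app") on a Mac to check a real bundle; the parsing and classification functions work offline on captured output.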
Labels: codesigning, developerid, gatekeeper, mountain lion