Bundle was signed with this leaf certificate:
certificate leaf[subject.CN] = "Developer ID Application: Gen Kiyooka"

NUMBER  COMMON NAME
0       Developer ID Application: Gen Kiyooka
1       Developer ID Certification Authority
2       Apple Root CA

designated requirements = anchor apple generic
    and identifier "com.genkiyooka.developerid"
    and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */
        or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */
        and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */
        and certificate leaf[subject.OU] = MQK467HD9A)
Presumably in preparation for Gatekeeper, Xcode 4.3 generates more elaborate designated requirements for code-signed Mac applications, and the requirement it generates depends on whether the signing certificate is a Developer ID certificate (for distribution outside the App Store), a Mac Developer certificate, or a 3rd Party Mac Developer certificate (for App Store submission).
I'm no X.509 expert, but it appears that Apple has defined some certificate extensions for use in its code-signing certificates, and the new designated requirements reference fields within those certificate extensions: each field.<OID> test simply asks whether the named certificate in the chain carries an extension with that OID, and the /* exists */ comment is the requirement compiler's way of saying that only presence is checked, not the extension's value.
In particular, field.1.2.840.113635.100.6.1 is the prefix for the constant kSecOIDAPPLE_EXTENSION_CODE_SIGNING (the marker extensions on leaf certificates, e.g. .1.9 for Mac App Store applications and .1.13 for Developer ID applications), and field.1.2.840.113635.100.6.2 is the prefix for the extension constant kSecOIDAPPLE_EXTENSION_INTERMEDIATE_MARKER (the marker extensions on Apple's intermediate CAs, e.g. .2.6 for the Developer ID Certification Authority). Both constants are declared in Security/SecCertificateOIDs.h.
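To make the requirement above concrete, here is a small evaluator for the subset of Apple's requirement language it uses, run against a constructed certificate chain. This is an added example, not the post's own code and not Apple's implementation: the chain is modelled as a list of dicts (leaf first) holding only the CN, OU and the set of extension OIDs, the "anchor apple generic" test is approximated by checking the root's CN instead of Apple's real root-hash check, and the OID meanings are taken from SecCertificateOIDs.h. The one thing the real grammar and this toy share that matters for security is operator precedence: "and" binds tighter than "or", which is why the parentheses Xcode emits are what keep the anchor and identifier tests applying to both the App Store and the Developer ID alternatives.

```python
import re

# Apple's extension-marker OIDs used below (values from SecCertificateOIDs.h).
OID_DEVID_APP_LEAF = "1.2.840.113635.100.6.1.13"  # Developer ID Application (leaf)
OID_DEVID_CA = "1.2.840.113635.100.6.2.6"         # Developer ID Certification Authority
OID_MAS_APP_LEAF = "1.2.840.113635.100.6.1.9"     # Mac App Store application (leaf)

# The designated requirement from the post, joined onto one line.
DEVID_REQUIREMENT = " ".join([
    'anchor apple generic',
    'and identifier "com.genkiyooka.developerid"',
    'and (certificate leaf[field.%s] /* exists */' % OID_MAS_APP_LEAF,
    'or certificate 1[field.%s] /* exists */' % OID_DEVID_CA,
    'and certificate leaf[field.%s] /* exists */' % OID_DEVID_APP_LEAF,
    'and certificate leaf[subject.OU] = MQK467HD9A)',
])

# Constructed sample chain, leaf first, reduced to the fields the evaluator reads.
DEVID_CHAIN = [
    {"cn": "Developer ID Application: Gen Kiyooka", "ou": "MQK467HD9A", "extensions": {OID_DEVID_APP_LEAF}},
    {"cn": "Developer ID Certification Authority", "ou": "", "extensions": {OID_DEVID_CA}},
    {"cn": "Apple Root CA", "ou": "", "extensions": set()},
]


def tokenize(text):
    """Drop /* */ comments, then split into quoted strings, parens, '=' and words."""
    text = re.sub(r"/\*.*?\*/", "", text)
    return re.findall(r'"[^"]*"|[()=]|[^\s()=]+', text)


class Requirement:
    """Recursive-descent evaluator for the subset of the requirement language
    used above; 'and' binds tighter than 'or', as in Apple's grammar."""

    def __init__(self, text):
        self.tokens, self.pos = tokenize(text), 0

    def take(self):
        self.pos += 1
        return self.tokens[self.pos - 1]

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def evaluate(self, chain, identifier):
        self.pos = 0
        result = self.expr(chain, identifier)
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % self.tokens[self.pos:])
        return result

    def expr(self, chain, ident):  # expr := term ('or' term)*
        result = self.term(chain, ident)
        while self.peek() == "or":
            self.take()
            result = self.term(chain, ident) or result  # always consume the operand
        return result

    def term(self, chain, ident):  # term := factor ('and' factor)*
        result = self.factor(chain, ident)
        while self.peek() == "and":
            self.take()
            result = self.factor(chain, ident) and result
        return result

    def factor(self, chain, ident):
        tok = self.take()
        if tok == "(":
            result = self.expr(chain, ident)
            if self.take() != ")":
                raise ValueError("expected ')'")
            return result
        if tok == "anchor" and self.take() == "apple" and self.take() == "generic":
            return chain[-1]["cn"] == "Apple Root CA"  # stand-in for Apple's root check
        if tok == "identifier":
            return self.take().strip('"') == ident
        if tok == "certificate":
            return self.certificate_test(chain)
        raise ValueError("unsupported construct at %r" % tok)

    def certificate_test(self, chain):
        """certificate <slot>[field.OID]  or  certificate <slot>[subject.OU] = value"""
        slot, key = re.fullmatch(r"(leaf|\d+)\[([^\]]+)\]", self.take()).groups()
        index = 0 if slot == "leaf" else int(slot)
        if index >= len(chain):  # selector past the end of the chain never matches
            return False
        cert = chain[index]
        if key.startswith("field."):
            return key[len("field."):] in cert["extensions"]
        if key == "subject.OU" and self.take() == "=":
            return cert["ou"] == self.take().strip('"')
        raise ValueError("unsupported certificate test %r" % key)


def satisfies(requirement_text, chain, identifier):
    return Requirement(requirement_text).evaluate(chain, identifier)
```

With the sample chain and identifier, satisfies() returns True; change the team ID in the leaf's OU or the bundle identifier and it returns False. Strip the parentheses from DEVID_REQUIREMENT and the same chain passes with a wrong identifier, because the second "or" branch no longer includes the anchor and identifier tests. On a real Mac the requirement is dumped with codesign -d -r - /path/to/App.app and evaluated by codesign --verify --verbose; openssl x509 -noout -text on an exported certificate shows the Apple marker extensions by their raw OIDs, since OpenSSL has no names for them.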
While these new designated requirements are certainly fancy, they are by no means required for Developer ID code-signed applications to run under Gatekeeper, at least not under the Gatekeeper simulation available on Lion.
x509 certificate extensions
Labels: codesigning, developerid, gatekeeper