On Mar 7, 2010, at 3:12 PM, Dave Carlton wrote:

> I don't understand, what would be the point of a self-signed cert? And what
> happens when a cert expires down the road self-signed or not? I have not
> really looked at the subject so I may be showing my total ignorance.

As other people have pointed out, a self-signed cert still proves that subsequent versions of an app were all signed by the same individual. This is still useful if you want to allow version 1.0.1 access to the same Keychain items that version 1.0 did.

Two things I learned from Graham Lee while at NSConference:

If your app uses a privileged helper tool (runs as root), you can sign the app and the tool and inform launch services that they can only be used by each other: so nobody can swap in a new tool and run arbitrary code as root.

Regarding certificate expiration: currently, Apple simply ignores the expiration date. Not a great solution, but at least you won't be locked out of your software.

-- Ben
