On 07.03.2010, at 22:11, Jon Steinmetz wrote:
> I believe signing with a self-signed cert would allow you to show that the
> app has not been modified since you signed it. However, that does not prevent
> someone from stripping your signature, modifying the app, and then signing it
> with their own self-signed cert. The user would be able to tell it was not
> signed with your cert if they looked but my guess is that most would not know
> the difference.

Keychain, Firewall and other services look at the signature. If an app's signature is different, they consider it a different app. So if a hacker injects a re-signed app into your Sparkle feed, the OS will notice and will ask the user to confirm access to the keychain again.

Right now, unsigned apps can still run, so this panel isn't unusual, but once the OS requires signed executables, it will be rare that an app changes signatures, so it'll creep out users (and in the ideal case warn them of tampering).

However, the immediate benefit of signed code is that, even after an update, Keychain and Firewall will not ask again, and will just recognize your app as being the same, just updated. Depending on your app and your demands regarding user-friendliness, that may already be worth it.

-- 
Uli Kusterer
Sole Janitor
http://www.the-void-software.com
