Sparkle

Adopt standard code signing in favor of DSA signing

Bug #243850 reported by Andy Matuschak on 2008-06-29

Affects		Status	Importance	Assigned to	Milestone
	Sparkle	Confirmed	Low	Unassigned

Bug Description

We should use code signing for 10.5+ applications; it's in the system, and this way, devs who already sign their apps won't have to do double duty.

Andy Matuschak (andymatuschak) on 2008-06-29

Changed in sparkle:
importance:	Undecided → Low
status:	New → Confirmed

Revision history for this message

Andy Matuschak (andymatuschak) wrote on 2008-08-17:

We should investigate the use of CDSA for 10.4 compatibility: http://developer.apple.com/security/cdsaopenssl.html

Revision history for this message

James W. Walker (jw-jwwalker) wrote on 2008-08-17:

When I looked at the code signing stuff, I didn't see any public API to verify a signature, only a command line tool. That might be less convenient for Sparkle.

Revision history for this message

Hofman (cmhofman) wrote on 2008-09-15:

I don't think a command line tool would be a problem, it's easy to run it using NSTask.

The initial reason that code signers don't have to do double work is not true, because what should be signed is the downloaded archive/disk image/package, not the bundle (an installer can be just as malicious, if not more so, than an app).

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.