On 27 Oct 2015, at 20:27, Nima Fatemi <nima@xxxxxxxxxx> wrote:
Ian Goldberg:
On Mon, Oct 26, 2015 at 06:06:36AM -0700, Mike Perry wrote:
Essentially, codesign only touches executable binaries in the .app (see that second link for info on how the binary's segments get moved around) and also adds an SC_Info directory for codesign/DRM metadata.
Wait; does that mean that things like configuration files, plugins, etc. are *not* signed?
There's a --deep option in `codesign` for this purpose.
From the man page:
When signing a bundle, specifies that nested code content such as helpers, frameworks, and plug-ins, should be recursively signed in turn. Beware that all signing options you specify will apply, in turn, to such nested content.
Apple recommends against signing with --deep, it's designed for verification:
(Quoting the entire entry because Apple blocks Tor Exit nodes:)
Using the codesign Tool's --deep Option Correctly
When verifying signatures, add --deep to perform recursive validation of nested code. Without --deep,
validation will be shallow: it will check the immediate nested content
but not check that fully. Note that Gatekeeper always performs --deep style validation.
Note that signing with the combination --deep --force will forcibly re-sign all code in a bundle.
Mozilla have also had issues with signing with --deep: