[Vm-dev] MacOS Code Signing bundle parts

Ben Coman btc at openinworld.com
Fri Apr 19 01:06:57 UTC 2019


I just bumped into the following article...
https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-TNTAG201

and the section "Ensuring Proper Code Signatures for Nested Code"
made me remember some reports of corrupted signatures when installing
Pharo/Squeak.

Particularly interesting were...
* "Starting in macOS 10.9, the code signing tool records nested code."
* "Store ...shell... script files and other non-Mach-O executables in
your app's Contents/Resources directory. While it's possible to sign
such executables and store them in Contents/MacOS, this is not
recommended. This is because code signing uses extended attributes to
store signatures in non-Mach-O executables such as script files. If
the extended attributes are lost, the program's signature will be
broken. Many file transfer techniques do not preserve extended
attributes, nor are they preserved when uploading to the Mac App
Store."

I'm not familiar with the bundle arrangement and don't have a Mac
running to check this,
so pinging those more intimate with the MacOS bundle to advise whether
the article may impact us.

cheers -ben
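
An added example, not part of the original message or of the Pharo/Squeak build: a check for the layout the quoted guide warns about, listing executable files under Contents/MacOS that are not Mach-O and would therefore carry their signature in extended attributes. The bundle name, file names and helper functions are hypothetical, and the sample bundle is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# First four bytes of thin and universal (fat) Mach-O files, in both byte orders.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",  # 32-bit
    b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe",  # 64-bit
    b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca",  # universal
    b"\xca\xfe\xba\xbf", b"\xbf\xba\xfe\xca",  # universal, 64-bit offsets
}

def is_macho(path):
    with open(path, "rb") as fh:
        return fh.read(4) in MACHO_MAGICS

def non_macho_executables(bundle):
    """Bundle-relative paths of executable non-Mach-O files under Contents/MacOS.

    Per the quoted guide, signatures for such files live in extended
    attributes, so they are the ones at risk when a transfer drops xattrs."""
    hits = []
    for root, _dirs, files in os.walk(os.path.join(bundle, "Contents", "MacOS")):
        for name in files:
            path = os.path.join(root, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & 0o111 and not is_macho(path):
                hits.append(os.path.relpath(path, bundle))
    return sorted(hits)

def build_sample_bundle(parent):
    """Constructed sample bundle (hypothetical names), not a real Pharo/Squeak layout."""
    bundle = os.path.join(parent, "Sample.app")
    samples = {
        ("MacOS", "vm"): b"\xcf\xfa\xed\xfe" + b"\0" * 28,    # Mach-O magic only
        ("MacOS", "launch.sh"): b"#!/bin/sh\nexec ./vm\n",      # script beside the binary
        ("Resources", "helper.sh"): b"#!/bin/sh\necho ok\n",    # script where the guide wants it
    }
    for (sub, name), data in samples.items():
        os.makedirs(os.path.join(bundle, "Contents", sub), exist_ok=True)
        path = os.path.join(bundle, "Contents", sub, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, 0o755)
    return bundle

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        return non_macho_executables(build_sample_bundle(tmp))

if __name__ == "__main__":
    print(demo())
```

Pointing `non_macho_executables` at an unpacked release bundle shows which files would need to move to Contents/Resources to follow the guide's recommendation.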

