I changed the info.plist file in Boot Camp package to make it support making USB installing drives on my Mac, but on Mac OS X Mavericks the app crashed before I signed the new file. I use the following code in terminal to sign it.
sudo codesign -fs - /Applications/Utilities/Boot\ Camp\ Assistant.app
After signing the code, the app ran successfully. The whole tutorial is here: Enable Bootcamp to install from usb for OSX 10.9
BUT I am wondering why I can sign the code so easily, without any formal certificate. I think code signature is a security feature. Only developers with certificates can sign their codes and distribute them, and Apple only allow these signed programs to run: About Code Signing I am a beginner on this topic; can someone explain the process a little bit? Does this means that hackers can sign whatever codes they want (maybe malicious ones) and run them AS LONG AS they get the password for root account?
Then I changed back to the original info.plist and wanted to remove the signature for the file that I created. How do I do this?
Thanks!
The reason is because you are signing the package with a local certificate. When Apple sign the package, it will run on any Mac, as their root certificate is trusted in the base OS.
If you transferred your locally signed package to another mac, you would find that it crashes, because it was signed with a certificate from another machine.
Hope this clears it up.
Related
I'm developing C++ program. I generate a certificate from our PKI Solution configured in our company(Microsoft). I sign my .exe using the certificate(generated). But when I make my file on the server (internet) and download it, I have the problem of displaying SmartScreen.What should I do to make my .exe works well in all computer of our company? Should I buy a certificate to sign my code? Sign my code with root certificate?
I think problem is your application has downloaded a few users and the reputation is unknown to Microsoft
P.S. And you can distribute your program in Microsoft Store
Since nokia doesn't sign symbian apps any more,is there any alternative to sign app for symbian?
may be some behind the scene hack or bypass?
symbiansigned.com and cer.opda.cn are dead, don't even mind getting developer certificates - just hack your phone, no way to do this otherwise nowadays:
https://shahbazalam781.blogspot.com/2013/04/hack-all-symbian-phones-s60v3-s60v5-s3.html
This works great, just try setting your phone Date & Time to somewhere about 2010-2012 when installing apps until it clicks. After hacking phone you won't need to do this anymore.
In case link dies:
SIMPLEST PROCEDURE: First Download 3 Files
DOWNLOAD-Norton-Symbian-Hack http://gallery.mobile9.com/f/3177996/
DOWNLOAD-Rom-Patcher-Plus-v31 http://gallery.mobile9.com/f/3178010/
DOWNLOAD-Xplore V1.58 http://gallery.mobile9.com/f/3175430/
Install “NortonSymbianHack.sisx”.
Launch it.
Go Options – Anti-Virus – Quarantine list.
Go Options – Restore. Accept prompt.
Exit application. Delete Norton from Application Manager (Symantec Symbian Hack). Also delete “C:\shared\” folder.
Install “RomPatcherPlus_3.1.sisx”.
Launch and apply patches:
Open4all for full access to file system.
Installserver for installing any unsigned applications.
(If “Installserver” has red cross, follow steps 8 to 15.) (If checked,
reboot now your phone.)
Note: Set patches to auto if needed. (Options – Add to auto)
Install X-Plore.
Open it.
Press (Menu – Tools – Configuration).
Check all (Show Hidden Files, etc.).
Open “installservers_pack.zip”.
Choose what Symbian OS you have. (List below)
Copy “installserver.exe” from the folder of your OS to “C:/sys/bin”. (No need to apply patch on RomPatcher.)
Reboot phone. Phone is now hacked.
Officially, you could of course continue using the developer certificates you might have, and if they are expired, the device time might be needed to be adjusted for the installation time.
Then also the self-signing works just as it used to. For any new certificates or signings, unfortunately there are no official help available.
You can use this app to sign Symbian apps.
The signing process is fail-able but the self-signing works perfectly.
Here's the link
I was unable to find a way how to install certificates on my iPad to a keychain using iTunes (or other tool that runs on mac os x).
I need to be able to set the group (kSecAttrAccessGroup, eg. "XKFABCDEFGH.com.mycompany.myapp") to store the certificate under. Since there is a chain of certificates, I'll be installing all of them up to the root one. Also, the last (leaf) certificate will have private part (don't know if that makes any difference).
The alternative to this is to write a small app and compile the certificates as its resources. Then I can use SecItemAdd / SecItemUpdate to write those certificates. Downside to this is that I want to install different certificate on every device, so I'll have to compile the app several different times.
Note: The app is to be a B2B, eg. not an application for public iTunes market!
Edit: I want to use the certificates ASIHTTPRequest, I do not require that those certificates are recognized by the iOS itself (unless it will collide with the ASIHTTPRequest library).
I'm working on an iOS enterprise app that relies on an Configuration Profile being put on the phone. Unfortunately, the user can "cancel" this profile, which really screws with our app.
So I was wondering if a) is it possible to prevent a configuration profile from being deleted OR
b) is there a way to check to see if a configuration profile is installed already (say, at runtime, then we can just install it again if it's not there)?
If you want the configuration profile not to be tampered with / disabled by the user, this is possible! If you're using Apple Configurator to build your .mobileconfig file in the generals tab select security as never. Be aware: once the profile is installed on the device it cannot be reverted unless you restore the device
The long story short is there is no current documented way to even programmatically call / install a configuration profile (.mobileconfig) file onto the device: so if you're thinking about checking whether the profile exists and if not to install it, it's impossible (as for available documentation thus far) - if you do find a way let me know
Note:
.mobileconfig files can only run through Safari / Mail.
This similar SO discussion may help: Installing a configuration profile on iPhone - programmatically
It is possible to check is .mobileconfig is installed.
What you need to do is:
Create CA (certificate authority) and export it as .cer.
Issue certificate using created CA and export is as well as .cer.
Using Apple Configurator app add CA .cer in the certificates area.
Mobile configuration profile will have CA .cer.
Issued certificate (on step two) add to app bundle.
Using Security framework evaluate (SecTrustEvaluate) issued
certificate on step 2.
I am developing a proof-of-concept tool for an internal research project.
We have specific needs which can only be met by running our application as a system app, like the Settings or Phone app.
Am I right in thinking that the only way to run an application under the system user (uid=1000) is by setting the following in the manifest:
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.frogdesign.desktop"
android:sharedUserId="android.uid.system" >
and signing my application with the platform certificate?
If so, for a given phone, e.g. Galaxy S, this would require us to sign using Samsung's certificate. Not going to happen, right.
So if we root the phone and stick something like cyanogenmod on it, would the required certificate be cyanogenmod's platform certificate?
Is this generally made available?
I am fairly confident that you would not be using the manufacturer's key. On my Galaxy S, the Gmail app is a system app, and you can update it from the Android Market (i.e. it's signed, if it is at all, by Google and not by Samsung).
If the phone is deodexed, you should be able to just move the app to /system/app/ (or /system/priv-app/ on newer OS versions). This requires a rooted phone, so that you can mount the system partition as writeable. This is in conjunction with your manifest settings, of course. I'm not sure if that's sufficient, since I haven't done this myself, but it's something to try.