On Thursday September 01 2016 10:55:50 Jim Ingham wrote:
>You don't have to reboot after every attempt to sign an executable. You only
>have to reboot after making the code signing identity and, doing the little
>command line trick to get the system to accept it. That still seems
>necessary, but then once you've done that you can keep using that identity
>either till it expires or you reinstall your OS.
Restarting the taskgated also seems to do that trick. If my understanding of
the code signing doc is correct, the kernel doesn't cache new certificates
until they're used for signing, or something of the sort, and if that's correct
it doesn't seem required to reboot after creating a certificate.
>Apple goes to pretty great lengths to limit the harm a debugger can do as an
>attack vector. With SIP on, being root gives you many fewer permissions
>w.r.t. debugging than you might think, so I don't actually think this would
>help much. Suggesting people turn SIP off to use your debugger build seems
>like a bad idea to me.
Yes, that wasn't my intention. I'm still running 10.9, so turning off SIP or
not is somewhat of a nobrainer for me ^^
>> And a bonus question: has it ever been tried to sign the debugserver file
>> with the ad hoc identity ("-")?
>
>I doubt that would work.
It's a pity that there is so little information about what is and what isn't
possible with ad-hoc signing.
Anyway, why does codesign or possibly even the Security framework underlying
Keychain functionality use the HOME env. variable to determine a user's home
directory instead of using one of the available APIs to get this information?
R.
_______________________________________________
lldb-dev mailing list
lldb-dev@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/lldb-dev
