Mac - Developer ID - Code Signing - What gets signed?

3
votes

I'm using Xcode 4.6, 10.8.2.

When I codesign my Cocoa app from within Xcode, as part of the Exporting process, what actually gets codesigned? Is it just the executable?

After signing, can I safely modify files within the bundle's Resources folder?

Thanks.

[edit]

OK, thanks to the advice below, this is what I'm doing...

Add a ResourceRules.plist to the project (one for each Target if necessary)

Populate the ResourceRules.plist with a list of "Omit" key-value pairs, one for each file or directory that you don't want to code-sign. Copy the plist structure from somewhere online.

In the Target's Build Settings, under "Code Signing Resource Rules Path", add the string "ResourceRules.plist" (without quotes)

Select "Product" -> "Archive"

In the Organizer window, press "Distribute"

Choose "Export Developer ID-signed application"

Do the codesigning with your Developer ID

Open the resulting app bundle in the Finder, modify files as required

Test the app in Terminal:

codesign -vv myApp

(This will tell you if any codesigned files are missing, or have been added.)

1
xcodebundlecode-signing

1 Answers

4
votes

Is it just the executable?

The executable is actually modified to contain the codesigning information (hashes and potentially the entitlements file), but a code signature directory (_CodeSignature) is also added to the app bundle which contains hashes of all the files in your app.

After signing, can I safely modify files within the bundle's Resources folder?

No. (Well, yes, if you codesign it again afterwards.)

Or, actually, if you use a Resources file that describes which files are to be used for creating the code signature, then you can exclude certain files and then you can modify them later on and still have a valid code signature.