Disclosure: I work for AgileBits, the makers of 1Password. I am also not sure whether a GitHub issue is where I should be trying to make the following point. If this is not the right place, please point me to where I should be saying this.
The section on "What about Gatekeeper" is technically correct, but it misses a more basic point: Any user with the motivation and skill to verify a PGP signature would also be capable of checking the CN of an Apple Developer codesigning certificate. In particular,

```sh
codesign -v -d /Applications/1Password\ 6.app
```

will display the Identifier and the TeamIdentifier. That, plus Gatekeeper's insistence that the signature and certificate be valid, does everything that a PGP or DSS check would do.
If you want to duplicate Gatekeeper's check and check the signing identifier, you can do this:

```sh
codesign -vvv -R="identifier com.agilebits.onepassword4 and anchor trusted" /Applications/1Password\ 6.app
```
My contention is that anyone who is ready and able to verify a PGP signature for a download is capable of running those codesign commands, and so I am not sure what providing PGP or DSS signatures adds.
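The check described in the issue above can be scripted so that the expected identity is pinned rather than read by eye. This is an added example, not part of the original issue or of any project's code; the function names are hypothetical and `EXAMPLETEAM` is a placeholder, since the issue does not state the team identifier.

```sh
#!/bin/sh
# Added example (not from the original issue): pin the signing identity
# that `codesign -d -v` reports and fail closed on any mismatch.

# Constructed sample of `codesign -d -v` output; EXAMPLETEAM is a placeholder.
SAMPLE_OUTPUT='Identifier=com.agilebits.onepassword4
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=EXAMPLETEAM'

# Print the value of one "Key=value" line read from stdin.
codesign_field() {
    sed -n "s/^$1=//p" | head -n 1
}

# check_identity WANT_IDENTIFIER WANT_TEAM  (codesign output on stdin)
# Returns 0 on match, 1 on mismatch, 2 if a field is absent.
check_identity() {
    info=$(cat)
    got_id=$(printf '%s\n' "$info" | codesign_field Identifier)
    got_team=$(printf '%s\n' "$info" | codesign_field TeamIdentifier)
    if [ -z "$got_id" ] || [ -z "$got_team" ]; then
        echo "no Identifier/TeamIdentifier in codesign output" >&2
        return 2
    fi
    # Ad hoc signatures report "TeamIdentifier=not set" and fail here.
    if [ "$got_id" != "$1" ] || [ "$got_team" != "$2" ]; then
        echo "identity mismatch: $got_id / $got_team" >&2
        return 1
    fi
    return 0
}

# verify_app APP WANT_IDENTIFIER WANT_TEAM  (macOS only)
# Displaying fields proves nothing by itself, so validate the signature first.
verify_app() {
    codesign -v -R="identifier $2 and anchor trusted" "$1" || return 1
    # codesign writes its -d display output to stderr.
    codesign -d -v "$1" 2>&1 | check_identity "$2" "$3"
}
```

On a Mac, `verify_app` takes the bundle path followed by the expected identifier and team identifier, the latter obtained from the vendor through a separate channel.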