开发者

Code-Signing on OS X with a Network-HSM

I've been asked to redesign our build/sign/release processes. I'm pretty happy with Windows stuff and I've identified several networked-HSM products that will do what we need. They basically integrate directly with CryptoAPI so the people doing the signing can just use signtool.exe as normal.

We currently have a separate Mac team who do their own build/sign/release. This is all working fin开发者_JAVA技巧e on a couple of Mac Minis in one of our DCs. I'd like to protect our Mac software keys as well and so I'm trying to find out how to integrate a networked-HSM into our Mac signing process.

I can't find any good information about this anywhere! So I'm hoping someone in here has done this already and can lessen my pain.

The actual questions are;

1) Can I use a HSM with the standard Mac code-signing tools? 2) Can anyone recommend a vendor/product for the above? 3) Can anyone point me towards some good documentation on Mac code signing and the inner-workings of the Mac crypto infrastructure?

Cheers

BHB


I don't believe any of the major HSM vendors (nCipher, SafeNet, etc.) have any hooks into the Mac code signing tools, nor do I believe Apple exposes any. Your best bet would be to try and determine what the code signing mechanism looks like when performed by the Mac tools and then try and duplicate it yourself manually. However, off the top of my head, I don't recall seeing that the major vendors support OSX-based HSM clients out of the box. I know that SafeNet supports Java via a custom JCE provider. If there's a PKCS#11 interface you can hook into, then you may be able to leverage OpenSSL or another similar toolkit, but it will result in some work for you.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜