CyBrian

Member Since 21 Jun 2006
Offline Last Active Jan 23 2018 06:01 PM

Topics I've Started

Is it possible to add another public key to SIP? Or an Exception?

04 August 2017 - 03:32 AM

So I’m sure this is the wrong place to post this — I’m using a real Mac (just with some non-Apple hardware), I have a valid ID for signing packages, and it seems to be more of a development-related thing in general, but I don’t know where else to put this.

Anyway, it doesn’t feel great to disable System Integrity Protection for good just because I’m using an ExpressCard USB 3 adapter on my MacBook Pro, or even just for kexts, so I was wondering if this is just the wrong approach entirely: SIP and Gatekeeper work by verifying the code signature of a bundle. If the code signature is signed or cross-signed by Apple and otherwise is valid (or if there is no signature), the system doesn’t {censored}. If the signature is there, but isn’t signed by Apple, it {censored} but not very loudly. And if there is an invalid signature, the system {censored} VERY loudly.

So my thought is that instead of whitelisting or disabling signature verification, why can’t I whitelist my own certificate and sign things I install? This is how I sideload open source apps to my iOS device, but it works because a developer can sideload apps they sign. But can’t I add a different key to the valid list? Where is it? Surely someone else thought of this a while ago, so why isn’t it a thing?