[Adium-devl] Out of process plugins (was: Distant objects)
Joe Ranieri
joe at sirg3.com
Fri May 4 13:52:49 UTC 2007
> Digitally sign the bundle's executable with a key held by the
> developer. Store the signature in the bundle's plist or another
> file next to the executable, or something. Have Adium keep a list
> of acceptable keys. When a connection is made, authentication can
> be made by checking the signature on the bundle. If the bundle is
> not signed, or the signature fails, prompt the user.
>
> A bit of trouble, but this method is secure. Granted, one could
> change out the keys that their Adium uses, but they can't do so on
> the copy of Adium which we distribute.
Since there's no way to get a connection's pid/ProcessSerialNumber/etc.,
how would you verify that the executable passed to the
authentication method really is the one that's connecting?
-- Joe Ranieri
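
The question above, as an added example that is not part of the original thread or of Adium's code: a toy model of the quoted sign-and-verify proposal, showing that the check validates whatever bundle is presented, not the process that connects. It assumes textbook RSA with a constructed, insecure key and no padding; all names are hypothetical.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes; insecure, illustration only.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # developer's private exponent (Python 3.8+)

TRUSTED_KEYS = {(N, E)}                # hypothetical "list of acceptable keys" in the host


def digest(executable: bytes, n: int) -> int:
    """SHA-256 of the executable, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(executable).digest(), "big") % n


def sign(executable: bytes) -> int:
    """Developer side: sign the executable's digest (textbook RSA, no padding)."""
    return pow(digest(executable, N), D, N)


def check_bundle(executable: bytes, signature, key) -> str:
    """Host side, per the quoted proposal: accept a valid signature, otherwise prompt."""
    if signature is None or key not in TRUSTED_KEYS:
        return "prompt"
    n, e = key
    return "accept" if pow(signature, e, n) == digest(executable, n) else "prompt"


def authenticate(claim: dict) -> str:
    """The host sees only what the peer presents. With no pid or
    ProcessSerialNumber for the connection, nothing here ties the
    presented bundle to the process on the other end."""
    return check_bundle(claim["executable"], claim.get("signature"), claim["key"])


plugin = b"constructed plugin executable bytes"
genuine = {"executable": plugin, "signature": sign(plugin), "key": (N, E)}
tampered = {"executable": plugin + b"!", "signature": genuine["signature"], "key": (N, E)}
unsigned = {"executable": plugin, "key": (N, E)}
unknown_key = {"executable": plugin, "signature": sign(plugin), "key": (N, 3)}
# A different process presenting the genuine bundle: indistinguishable to the host.
other_process = dict(genuine)

if __name__ == "__main__":
    for name in ("genuine", "tampered", "unsigned", "unknown_key", "other_process"):
        print(f"{name:14s} -> {authenticate(globals()[name])}")
```

The signature check catches modified or unsigned bundles, but `other_process` is accepted because the host has no channel-level identity to compare against the bundle it verified.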