Index: /trunk/include/VBox/sup.h
===================================================================
--- /trunk/include/VBox/sup.h	(revision 74766)
+++ /trunk/include/VBox/sup.h	(revision 74767)
@@ -2433,4 +2433,9 @@
 extern unsigned const               g_cSUPTimestampTAs;
 
+/** Root certificates trusted by Apple code signing. */
+extern SUPTAENTRY const             g_aSUPAppleRootTAs[];
+/** Number of entries in g_cSUPAppleRootTAs. */
+extern unsigned const               g_cSUPAppleRootTAs;
+
 /** TAs we trust (the build certificate, Oracle VirtualBox). */
 extern SUPTAENTRY const             g_aSUPTrustedTAs[];
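Review bot: The doc comment on the count names the wrong symbol: it says `g_cSUPAppleRootTAs`, which is the variable being documented, where the array is meant. It should read `/** Number of entries in g_aSUPAppleRootTAs. */`, matching the array declared just above it.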
Index: /trunk/src/VBox/HostDrivers/Support/Makefile.kmk
===================================================================
--- /trunk/src/VBox/HostDrivers/Support/Makefile.kmk	(revision 74766)
+++ /trunk/src/VBox/HostDrivers/Support/Makefile.kmk	(revision 74767)
@@ -91,7 +91,9 @@
        NtRootMicrosoft7=NtRoot-MicrosoftCodeVerificationRoot-729404101f3e0ca347837fca175a8438.taf \
        TimeRootMicrosoft0=Timestamp-CopyrightC1997MicrosoftCorp-01.taf \
-       TrustedCertVBox0=Trusted-OracleCorporationVirtualBox-51ca009816fdbd80f120e015ee75823e.taf
+       TrustedCertVBox0=Trusted-OracleCorporationVirtualBox-51ca009816fdbd80f120e015ee75823e.taf \
+       AppleRoot0=AppleRoot-2bd06947947609fef46b8d2e40a6f7474d7f085e.taf \
+       AppleRoot1=AppleRoot-G2-c499136c1803c27bc0a3a00d7f72807a1c77268d.taf
 VBOX_SUP_WIN_CERT_NAMES := $(foreach cert,$(VBOX_SUP_WIN_CERTS),$(firstword $(subst =,$(SPACE) ,$(cert))))
-VBOX_PATH_SUPR3_CERTIFICATES := $(PATH_SUB_CURRENT)/win/Certificates
+VBOX_PATH_SUPR3_CERTIFICATES := $(PATH_SUB_CURRENT)/Certificates
 
 # 1=name, 2=filter, 3=buildcert?.
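Review bot: The two Apple trust anchors added to the certificate list are identified only by their file names, with nothing recording where the certificates came from or how they were checked. A comment above the `AppleRoot0=`/`AppleRoot1=` entries would let a later reviewer re-verify them, for example `# Apple roots: source <URL placeholder>; hex suffix is the certificate fingerprint (confirm which hash)`. The list and its derived variable are also still called `VBOX_SUP_WIN_CERTS` and `VBOX_SUP_WIN_CERT_NAMES`, although the directory lost its `win/` component in this hunk and the list now holds non-Windows anchors. Renaming them, or adding a comment that the name is historical, would avoid misleading readers.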
@@ -129,9 +131,10 @@
 # Generate certificate lists.
 	$(QUIET)$(APPEND) -n "$@" '' \
-               $(call VBOX_SUP_GEN_CERT_MACRO,All,%,build) \
-               $(call VBOX_SUP_GEN_CERT_MACRO,SpcRoot,SpcRoot%) \
-               $(call VBOX_SUP_GEN_CERT_MACRO,NtKernelRoot,NtRoot%) \
-               $(call VBOX_SUP_GEN_CERT_MACRO,Timestamp,TimeRoot%) \
-               $(call VBOX_SUP_GEN_CERT_MACRO,Trusted,TrustedCert%,build)
+		$(call VBOX_SUP_GEN_CERT_MACRO,All,%,build) \
+		$(call VBOX_SUP_GEN_CERT_MACRO,SpcRoot,SpcRoot%) \
+		$(call VBOX_SUP_GEN_CERT_MACRO,NtKernelRoot,NtRoot%) \
+		$(call VBOX_SUP_GEN_CERT_MACRO,Timestamp,TimeRoot%) \
+		$(call VBOX_SUP_GEN_CERT_MACRO,AppleRoot,AppleRoot%) \
+		$(call VBOX_SUP_GEN_CERT_MACRO,Trusted,TrustedCert%,build)
 
 tst: $(VBOX_SUP_WIN_CERTS_FILE)
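Review bot: The `All` list is generated with the filter `%`, so the two AppleRoot entries added to the certificate list land in the `All` array as well as in the new `AppleRoot` array. If any consumer loads the `All` array as a trust store for Windows signature verification (not visible in this diff), it would now also accept chains ending at the Apple roots. Confirm what reads that array and, if it is meant for Windows only, exclude `AppleRoot%` from it. At minimum add a comment on that line such as `# NB: 'All' matches % and therefore includes the AppleRoot anchors`.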
Index: /trunk/src/VBox/Runtime/tools/RTSignTool.cpp
===================================================================
--- /trunk/src/VBox/Runtime/tools/RTSignTool.cpp	(revision 74766)
+++ /trunk/src/VBox/Runtime/tools/RTSignTool.cpp	(revision 74767)
@@ -46,4 +46,5 @@
 # include <iprt/formats/pecoff.h>
 #endif
+#include <iprt/crypto/applecodesign.h>
 #include <iprt/crypto/digest.h>
 #include <iprt/crypto/x509.h>
@@ -1312,9 +1313,11 @@
     {
         /*
-         * If kernel signing, a valid certificate path must be anchored by the
-         * microsoft kernel signing root certificate.  The only alternative is
-         * test signing.
+         * If windows kernel signing, a valid certificate path must be anchored
+         * by the microsoft kernel signing root certificate.  The only
+         * alternative is test signing.
          */
-        if (pState->fKernel && hCertPaths != NIL_RTCRX509CERTPATHS)
+        if (   pState->fKernel
+            && hCertPaths != NIL_RTCRX509CERTPATHS
+            && pState->enmSignType == VERIFYEXESTATE::kSignType_Windows)
         {
             uint32_t cFound = 0;
@@ -1362,4 +1365,36 @@
                 RTMsgWarning("%u valid paths, expected 2", cValid);
         }
+        /*
+         * For Mac OS X signing, check for special developer ID attributes.
+         */
+        else if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX)
+        {
+            uint32_t cDevIdApp  = 0;
+            uint32_t cDevIdKext = 0;
+            for (uint32_t i = 0; i < pCert->TbsCertificate.T3.Extensions.cItems; i++)
+            {
+                PCRTCRX509EXTENSION pExt = pCert->TbsCertificate.T3.Extensions.papItems[i];
+                if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_APPLICATION_OID) == 0)
+                {
+                    cDevIdApp++;
+                    if (!pExt->Critical.fValue)
+                        rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                           "Dev ID Application certificate extension is not flagged critical");
+                }
+                else if (RTAsn1ObjId_CompareWithString(&pExt->ExtnId, RTCR_APPLE_CS_DEVID_KEXT_OID) == 0)
+                {
+                    cDevIdKext++;
+                    if (!pExt->Critical.fValue)
+                        rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                           "Dev ID kext certificate extension is not flagged critical");
+                }
+            }
+            if (cDevIdApp == 0)
+                rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                   "Certificate is missing the 'Dev ID Application' extension");
+            if (cDevIdKext == 0 && pState->fKernel)
+                rc = RTErrInfoSetF(pErrInfo, VERR_GENERAL_FAILURE,
+                                   "Certificate is missing the 'Dev ID kext' extension");
+        }
     }
 
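Review bot: The macOS Developer ID checks are attached as an `else if` to the Windows kernel-signing condition, so they are reached only because the `enmSignType == VERIFYEXESTATE::kSignType_Windows` term added in the previous hunk is false for macOS. A standalone `if (pState->enmSignType == VERIFYEXESTATE::kSignType_OSX)` would keep the two policies from depending on each other. Within the branch every failure assigns `rc` and rewrites the `pErrInfo` message, so a certificate that fails several checks reports only the last one, and `cDevIdApp`/`cDevIdKext` are only compared with zero although they are kept as counters. All failures use `VERR_GENERAL_FAILURE`, which gives callers nothing to distinguish a missing extension from a non-critical one. The enclosing function and the block opened by `{` begin outside this hunk, so which certificates reach this code cannot be confirmed from here.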
@@ -1418,5 +1453,7 @@
 }
 
-/** Worker for HandleVerifyExe. */
+/**
+ * Worker for HandleVerifyExe.
+ */
 static RTEXITCODE HandleVerifyExeWorker(VERIFYEXESTATE *pState, const char *pszFilename, PRTERRINFOSTATIC pStaticErrInfo)
 {
@@ -1546,13 +1583,10 @@
      * Populate the certificate stores according to the signing type.
      */
-#ifdef VBOX
+# ifdef VBOX
     unsigned          cSets = 0;
     struct STSTORESET aSets[6];
-#endif
-
     switch (State.enmSignType)
     {
         case VERIFYEXESTATE::kSignType_Windows:
-#ifdef VBOX
             aSets[cSets].hStore  = State.hRootStore;
             aSets[cSets].paTAs   = g_aSUPTimestampTAs;
@@ -1571,12 +1605,13 @@
             aSets[cSets].cTAs    = g_cSUPNtKernelRootTAs;
             cSets++;
-#endif
             break;
 
         case VERIFYEXESTATE::kSignType_OSX:
-            return RTMsgErrorExit(RTEXITCODE_FAILURE, "Mac OS X executable signing is not implemented.");
-    }
-
-#ifdef VBOX
+            aSets[cSets].hStore  = State.hRootStore;
+            aSets[cSets].paTAs   = g_aSUPAppleRootTAs;
+            aSets[cSets].cTAs    = g_cSUPAppleRootTAs;
+            cSets++;
+            break;
+    }
     for (unsigned i = 0; i < cSets; i++)
         for (unsigned j = 0; j < aSets[i].cTAs; j++)
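Review bot: With the `# ifdef VBOX` opened in the previous hunk now wrapping the whole `switch`, a build without `VBOX` adds no built-in anchors for either signing type, and the macOS case no longer exits with "not implemented". Verification then depends entirely on roots added elsewhere, so it is worth confirming that an empty root store makes path validation fail rather than pass. A comment at the `# ifdef` would record the intent, for example `/* Without VBOX no built-in trust anchors are added; only roots supplied elsewhere are used. */`. `aSets` stays at six entries while a new case fills it; the Windows case is only partly visible here, so `Assert(cSets <= RT_ELEMENTS(aSets));` before the loop would guard against a future overrun.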
@@ -1588,5 +1623,5 @@
                                       i, j, StaticErrInfo.szMsg);
         }
-#endif
+# endif /* VBOX */
 
     /*
