
Verify Xcode.app and component packages signature or developer

Open kenchan0130 opened this issue 5 years ago • 3 comments

Currently, this tool does not verify the signatures of Xcode.app and the component packages.

The install subcommand can use the --url option.

I think that it is better to consider the possibility that the specified dmg is an application that mimics Xcode. Especially in the case of a pkg, it may be a virus.

Fortunately, Apple has signed them all.

kenchan0130, Aug 11 '18 15:08

This is great, we already verify if there is a signature with https://github.com/KrauseFx/xcode-install/blob/0f9636d8f718302dc86271c1fff395df34db4bd3/lib/xcode/install.rb#L452, but doing more is a great idea 👍

KrauseFx, Aug 16 '18 18:08

Thank you for your response. I'll try to look into implementing them!

kenchan0130, Aug 18 '18 13:08

I added a patch (https://github.com/KrauseFx/xcode-install/pull/312). And I will try to check the signatures of the component packages too.

kenchan0130, Oct 28 '18 10:10
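
What checking the developer, rather than only the presence of a signature, could look like in Ruby. This is an added example, not xcode-install's code and not the patch in the linked pull request. The helper names, the sample `codesign` output and the team identifiers `TEAMID1234` / `ABCDE12345` are constructed placeholders; the caller supplies the expected values taken from a known-good Xcode.

```ruby
require 'open3'

# Constructed samples of `codesign -dv --verbose=4` output; team IDs are placeholders.
GENUINE = <<~OUT
  Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
  Identifier=com.apple.dt.Xcode
  Authority=Software Signing
  Authority=Apple Code Signing Certification Authority
  Authority=Apple Root CA
  TeamIdentifier=TEAMID1234
OUT
# A look-alike signed with some other valid Developer ID still chains to Apple's root.
LOOKALIKE = <<~OUT
  Identifier=com.apple.dt.Xcode
  Authority=Developer ID Application: Example Corp (ABCDE12345)
  Authority=Developer ID Certification Authority
  Authority=Apple Root CA
  TeamIdentifier=ABCDE12345
OUT

# Collect the signer fields from codesign's key=value lines.
def parse_codesign_info(text)
  info = { 'authority' => [], 'team_identifier' => nil }
  text.each_line do |line|
    key, value = line.strip.split('=', 2)
    next if value.nil?
    info['authority'] << value if key == 'Authority'
    info['team_identifier'] = value if key == 'TeamIdentifier'
  end
  info
end

# True only when leaf certificate, root and team ID all match what the caller expects.
def signer_matches?(info, team_id:, leaf_authority:, root_authority: 'Apple Root CA')
  chain = info['authority']
  return false if chain.empty? # unsigned or unparseable output
  chain.first == leaf_authority && chain.last == root_authority &&
    info['team_identifier'] == team_id
end

# macOS only: verify the seal first, then compare the signer. Arguments are passed
# as an array, so the path is never interpreted by a shell.
def verify_bundle(path, **expected)
  _, status = Open3.capture2e('/usr/bin/codesign', '--verify', '--deep', '--strict', path)
  return false unless status.success?
  out, status = Open3.capture2e('/usr/bin/codesign', '-dv', '--verbose=4', path)
  status.success? && signer_matches?(parse_codesign_info(out), **expected)
end
```

The look-alike sample carries the same bundle identifier and the same root as the genuine one, so only the leaf authority and team identifier tell them apart.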