02-13-2011 01:01 AM
I have recently read this helpful article, which explains how to sign an application using a private key, and using that signature to control access to the private data in the persistent store via wrapping the data in a ControlledAccess instance, specific to the key used. (Like many of the development docs here - it was very helpful but took forever to find; I only stumbled across it by following a trail of forum links...)
From what I understand, the data is protected by the public/private key pair. Of these, the public key is included in the project as a .key file. The name provided to CodesigningKey.get(module, "ACME") in lieu of "ACME" is simply used to identify this file/resource. For the data to be accessed successfully, the module that provides the module handle at run time must have been signed with the "ACME" private key that corresponds to the public .key file that is included in the project.
The docs above state to sign the COD separately from the build using the code signing authority tool. Currently, my build is completely automated - in order to accommodate different platforms, it will create 6 different deployments of my app. Each deployment contains from 1 to 6 COD files depending on the target version. It will then run the signature tool on all COD files; and use the jad tool to split them into smaller COD files for OTA install, and package up the original signed COD files and an ALX for desktop installation.
One of those COD files is the module that will be accessing the data; it will contain the public .key file; and that module handle will be used to store/retrieve the protected data.
What I think that this means is that I need to sign that one COD file in each of the six deployments -- after it's created, but before it has been automatically split into smaller CODs for JAD deployment.
So my two questions are ultimately this:
1) Is there an automated way to run this signing tool? The standard code signing tool itself can be executed from the command line, but I've no docs that indicate one way or the other.
2) What determines whether a module handle changes between builds? If I deploy a new version of my app and update all of the modules, am I guaranteed that the module handle for that single module will be identical to the previous build?
Anyone with experience w/ this who can weigh in?