Configuring a Root Certificate in a Device
To include their own root certificate in a device image, a manufacturer embeds the root in OEMCodeSigConfig.c.
To include another signing authority's root certificates, the device manufacturer must create another code signature configuration (e.g. MNOCodeSigConfig.c or SACodeSigConfig.c) and create an entry for the new configuration in OEMCodeSigConfigFactory.c.
Detailed instructions for how to modify or add a code signature configuration can be found in ICodeSigConfig.h and ICodeSigConfigFactory.h.
To quickly enable a device manufacturer to run dynamic code in a development environment, the Brew MP Code Signing Kit includes a Non-Commercial Sample Root configuration that may be easily dropped into a device image.
When including a root certificate in a Brew MP device build, several aspects of the root can be configured.
Configuring root certificate privileges and TCGs
To configure which privileges and TCGs a root certificate may authorize, you must explicitly list the privileges, individually or as ranges. More details can be found in ICodeSigConfig.h.