When Mac OS X updates the signature on a binary (for instance, when you configure a firewall rule for a previously unsigned binary), the actual Mach-O file will be changed -- and your digest will be incorrect.
Skype (which has notoriously complex obfuscation) had this problem for a short time when Mac OS X 10.5 was released:
http://securosis.com/blog/leopard-firewall-code-signing-brea...
You can work around this by validating only the important subset of the Mach-O contents, but it's probably not worth it. Cracked applications (rather than, say, reverse engineered serial number generators) are an annoying thing to use -- you'll have to refrain from applying updates until you get a new crack, trust the person distributing the crack, etc.
It's not something I (or, afaik, most other small Mac developers) really worry about.
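The "validate only the important subset of the Mach-O contents" idea from the comment above, as an added illustration (this is example code written for this page, not anything from the commenter or from Apple). It parses a 64-bit Mach-O, walks the load commands, and hashes only the sections that live inside the `__TEXT` segment, skipping the header and load commands (which sit at the front of `__TEXT` and get rewritten when `LC_CODE_SIGNATURE` is added) and skipping `__LINKEDIT` entirely (where the signature blob itself lands). The `build_macho` helper, the six-byte "code" and the fake signature blob are constructed for the demo and are not a loadable executable; all names are this example's own.

```python
import hashlib
import struct

# Mach-O constants as defined in <mach-o/loader.h>
MH_MAGIC_64 = 0xFEEDFACF
LC_SEGMENT_64 = 0x19
LC_CODE_SIGNATURE = 0x1D

HEADER_FMT = "<IiiIIIII"        # mach_header_64, 32 bytes
SEG_FMT = "<II16sQQQQiiII"      # segment_command_64, 72 bytes
SECT_FMT = "<16s16sQQIIIIIIII"  # section_64, 80 bytes
LEDATA_FMT = "<IIII"            # linkedit_data_command, 16 bytes


def text_sections_sha256(data: bytes) -> str:
    """SHA-256 over the contents of every section inside __TEXT only.

    Header, load commands and __LINKEDIT are deliberately excluded: those
    are exactly the parts the OS rewrites when it attaches a signature.
    """
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HEADER_FMT, data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit thin Mach-O is handled")
    h = hashlib.sha256()
    off = struct.calcsize(HEADER_FMT)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_SEGMENT_64:
            seg = struct.unpack_from(SEG_FMT, data, off)
            segname, nsects = seg[2].rstrip(b"\0"), seg[9]
            if segname == b"__TEXT":
                sect_off = off + struct.calcsize(SEG_FMT)
                for _ in range(nsects):
                    s = struct.unpack_from(SECT_FMT, data, sect_off)
                    sectname, size, offset = s[0].rstrip(b"\0"), s[3], s[4]
                    h.update(sectname)                 # bind content to its name
                    h.update(data[offset:offset + size])
                    sect_off += struct.calcsize(SECT_FMT)
        off += cmdsize
    return h.hexdigest()


def whole_file_sha256(data: bytes) -> str:
    """The naive check: digest of the entire file on disk."""
    return hashlib.sha256(data).hexdigest()


def build_macho(code: bytes, signature: bytes = b"") -> bytes:
    """Constructed toy binary (hypothetical, for the demo only): header,
    __TEXT holding one __text section at 0x1000, __LINKEDIT at 0x2000, and
    an LC_CODE_SIGNATURE command pointing into __LINKEDIT when a signature
    is supplied. Layout only; it is not runnable code."""
    text_off, linkedit_off = 0x1000, 0x2000
    cmds = [
        struct.pack(SEG_FMT, LC_SEGMENT_64, 72 + 80, b"__TEXT",
                    0, linkedit_off, 0, linkedit_off, 5, 5, 1, 0)
        + struct.pack(SECT_FMT, b"__text", b"__TEXT", text_off, len(code),
                      text_off, 4, 0, 0, 0x80000400, 0, 0, 0),
        struct.pack(SEG_FMT, LC_SEGMENT_64, 72, b"__LINKEDIT",
                    linkedit_off, len(signature), linkedit_off,
                    len(signature), 1, 1, 0, 0),
    ]
    if signature:
        cmds.append(struct.pack(LEDATA_FMT, LC_CODE_SIGNATURE, 16,
                                linkedit_off, len(signature)))
    lcs = b"".join(cmds)
    header = struct.pack(HEADER_FMT, MH_MAGIC_64, 0x0100000C, 0, 2,
                         len(cmds), len(lcs), 0, 0)
    blob = header + lcs
    blob += b"\0" * (text_off - len(blob)) + code
    blob += b"\0" * (linkedit_off - len(blob)) + signature
    return blob


# Constructed inputs: a stub function body and a fake embedded-signature blob.
CODE = b"\x55\x48\x89\xe5\x5d\xc3"
FAKE_SIG = b"\xfa\xde\x0c\xc0" + b"\0" * 60
UNSIGNED = build_macho(CODE)
SIGNED = build_macho(CODE, signature=FAKE_SIG)
CRACKED = build_macho(b"\xc3" + CODE[1:])   # first instruction patched to ret


if __name__ == "__main__":
    print("whole-file digest survives signing:",
          whole_file_sha256(UNSIGNED) == whole_file_sha256(SIGNED))
    print("__TEXT digest survives signing:   ",
          text_sections_sha256(UNSIGNED) == text_sections_sha256(SIGNED))
    print("__TEXT digest catches the patch:  ",
          text_sections_sha256(UNSIGNED) != text_sections_sha256(CRACKED))
```

Running it shows the whole-file digest changing as soon as the signature is attached, while the `__TEXT`-only digest stays stable and still flags the patched byte. The caveats the comment hints at still apply: a real signing pass can also grow `__LINKEDIT` and shift the load commands, fat binaries and 32-bit slices need their own handling, the stored reference digest has to live somewhere the hash does not cover, and whoever can patch `__text` can patch the check itself, which is the reason the commenter does not bother.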