pub fn plist_to_executable_segment_flags(
value: &Value
) -> ExecutableSegmentFlagsExpand description
Convert an entitlements plist to ExecutableSegmentFlags.
Some entitlements plist values imply features in executable segment flags. This function resolves those implied features.
Examples found in repository?
src/macho_signing.rs (line 474)
409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588
pub fn create_code_directory(
&self,
settings: &SigningSettings,
macho: &MachOBinary,
) -> Result<CodeDirectoryBlob<'static>, AppleCodesignError> {
// TODO support defining or filling in proper values for fields with
// static values.
let target = macho.find_targeting()?;
if let Some(target) = &target {
info!(
"binary targets {} >= {} with SDK {}",
target.platform, target.minimum_os_version, target.sdk_version,
);
}
let mut flags = CodeSignatureFlags::empty();
if let Some(additional) = settings.code_signature_flags(SettingsScope::Main) {
info!(
"adding code signature flags from signing settings: {:?}",
additional
);
flags |= additional;
}
// The adhoc flag is set when there is no CMS signature.
if settings.signing_key().is_none() {
info!("creating ad-hoc signature");
flags |= CodeSignatureFlags::ADHOC;
} else if flags.contains(CodeSignatureFlags::ADHOC) {
info!("removing ad-hoc code signature flag");
flags -= CodeSignatureFlags::ADHOC;
}
// Remove linker signed flag because we're not a linker.
if flags.contains(CodeSignatureFlags::LINKER_SIGNED) {
info!("removing linker signed flag from code signature (we're not a linker)");
flags -= CodeSignatureFlags::LINKER_SIGNED;
}
// Code limit fields hold the file offset at which code digests stop. This
// is the file offset in the `__LINKEDIT` segment when the embedded signature
// SuperBlob begins.
let (code_limit, code_limit_64) = match macho.code_limit_binary_offset()? {
x if x > u32::MAX as u64 => (0, Some(x)),
x => (x as u32, None),
};
let platform = 0;
let page_size = 4096u32;
let (exec_seg_base, exec_seg_limit) = macho.executable_segment_boundary()?;
let (exec_seg_base, exec_seg_limit) = (Some(exec_seg_base), Some(exec_seg_limit));
// Executable segment flags are wonky.
//
// Foremost, these flags are only present if the Mach-O binary is an executable. So not
// matter what the settings say, we don't set these flags unless the Mach-O file type
// is proper.
//
// Executable segment flags are also derived from an associated entitlements plist.
let exec_seg_flags = if macho.is_executable() {
if let Some(entitlements) = settings.entitlements_plist(SettingsScope::Main) {
let flags = plist_to_executable_segment_flags(entitlements);
if !flags.is_empty() {
info!("entitlements imply executable segment flags: {:?}", flags);
}
Some(flags | ExecutableSegmentFlags::MAIN_BINARY)
} else {
Some(ExecutableSegmentFlags::MAIN_BINARY)
}
} else {
None
};
// The runtime version is the SDK version from the targeting loader commands. Same
// u32 with nibbles encoding the version.
//
// If the runtime code signature flag is set, we also need to set the runtime version
// or else the activation of the hardened runtime is incomplete.
// If the settings defines a runtime version override, use it.
let runtime = match settings.runtime_version(SettingsScope::Main) {
Some(version) => {
info!(
"using hardened runtime version {} from signing settings",
version
);
Some(semver_to_macho_target_version(version))
}
None => None,
};
// If we still don't have a runtime but need one, derive from the target SDK.
let runtime = if runtime.is_none() && flags.contains(CodeSignatureFlags::RUNTIME) {
if let Some(target) = &target {
info!(
"using hardened runtime version {} derived from SDK version",
target.sdk_version
);
Some(semver_to_macho_target_version(&target.sdk_version))
} else {
warn!("hardened runtime version required but unable to derive suitable version; signature will likely fail Apple checks");
None
}
} else {
runtime
};
let code_hashes = macho
.code_digests(*settings.digest_type(), page_size as _)?
.into_iter()
.map(|v| Digest { data: v.into() })
.collect::<Vec<_>>();
let mut special_hashes = HashMap::new();
// There is no corresponding blob for the info plist data since it is provided
// externally to the embedded signature.
if let Some(data) = settings.info_plist_data(SettingsScope::Main) {
special_hashes.insert(
CodeSigningSlot::Info,
Digest {
data: settings.digest_type().digest_data(data)?.into(),
},
);
}
// There is no corresponding blob for resources data since it is provided
// externally to the embedded signature.
if let Some(data) = settings.code_resources_data(SettingsScope::Main) {
special_hashes.insert(
CodeSigningSlot::ResourceDir,
Digest {
data: settings.digest_type().digest_data(data)?.into(),
}
.to_owned(),
);
}
let ident = Cow::Owned(
settings
.binary_identifier(SettingsScope::Main)
.ok_or(AppleCodesignError::NoIdentifier)?
.to_string(),
);
let team_name = settings.team_id().map(|x| Cow::Owned(x.to_string()));
let mut cd = CodeDirectoryBlob {
flags,
code_limit,
digest_size: settings.digest_type().hash_len()? as u8,
digest_type: *settings.digest_type(),
platform,
page_size,
code_limit_64,
exec_seg_base,
exec_seg_limit,
exec_seg_flags,
runtime,
ident,
team_name,
code_digests: code_hashes,
..Default::default()
};
for (slot, digest) in special_hashes {
cd.set_slot_digest(slot, digest)?;
}
cd.adjust_version(target);
cd.clear_newer_fields();
Ok(cd)
}