Struct apple_codesign::SingleBundleSigner

pub struct SingleBundleSigner { /* private fields */ }

A primitive for signing a single Apple bundle.

Unlike BundleSigner, this type only signs a single bundle and is ignorant about nested bundles. You probably want to use BundleSigner as the interface for signing bundles, as failure to account for nested bundles can result in signature verification errors.

Implementations

impl SingleBundleSigner

pub fn new(bundle: DirectoryBundle) -> Self

Construct a new instance.

Examples found in repository

src/bundle_signing.rs (line 72)

    pub fn new_from_path(path: impl AsRef<Path>) -> Result<Self, AppleCodesignError> {
        let main_bundle = DirectoryBundle::new_from_path(path.as_ref())
            .map_err(AppleCodesignError::DirectoryBundle)?;

        let mut bundles = main_bundle
            .nested_bundles(true)
            .map_err(AppleCodesignError::DirectoryBundle)?
            .into_iter()
            .map(|(k, bundle)| (Some(k), SingleBundleSigner::new(bundle)))
            .collect::<BTreeMap<Option<String>, SingleBundleSigner>>();

        bundles.insert(None, SingleBundleSigner::new(main_bundle));

        Ok(Self { bundles })
    }

pub fn write_signed_bundle(
    &self,
    dest_dir: impl AsRef<Path>,
    settings: &SigningSettings<'_>
) -> Result<DirectoryBundle, AppleCodesignError>

Write a signed bundle to the given directory.

Examples found in repository

src/bundle_signing.rs (lines 128-131)

    pub fn write_signed_bundle(
        &self,
        dest_dir: impl AsRef<Path>,
        settings: &SigningSettings,
    ) -> Result<DirectoryBundle, AppleCodesignError> {
        let dest_dir = dest_dir.as_ref();

        // We need to sign the leaf-most bundles first since a parent bundle may need
        // to record information about the child in its signature.
        let mut bundles = self
            .bundles
            .iter()
            .filter_map(|(rel, bundle)| rel.as_ref().map(|rel| (rel, bundle)))
            .collect::<Vec<_>>();

        // This won't preserve alphabetical order. But since the input was stable, output
        // should be deterministic.
        bundles.sort_by(|(a, _), (b, _)| b.len().cmp(&a.len()));

        warn!(
            "signing {} nested bundles in the following order:",
            bundles.len()
        );
        for bundle in &bundles {
            warn!("{}", bundle.0);
        }

        for (rel, nested) in bundles {
            let nested_dest_dir = dest_dir.join(rel);
            info!(
                "entering nested bundle {}",
                nested.bundle.root_dir().display(),
            );

            // If we excluded this bundle from signing, just copy all the files.
            if settings
                .path_exclusion_patterns()
                .iter()
                .any(|pattern| pattern.matches(rel))
            {
                warn!("bundle is in exclusion list; it will be copied instead of signed");
                copy_bundle(&nested.bundle, &nested_dest_dir)?;
            } else {
                nested.write_signed_bundle(
                    nested_dest_dir,
                    &settings.as_nested_bundle_settings(rel),
                )?;
            }

            info!(
                "leaving nested bundle {}",
                nested.bundle.root_dir().display()
            );
        }

        let main = self
            .bundles
            .get(&None)
            .expect("main bundle should have a key");

        main.write_signed_bundle(dest_dir, settings)
    }