Struct apple_codesign::MachOSigner
source · pub struct MachOSigner<'data> { /* private fields */ }Expand description
Mach-O binary signer.
This type provides a high-level interface for signing Mach-O binaries. It handles parsing and rewriting Mach-O binaries and contains most of the functionality for producing signatures for individual Mach-O binaries.
Signing of both single architecture and fat/universal binaries is supported.
Circular Dependency
There is a circular dependency between the generation of the Code Directory present in the embedded signature and the Mach-O binary. See the note in crate::specification for the gory details. The tl;dr is the Mach-O data up to the signature data needs to be digested. But that digested data contains load commands that reference the signature data and its size, which can’t be known until the Code Directory, CMS blob, and SuperBlob are all created.
Our solution to this problem is to estimate the size of the embedded signature data and then pad the unused data will 0s.
Implementations§
source§impl<'data> MachOSigner<'data>
impl<'data> MachOSigner<'data>
sourcepub fn new(macho_data: &'data [u8]) -> Result<Self, AppleCodesignError>
pub fn new(macho_data: &'data [u8]) -> Result<Self, AppleCodesignError>
Construct a new instance from unparsed data representing a Mach-O binary.
The data will be parsed as a Mach-O binary (either single arch or fat/universal) and validated that we are capable of signing it.
Examples found in repository?
src/signing.rs (line 90)
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
pub fn sign_macho(
&self,
input_path: impl AsRef<Path>,
output_path: impl AsRef<Path>,
) -> Result<(), AppleCodesignError> {
let input_path = input_path.as_ref();
let output_path = output_path.as_ref();
warn!("signing {} as a Mach-O binary", input_path.display());
let macho_data = std::fs::read(input_path)?;
let mut settings = self.settings.clone();
settings.import_settings_from_macho(&macho_data)?;
if settings.binary_identifier(SettingsScope::Main).is_none() {
let identifier = input_path
.file_name()
.ok_or_else(|| {
AppleCodesignError::CliGeneralError(
"unable to resolve file name of binary".into(),
)
})?
.to_string_lossy();
warn!("setting binary identifier to {}", identifier);
settings.set_binary_identifier(SettingsScope::Main, identifier);
}
warn!("parsing Mach-O");
let signer = MachOSigner::new(&macho_data)?;
let mut macho_data = vec![];
signer.write_signed_binary(&settings, &mut macho_data)?;
warn!("writing Mach-O to {}", output_path.display());
write_macho_file(input_path, output_path, &macho_data)?;
Ok(())
}More examples
src/bundle_signing.rs (line 337)
330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633
fn sign_and_install_macho(
&self,
file: &DirectoryBundleFile,
) -> Result<SignedMachOInfo, AppleCodesignError> {
info!("signing Mach-O file {}", file.relative_path().display());
let macho_data = std::fs::read(file.absolute_path())?;
let signer = MachOSigner::new(&macho_data)?;
let mut settings = self
.settings
.as_bundle_macho_settings(file.relative_path().to_string_lossy().as_ref());
settings.import_settings_from_macho(&macho_data)?;
// If there isn't a defined binary identifier, derive one from the file name so one is set
// and we avoid a signing error due to missing identifier.
// TODO do we need to check the nested Mach-O settings?
if settings.binary_identifier(SettingsScope::Main).is_none() {
let identifier = file
.relative_path()
.file_name()
.expect("failure to extract filename (this should never happen)")
.to_string_lossy();
let identifier = identifier
.strip_suffix(".dylib")
.unwrap_or_else(|| identifier.as_ref());
info!(
"Mach-O is missing binary identifier; setting to {} based on file name",
identifier
);
settings.set_binary_identifier(SettingsScope::Main, identifier);
}
let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
signer.write_signed_binary(&settings, &mut new_data)?;
let dest_path = self.dest_dir.join(file.relative_path());
info!("writing Mach-O to {}", dest_path.display());
write_macho_file(file.absolute_path(), &dest_path, &new_data)?;
SignedMachOInfo::parse_data(&new_data)
}
}
/// A primitive for signing a single Apple bundle.
///
/// Unlike [BundleSigner], this type only signs a single bundle and is ignorant
/// about nested bundles. You probably want to use [BundleSigner] as the interface
/// for signing bundles, as failure to account for nested bundles can result in
/// signature verification errors.
pub struct SingleBundleSigner {
/// The bundle being signed.
bundle: DirectoryBundle,
}
impl SingleBundleSigner {
/// Construct a new instance.
pub fn new(bundle: DirectoryBundle) -> Self {
Self { bundle }
}
/// Write a signed bundle to the given directory.
pub fn write_signed_bundle(
&self,
dest_dir: impl AsRef<Path>,
settings: &SigningSettings,
) -> Result<DirectoryBundle, AppleCodesignError> {
let dest_dir = dest_dir.as_ref();
warn!(
"signing bundle at {} into {}",
self.bundle.root_dir().display(),
dest_dir.display()
);
// Frameworks are a bit special.
//
// Modern frameworks typically have a `Versions/` directory containing directories
// with the actual frameworks. These are the actual directories that are signed - not
// the top-most directory. In fact, the top-most `.framework` directory doesn't have any
// code signature elements at all and can effectively be ignored as far as signing
// is concerned.
//
// But even if there is a `Versions/` directory with nested bundles to sign, the top-level
// directory may have some symlinks. And those need to be preserved. In addition, there
// may be symlinks in `Versions/`. `Versions/Current` is common.
//
// Of course, if there is no `Versions/` directory, the top-level directory could be
// a valid framework warranting signing.
if self.bundle.package_type() == BundlePackageType::Framework {
if self.bundle.root_dir().join("Versions").is_dir() {
warn!("found a versioned framework; each version will be signed as its own bundle");
// But we still need to preserve files (hopefully just symlinks) outside the
// nested bundles under `Versions/`. Since we don't nest into child bundles
// here, it should be safe to handle each encountered file.
let handler = SingleBundleHandler {
dest_dir: dest_dir.to_path_buf(),
settings,
};
for file in self
.bundle
.files(false)
.map_err(AppleCodesignError::DirectoryBundle)?
{
handler.install_file(&file)?;
}
return DirectoryBundle::new_from_path(dest_dir)
.map_err(AppleCodesignError::DirectoryBundle);
} else {
warn!("found an unversioned framework; signing like normal");
}
}
let dest_dir_root = dest_dir.to_path_buf();
let dest_dir = if self.bundle.shallow() {
dest_dir_root.clone()
} else {
dest_dir.join("Contents")
};
self.bundle
.identifier()
.map_err(AppleCodesignError::DirectoryBundle)?
.ok_or_else(|| AppleCodesignError::BundleNoIdentifier(self.bundle.info_plist_path()))?;
let mut resources_digests = settings.all_digests(SettingsScope::Main);
// State in the main executable can influence signing settings of the bundle. So examine
// it first.
let main_exe = self
.bundle
.files(false)
.map_err(AppleCodesignError::DirectoryBundle)?
.into_iter()
.find(|f| matches!(f.is_main_executable(), Ok(true)));
if let Some(exe) = &main_exe {
let macho_data = std::fs::read(exe.absolute_path())?;
let mach = MachFile::parse(&macho_data)?;
for macho in mach.iter_macho() {
if let Some(targeting) = macho.find_targeting()? {
let sha256_version = targeting.platform.sha256_digest_support()?;
if !sha256_version.matches(&targeting.minimum_os_version)
&& resources_digests != vec![DigestType::Sha1, DigestType::Sha256]
{
info!("main executable targets OS requiring SHA-1 signatures; activating SHA-1 + SHA-256 signing");
resources_digests = vec![DigestType::Sha1, DigestType::Sha256];
break;
}
}
}
}
warn!("collecting code resources files");
// The set of rules to use is determined by whether the bundle *can* have a
// `Resources/`, not whether it necessarily does. The exact rules for this are not
// known. Essentially we want to test for the result of CFBundleCopyResourcesDirectoryURL().
// We assume that we can use the resources rules when there is a `Resources` directory
// (this seems obvious!) or when the bundle isn't shallow, as a non-shallow bundle should
// be an app bundle and app bundles can always have resources (we think).
let mut resources_builder =
if self.bundle.resolve_path("Resources").is_dir() || !self.bundle.shallow() {
CodeResourcesBuilder::default_resources_rules()?
} else {
CodeResourcesBuilder::default_no_resources_rules()?
};
// Ensure emitted digests match what we're configured to emit.
resources_builder.set_digests(resources_digests.into_iter());
// Exclude code signature files we'll write.
resources_builder.add_exclusion_rule(CodeResourcesRule::new("^_CodeSignature/")?.exclude());
// Ignore notarization ticket.
resources_builder.add_exclusion_rule(CodeResourcesRule::new("^CodeResources$")?.exclude());
let handler = SingleBundleHandler {
dest_dir: dest_dir_root.clone(),
settings,
};
let mut info_plist_data = None;
// Iterate files in this bundle and register as code resources.
//
// Traversing into nested bundles seems wrong but it is correct. The resources builder
// has rules to determine whether to process a path and assuming the rules and evaluation
// of them is correct, it is able to decide for itself how to handle a path.
//
// Furthermore, this behavior is needed as bundles can encapsulate signatures for nested
// bundles. For example, you could have a framework bundle with an embedded app bundle in
// `Resources/MyApp.app`! In this case, the framework's CodeResources encapsulates the
// content of `Resources/My.app` per the processing rules.
for file in self
.bundle
.files(true)
.map_err(AppleCodesignError::DirectoryBundle)?
{
// The main executable is special and handled below.
if file
.is_main_executable()
.map_err(AppleCodesignError::DirectoryBundle)?
{
continue;
} else if file.is_info_plist() {
// The Info.plist is digested specially. But it may also be handled by
// the resources handler. So always feed it through.
info!(
"{} is the Info.plist file; handling specially",
file.relative_path().display()
);
resources_builder.process_file(&file, &handler)?;
info_plist_data = Some(std::fs::read(file.absolute_path())?);
} else {
resources_builder.process_file(&file, &handler)?;
}
}
// Seal code directory digests of any nested bundles.
//
// Apple's tooling seems to only do this for some bundle type combinations. I'm
// not yet sure what the complete heuristic is. But we observed that frameworks
// don't appear to include digests of any nested app bundles. So we add that
// exclusion. iOS bundles don't seem to include digests for nested bundles either.
// We should figure out what the actual rules here...
if !self.bundle.shallow() {
let dest_bundle = DirectoryBundle::new_from_path(&dest_dir)
.map_err(AppleCodesignError::DirectoryBundle)?;
for (rel_path, nested_bundle) in dest_bundle
.nested_bundles(false)
.map_err(AppleCodesignError::DirectoryBundle)?
{
resources_builder.process_nested_bundle(&rel_path, &nested_bundle)?;
}
}
// The resources are now sealed. Write out that XML file.
let code_resources_path = dest_dir.join("_CodeSignature").join("CodeResources");
warn!(
"writing sealed resources to {}",
code_resources_path.display()
);
std::fs::create_dir_all(code_resources_path.parent().unwrap())?;
let mut resources_data = Vec::<u8>::new();
resources_builder.write_code_resources(&mut resources_data)?;
{
let mut fh = std::fs::File::create(&code_resources_path)?;
fh.write_all(&resources_data)?;
}
// Seal the main executable.
if let Some(exe) = main_exe {
warn!("signing main executable {}", exe.relative_path().display());
let macho_data = std::fs::read(exe.absolute_path())?;
let signer = MachOSigner::new(&macho_data)?;
let mut settings = settings.clone();
// The identifier for the main executable is defined in the bundle's Info.plist.
if let Some(ident) = self
.bundle
.identifier()
.map_err(AppleCodesignError::DirectoryBundle)?
{
info!("setting main executable binary identifier to {} (derived from CFBundleIdentifier in Info.plist)", ident);
settings.set_binary_identifier(SettingsScope::Main, ident);
} else {
info!("unable to determine binary identifier from bundle's Info.plist (CFBundleIdentifier not set?)");
}
settings.import_settings_from_macho(&macho_data)?;
settings.set_code_resources_data(SettingsScope::Main, resources_data);
if let Some(info_plist_data) = info_plist_data {
settings.set_info_plist_data(SettingsScope::Main, info_plist_data);
}
let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
signer.write_signed_binary(&settings, &mut new_data)?;
let dest_path = dest_dir_root.join(exe.relative_path());
info!("writing signed main executable to {}", dest_path.display());
write_macho_file(exe.absolute_path(), &dest_path, &new_data)?;
} else {
warn!("bundle has no main executable to sign specially");
}
DirectoryBundle::new_from_path(&dest_dir_root).map_err(AppleCodesignError::DirectoryBundle)
}sourcepub fn write_signed_binary(
&self,
settings: &SigningSettings<'_>,
writer: &mut impl Write
) -> Result<(), AppleCodesignError>
pub fn write_signed_binary(
&self,
settings: &SigningSettings<'_>,
writer: &mut impl Write
) -> Result<(), AppleCodesignError>
Write signed Mach-O data to the given writer using signing settings.
Examples found in repository?
src/signing.rs (line 93)
60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98
pub fn sign_macho(
&self,
input_path: impl AsRef<Path>,
output_path: impl AsRef<Path>,
) -> Result<(), AppleCodesignError> {
let input_path = input_path.as_ref();
let output_path = output_path.as_ref();
warn!("signing {} as a Mach-O binary", input_path.display());
let macho_data = std::fs::read(input_path)?;
let mut settings = self.settings.clone();
settings.import_settings_from_macho(&macho_data)?;
if settings.binary_identifier(SettingsScope::Main).is_none() {
let identifier = input_path
.file_name()
.ok_or_else(|| {
AppleCodesignError::CliGeneralError(
"unable to resolve file name of binary".into(),
)
})?
.to_string_lossy();
warn!("setting binary identifier to {}", identifier);
settings.set_binary_identifier(SettingsScope::Main, identifier);
}
warn!("parsing Mach-O");
let signer = MachOSigner::new(&macho_data)?;
let mut macho_data = vec![];
signer.write_signed_binary(&settings, &mut macho_data)?;
warn!("writing Mach-O to {}", output_path.display());
write_macho_file(input_path, output_path, &macho_data)?;
Ok(())
}More examples
src/bundle_signing.rs (line 367)
330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633
fn sign_and_install_macho(
&self,
file: &DirectoryBundleFile,
) -> Result<SignedMachOInfo, AppleCodesignError> {
info!("signing Mach-O file {}", file.relative_path().display());
let macho_data = std::fs::read(file.absolute_path())?;
let signer = MachOSigner::new(&macho_data)?;
let mut settings = self
.settings
.as_bundle_macho_settings(file.relative_path().to_string_lossy().as_ref());
settings.import_settings_from_macho(&macho_data)?;
// If there isn't a defined binary identifier, derive one from the file name so one is set
// and we avoid a signing error due to missing identifier.
// TODO do we need to check the nested Mach-O settings?
if settings.binary_identifier(SettingsScope::Main).is_none() {
let identifier = file
.relative_path()
.file_name()
.expect("failure to extract filename (this should never happen)")
.to_string_lossy();
let identifier = identifier
.strip_suffix(".dylib")
.unwrap_or_else(|| identifier.as_ref());
info!(
"Mach-O is missing binary identifier; setting to {} based on file name",
identifier
);
settings.set_binary_identifier(SettingsScope::Main, identifier);
}
let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
signer.write_signed_binary(&settings, &mut new_data)?;
let dest_path = self.dest_dir.join(file.relative_path());
info!("writing Mach-O to {}", dest_path.display());
write_macho_file(file.absolute_path(), &dest_path, &new_data)?;
SignedMachOInfo::parse_data(&new_data)
}
}
/// A primitive for signing a single Apple bundle.
///
/// Unlike [BundleSigner], this type only signs a single bundle and is ignorant
/// about nested bundles. You probably want to use [BundleSigner] as the interface
/// for signing bundles, as failure to account for nested bundles can result in
/// signature verification errors.
pub struct SingleBundleSigner {
/// The bundle being signed.
bundle: DirectoryBundle,
}
impl SingleBundleSigner {
/// Construct a new instance.
pub fn new(bundle: DirectoryBundle) -> Self {
Self { bundle }
}
/// Write a signed bundle to the given directory.
pub fn write_signed_bundle(
&self,
dest_dir: impl AsRef<Path>,
settings: &SigningSettings,
) -> Result<DirectoryBundle, AppleCodesignError> {
let dest_dir = dest_dir.as_ref();
warn!(
"signing bundle at {} into {}",
self.bundle.root_dir().display(),
dest_dir.display()
);
// Frameworks are a bit special.
//
// Modern frameworks typically have a `Versions/` directory containing directories
// with the actual frameworks. These are the actual directories that are signed - not
// the top-most directory. In fact, the top-most `.framework` directory doesn't have any
// code signature elements at all and can effectively be ignored as far as signing
// is concerned.
//
// But even if there is a `Versions/` directory with nested bundles to sign, the top-level
// directory may have some symlinks. And those need to be preserved. In addition, there
// may be symlinks in `Versions/`. `Versions/Current` is common.
//
// Of course, if there is no `Versions/` directory, the top-level directory could be
// a valid framework warranting signing.
if self.bundle.package_type() == BundlePackageType::Framework {
if self.bundle.root_dir().join("Versions").is_dir() {
warn!("found a versioned framework; each version will be signed as its own bundle");
// But we still need to preserve files (hopefully just symlinks) outside the
// nested bundles under `Versions/`. Since we don't nest into child bundles
// here, it should be safe to handle each encountered file.
let handler = SingleBundleHandler {
dest_dir: dest_dir.to_path_buf(),
settings,
};
for file in self
.bundle
.files(false)
.map_err(AppleCodesignError::DirectoryBundle)?
{
handler.install_file(&file)?;
}
return DirectoryBundle::new_from_path(dest_dir)
.map_err(AppleCodesignError::DirectoryBundle);
} else {
warn!("found an unversioned framework; signing like normal");
}
}
let dest_dir_root = dest_dir.to_path_buf();
let dest_dir = if self.bundle.shallow() {
dest_dir_root.clone()
} else {
dest_dir.join("Contents")
};
self.bundle
.identifier()
.map_err(AppleCodesignError::DirectoryBundle)?
.ok_or_else(|| AppleCodesignError::BundleNoIdentifier(self.bundle.info_plist_path()))?;
let mut resources_digests = settings.all_digests(SettingsScope::Main);
// State in the main executable can influence signing settings of the bundle. So examine
// it first.
let main_exe = self
.bundle
.files(false)
.map_err(AppleCodesignError::DirectoryBundle)?
.into_iter()
.find(|f| matches!(f.is_main_executable(), Ok(true)));
if let Some(exe) = &main_exe {
let macho_data = std::fs::read(exe.absolute_path())?;
let mach = MachFile::parse(&macho_data)?;
for macho in mach.iter_macho() {
if let Some(targeting) = macho.find_targeting()? {
let sha256_version = targeting.platform.sha256_digest_support()?;
if !sha256_version.matches(&targeting.minimum_os_version)
&& resources_digests != vec![DigestType::Sha1, DigestType::Sha256]
{
info!("main executable targets OS requiring SHA-1 signatures; activating SHA-1 + SHA-256 signing");
resources_digests = vec![DigestType::Sha1, DigestType::Sha256];
break;
}
}
}
}
warn!("collecting code resources files");
// The set of rules to use is determined by whether the bundle *can* have a
// `Resources/`, not whether it necessarily does. The exact rules for this are not
// known. Essentially we want to test for the result of CFBundleCopyResourcesDirectoryURL().
// We assume that we can use the resources rules when there is a `Resources` directory
// (this seems obvious!) or when the bundle isn't shallow, as a non-shallow bundle should
// be an app bundle and app bundles can always have resources (we think).
let mut resources_builder =
if self.bundle.resolve_path("Resources").is_dir() || !self.bundle.shallow() {
CodeResourcesBuilder::default_resources_rules()?
} else {
CodeResourcesBuilder::default_no_resources_rules()?
};
// Ensure emitted digests match what we're configured to emit.
resources_builder.set_digests(resources_digests.into_iter());
// Exclude code signature files we'll write.
resources_builder.add_exclusion_rule(CodeResourcesRule::new("^_CodeSignature/")?.exclude());
// Ignore notarization ticket.
resources_builder.add_exclusion_rule(CodeResourcesRule::new("^CodeResources$")?.exclude());
let handler = SingleBundleHandler {
dest_dir: dest_dir_root.clone(),
settings,
};
let mut info_plist_data = None;
// Iterate files in this bundle and register as code resources.
//
// Traversing into nested bundles seems wrong but it is correct. The resources builder
// has rules to determine whether to process a path and assuming the rules and evaluation
// of them is correct, it is able to decide for itself how to handle a path.
//
// Furthermore, this behavior is needed as bundles can encapsulate signatures for nested
// bundles. For example, you could have a framework bundle with an embedded app bundle in
// `Resources/MyApp.app`! In this case, the framework's CodeResources encapsulates the
// content of `Resources/My.app` per the processing rules.
for file in self
.bundle
.files(true)
.map_err(AppleCodesignError::DirectoryBundle)?
{
// The main executable is special and handled below.
if file
.is_main_executable()
.map_err(AppleCodesignError::DirectoryBundle)?
{
continue;
} else if file.is_info_plist() {
// The Info.plist is digested specially. But it may also be handled by
// the resources handler. So always feed it through.
info!(
"{} is the Info.plist file; handling specially",
file.relative_path().display()
);
resources_builder.process_file(&file, &handler)?;
info_plist_data = Some(std::fs::read(file.absolute_path())?);
} else {
resources_builder.process_file(&file, &handler)?;
}
}
// Seal code directory digests of any nested bundles.
//
// Apple's tooling seems to only do this for some bundle type combinations. I'm
// not yet sure what the complete heuristic is. But we observed that frameworks
// don't appear to include digests of any nested app bundles. So we add that
// exclusion. iOS bundles don't seem to include digests for nested bundles either.
// We should figure out what the actual rules here...
if !self.bundle.shallow() {
let dest_bundle = DirectoryBundle::new_from_path(&dest_dir)
.map_err(AppleCodesignError::DirectoryBundle)?;
for (rel_path, nested_bundle) in dest_bundle
.nested_bundles(false)
.map_err(AppleCodesignError::DirectoryBundle)?
{
resources_builder.process_nested_bundle(&rel_path, &nested_bundle)?;
}
}
// The resources are now sealed. Write out that XML file.
let code_resources_path = dest_dir.join("_CodeSignature").join("CodeResources");
warn!(
"writing sealed resources to {}",
code_resources_path.display()
);
std::fs::create_dir_all(code_resources_path.parent().unwrap())?;
let mut resources_data = Vec::<u8>::new();
resources_builder.write_code_resources(&mut resources_data)?;
{
let mut fh = std::fs::File::create(&code_resources_path)?;
fh.write_all(&resources_data)?;
}
// Seal the main executable.
if let Some(exe) = main_exe {
warn!("signing main executable {}", exe.relative_path().display());
let macho_data = std::fs::read(exe.absolute_path())?;
let signer = MachOSigner::new(&macho_data)?;
let mut settings = settings.clone();
// The identifier for the main executable is defined in the bundle's Info.plist.
if let Some(ident) = self
.bundle
.identifier()
.map_err(AppleCodesignError::DirectoryBundle)?
{
info!("setting main executable binary identifier to {} (derived from CFBundleIdentifier in Info.plist)", ident);
settings.set_binary_identifier(SettingsScope::Main, ident);
} else {
info!("unable to determine binary identifier from bundle's Info.plist (CFBundleIdentifier not set?)");
}
settings.import_settings_from_macho(&macho_data)?;
settings.set_code_resources_data(SettingsScope::Main, resources_data);
if let Some(info_plist_data) = info_plist_data {
settings.set_info_plist_data(SettingsScope::Main, info_plist_data);
}
let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
signer.write_signed_binary(&settings, &mut new_data)?;
let dest_path = dest_dir_root.join(exe.relative_path());
info!("writing signed main executable to {}", dest_path.display());
write_macho_file(exe.absolute_path(), &dest_path, &new_data)?;
} else {
warn!("bundle has no main executable to sign specially");
}
DirectoryBundle::new_from_path(&dest_dir_root).map_err(AppleCodesignError::DirectoryBundle)
}sourcepub fn create_superblob(
&self,
settings: &SigningSettings<'_>,
macho: &MachOBinary<'_>
) -> Result<Vec<u8>, AppleCodesignError>
pub fn create_superblob(
&self,
settings: &SigningSettings<'_>,
macho: &MachOBinary<'_>
) -> Result<Vec<u8>, AppleCodesignError>
Create data constituting the SuperBlob to be embedded in the __LINKEDIT segment.
The superblob contains the code directory, any extra blobs, and an optional CMS structure containing a cryptographic signature.
This takes an explicit Mach-O to operate on due to a circular dependency between writing out the Mach-O and digesting its content. See the note in MachOSigner for details.
Examples found in repository?
src/macho_signing.rs (line 321)
291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349
pub fn write_signed_binary(
&self,
settings: &SigningSettings,
writer: &mut impl Write,
) -> Result<(), AppleCodesignError> {
// Implementing a true streaming writer requires calculating final sizes
// of all binaries so fat header offsets and sizes can be written first. We take
// the easy road and buffer individual Mach-O binaries internally.
let binaries = self
.machos
.iter()
.enumerate()
.map(|(index, original_macho)| {
info!("signing Mach-O binary at index {}", index);
let settings =
settings.as_nested_macho_settings(index, original_macho.macho.header.cputype());
let signature_len = original_macho.estimate_embedded_signature_size(&settings)?;
// Derive an intermediate Mach-O with placeholder NULLs for signature
// data so Code Directory digests over the load commands are correct.
let placeholder_signature_data = b"\0".repeat(signature_len);
let intermediate_macho_data =
create_macho_with_signature(original_macho, &placeholder_signature_data)?;
// A nice side-effect of this is that it catches bugs if we write malformed Mach-O!
let intermediate_macho = MachOBinary::parse(&intermediate_macho_data)?;
let mut signature_data = self.create_superblob(&settings, &intermediate_macho)?;
info!("total signature size: {} bytes", signature_data.len());
// The Mach-O writer adjusts load commands based on the signature length. So pad
// with NULLs to get to our placeholder length.
match signature_data.len().cmp(&placeholder_signature_data.len()) {
Ordering::Greater => {
return Err(AppleCodesignError::SignatureDataTooLarge);
}
Ordering::Equal => {}
Ordering::Less => {
signature_data.extend_from_slice(
&b"\0".repeat(placeholder_signature_data.len() - signature_data.len()),
);
}
}
create_macho_with_signature(&intermediate_macho, &signature_data)
})
.collect::<Result<Vec<_>, AppleCodesignError>>()?;
if binaries.len() > 1 {
create_universal_macho(writer, binaries.iter().map(|x| x.as_slice()))?;
} else {
writer.write_all(&binaries[0])?;
}
Ok(())
}sourcepub fn create_code_directory(
&self,
settings: &SigningSettings<'_>,
macho: &MachOBinary<'_>
) -> Result<CodeDirectoryBlob<'static>, AppleCodesignError>
pub fn create_code_directory(
&self,
settings: &SigningSettings<'_>,
macho: &MachOBinary<'_>
) -> Result<CodeDirectoryBlob<'static>, AppleCodesignError>
Create the CodeDirectory for the current configuration.
This takes an explicit Mach-O to operate on due to a circular dependency between writing out the Mach-O and digesting its content. See the note in MachOSigner for details.
Examples found in repository?
src/macho_signing.rs (line 370)
359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402
pub fn create_superblob(
&self,
settings: &SigningSettings,
macho: &MachOBinary,
) -> Result<Vec<u8>, AppleCodesignError> {
let mut builder = EmbeddedSignatureBuilder::default();
for (slot, blob) in self.create_special_blobs(settings, macho.is_executable())? {
builder.add_blob(slot, blob)?;
}
let code_directory = self.create_code_directory(settings, macho)?;
info!("code directory version: {}", code_directory.version);
builder.add_code_directory(CodeSigningSlot::CodeDirectory, code_directory)?;
if let Some(digests) = settings.extra_digests(SettingsScope::Main) {
for digest_type in digests {
// Since everything consults settings for the digest to use, just make a new settings
// with a different digest.
let mut alt_settings = settings.clone();
alt_settings.set_digest_type(*digest_type);
info!(
"adding alternative code directory using digest {:?}",
digest_type
);
let cd = self.create_code_directory(&alt_settings, macho)?;
builder.add_alternative_code_directory(cd)?;
}
}
if let Some((signing_key, signing_cert)) = settings.signing_key() {
builder.create_cms_signature(
signing_key,
signing_cert,
settings.time_stamp_url(),
settings.certificate_chain().iter().cloned(),
)?;
}
builder.create_superblob()
}sourcepub fn create_special_blobs(
&self,
settings: &SigningSettings<'_>,
is_executable: bool
) -> Result<Vec<(CodeSigningSlot, BlobData<'static>)>, AppleCodesignError>
pub fn create_special_blobs(
&self,
settings: &SigningSettings<'_>,
is_executable: bool
) -> Result<Vec<(CodeSigningSlot, BlobData<'static>)>, AppleCodesignError>
Create blobs that need to be written given the current configuration.
This emits all blobs except CodeDirectory and Signature, which are
special since they are derived from the blobs emitted here.
The goal of this function is to emit data to facilitate the creation of
a CodeDirectory, which requires hashing blobs.
Examples found in repository?
src/macho_signing.rs (line 366)
359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402
pub fn create_superblob(
&self,
settings: &SigningSettings,
macho: &MachOBinary,
) -> Result<Vec<u8>, AppleCodesignError> {
let mut builder = EmbeddedSignatureBuilder::default();
for (slot, blob) in self.create_special_blobs(settings, macho.is_executable())? {
builder.add_blob(slot, blob)?;
}
let code_directory = self.create_code_directory(settings, macho)?;
info!("code directory version: {}", code_directory.version);
builder.add_code_directory(CodeSigningSlot::CodeDirectory, code_directory)?;
if let Some(digests) = settings.extra_digests(SettingsScope::Main) {
for digest_type in digests {
// Since everything consults settings for the digest to use, just make a new settings
// with a different digest.
let mut alt_settings = settings.clone();
alt_settings.set_digest_type(*digest_type);
info!(
"adding alternative code directory using digest {:?}",
digest_type
);
let cd = self.create_code_directory(&alt_settings, macho)?;
builder.add_alternative_code_directory(cd)?;
}
}
if let Some((signing_key, signing_cert)) = settings.signing_key() {
builder.create_cms_signature(
signing_key,
signing_cert,
settings.time_stamp_url(),
settings.certificate_chain().iter().cloned(),
)?;
}
builder.create_superblob()
}Auto Trait Implementations§
impl<'data> RefUnwindSafe for MachOSigner<'data>
impl<'data> Send for MachOSigner<'data>
impl<'data> Sync for MachOSigner<'data>
impl<'data> Unpin for MachOSigner<'data>
impl<'data> UnwindSafe for MachOSigner<'data>
Blanket Implementations§
§impl<'a, T, E> AsTaggedExplicit<'a, E> for Twhere
T: 'a,
impl<'a, T, E> AsTaggedExplicit<'a, E> for Twhere
T: 'a,
§impl<'a, T, E> AsTaggedImplicit<'a, E> for Twhere
T: 'a,
impl<'a, T, E> AsTaggedImplicit<'a, E> for Twhere
T: 'a,
§impl<T> Conv for T
impl<T> Conv for T
§impl<T> FmtForward for T
impl<T> FmtForward for T
§fn fmt_binary(self) -> FmtBinary<Self>where
Self: Binary,
fn fmt_binary(self) -> FmtBinary<Self>where
Self: Binary,
Causes
self to use its Binary implementation when Debug-formatted.§fn fmt_display(self) -> FmtDisplay<Self>where
Self: Display,
fn fmt_display(self) -> FmtDisplay<Self>where
Self: Display,
Causes
self to use its Display implementation when
Debug-formatted.§fn fmt_lower_exp(self) -> FmtLowerExp<Self>where
Self: LowerExp,
fn fmt_lower_exp(self) -> FmtLowerExp<Self>where
Self: LowerExp,
Causes
self to use its LowerExp implementation when
Debug-formatted.§fn fmt_lower_hex(self) -> FmtLowerHex<Self>where
Self: LowerHex,
fn fmt_lower_hex(self) -> FmtLowerHex<Self>where
Self: LowerHex,
Causes
self to use its LowerHex implementation when
Debug-formatted.§fn fmt_octal(self) -> FmtOctal<Self>where
Self: Octal,
fn fmt_octal(self) -> FmtOctal<Self>where
Self: Octal,
Causes
self to use its Octal implementation when Debug-formatted.§fn fmt_pointer(self) -> FmtPointer<Self>where
Self: Pointer,
fn fmt_pointer(self) -> FmtPointer<Self>where
Self: Pointer,
Causes
self to use its Pointer implementation when
Debug-formatted.§fn fmt_upper_exp(self) -> FmtUpperExp<Self>where
Self: UpperExp,
fn fmt_upper_exp(self) -> FmtUpperExp<Self>where
Self: UpperExp,
Causes
self to use its UpperExp implementation when
Debug-formatted.§fn fmt_upper_hex(self) -> FmtUpperHex<Self>where
Self: UpperHex,
fn fmt_upper_hex(self) -> FmtUpperHex<Self>where
Self: UpperHex,
Causes
self to use its UpperHex implementation when
Debug-formatted.§fn fmt_list(self) -> FmtList<Self>where
&'a Self: for<'a> IntoIterator,
fn fmt_list(self) -> FmtList<Self>where
&'a Self: for<'a> IntoIterator,
Formats each item in a sequence. Read more
source§impl<T> Instrument for T
impl<T> Instrument for T
source§fn instrument(self, span: Span) -> Instrumented<Self>
fn instrument(self, span: Span) -> Instrumented<Self>
source§fn in_current_span(self) -> Instrumented<Self>
fn in_current_span(self) -> Instrumented<Self>
§impl<T> Pipe for Twhere
T: ?Sized,
impl<T> Pipe for Twhere
T: ?Sized,
§fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> Rwhere
Self: Sized,
fn pipe<R>(self, func: impl FnOnce(Self) -> R) -> Rwhere
Self: Sized,
Pipes by value. This is generally the method you want to use. Read more
§fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> Rwhere
R: 'a,
fn pipe_ref<'a, R>(&'a self, func: impl FnOnce(&'a Self) -> R) -> Rwhere
R: 'a,
Borrows
self and passes that borrow into the pipe function. Read more§fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> Rwhere
R: 'a,
fn pipe_ref_mut<'a, R>(&'a mut self, func: impl FnOnce(&'a mut Self) -> R) -> Rwhere
R: 'a,
Mutably borrows
self and passes that borrow into the pipe function. Read more§fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> Rwhere
Self: Borrow<B>,
B: 'a + ?Sized,
R: 'a,
fn pipe_borrow<'a, B, R>(&'a self, func: impl FnOnce(&'a B) -> R) -> Rwhere
Self: Borrow<B>,
B: 'a + ?Sized,
R: 'a,
§fn pipe_borrow_mut<'a, B, R>(
&'a mut self,
func: impl FnOnce(&'a mut B) -> R
) -> Rwhere
Self: BorrowMut<B>,
B: 'a + ?Sized,
R: 'a,
fn pipe_borrow_mut<'a, B, R>(
&'a mut self,
func: impl FnOnce(&'a mut B) -> R
) -> Rwhere
Self: BorrowMut<B>,
B: 'a + ?Sized,
R: 'a,
§fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> Rwhere
Self: AsRef<U>,
U: 'a + ?Sized,
R: 'a,
fn pipe_as_ref<'a, U, R>(&'a self, func: impl FnOnce(&'a U) -> R) -> Rwhere
Self: AsRef<U>,
U: 'a + ?Sized,
R: 'a,
Borrows
self, then passes self.as_ref() into the pipe function.§fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> Rwhere
Self: AsMut<U>,
U: 'a + ?Sized,
R: 'a,
fn pipe_as_mut<'a, U, R>(&'a mut self, func: impl FnOnce(&'a mut U) -> R) -> Rwhere
Self: AsMut<U>,
U: 'a + ?Sized,
R: 'a,
Mutably borrows
self, then passes self.as_mut() into the pipe
function.§impl<T> Pointable for T
impl<T> Pointable for T
§impl<T> Tap for T
impl<T> Tap for T
§fn tap_borrow<B>(self, func: impl FnOnce(&B)) -> Selfwhere
Self: Borrow<B>,
B: ?Sized,
fn tap_borrow<B>(self, func: impl FnOnce(&B)) -> Selfwhere
Self: Borrow<B>,
B: ?Sized,
Immutable access to the
Borrow<B> of a value. Read more§fn tap_borrow_mut<B>(self, func: impl FnOnce(&mut B)) -> Selfwhere
Self: BorrowMut<B>,
B: ?Sized,
fn tap_borrow_mut<B>(self, func: impl FnOnce(&mut B)) -> Selfwhere
Self: BorrowMut<B>,
B: ?Sized,
Mutable access to the
BorrowMut<B> of a value. Read more§fn tap_ref<R>(self, func: impl FnOnce(&R)) -> Selfwhere
Self: AsRef<R>,
R: ?Sized,
fn tap_ref<R>(self, func: impl FnOnce(&R)) -> Selfwhere
Self: AsRef<R>,
R: ?Sized,
Immutable access to the
AsRef<R> view of a value. Read more§fn tap_ref_mut<R>(self, func: impl FnOnce(&mut R)) -> Selfwhere
Self: AsMut<R>,
R: ?Sized,
fn tap_ref_mut<R>(self, func: impl FnOnce(&mut R)) -> Selfwhere
Self: AsMut<R>,
R: ?Sized,
Mutable access to the
AsMut<R> view of a value. Read more§fn tap_deref<T>(self, func: impl FnOnce(&T)) -> Selfwhere
Self: Deref<Target = T>,
T: ?Sized,
fn tap_deref<T>(self, func: impl FnOnce(&T)) -> Selfwhere
Self: Deref<Target = T>,
T: ?Sized,
Immutable access to the
Deref::Target of a value. Read more§fn tap_deref_mut<T>(self, func: impl FnOnce(&mut T)) -> Selfwhere
Self: DerefMut<Target = T> + Deref,
T: ?Sized,
fn tap_deref_mut<T>(self, func: impl FnOnce(&mut T)) -> Selfwhere
Self: DerefMut<Target = T> + Deref,
T: ?Sized,
Mutable access to the
Deref::Target of a value. Read more§fn tap_dbg(self, func: impl FnOnce(&Self)) -> Self
fn tap_dbg(self, func: impl FnOnce(&Self)) -> Self
Calls
.tap() only in debug builds, and is erased in release builds.§fn tap_mut_dbg(self, func: impl FnOnce(&mut Self)) -> Self
fn tap_mut_dbg(self, func: impl FnOnce(&mut Self)) -> Self
Calls
.tap_mut() only in debug builds, and is erased in release
builds.§fn tap_borrow_dbg<B>(self, func: impl FnOnce(&B)) -> Selfwhere
Self: Borrow<B>,
B: ?Sized,
fn tap_borrow_dbg<B>(self, func: impl FnOnce(&B)) -> Selfwhere
Self: Borrow<B>,
B: ?Sized,
Calls
.tap_borrow() only in debug builds, and is erased in release
builds.§fn tap_borrow_mut_dbg<B>(self, func: impl FnOnce(&mut B)) -> Selfwhere
Self: BorrowMut<B>,
B: ?Sized,
fn tap_borrow_mut_dbg<B>(self, func: impl FnOnce(&mut B)) -> Selfwhere
Self: BorrowMut<B>,
B: ?Sized,
Calls
.tap_borrow_mut() only in debug builds, and is erased in release
builds.§fn tap_ref_dbg<R>(self, func: impl FnOnce(&R)) -> Selfwhere
Self: AsRef<R>,
R: ?Sized,
fn tap_ref_dbg<R>(self, func: impl FnOnce(&R)) -> Selfwhere
Self: AsRef<R>,
R: ?Sized,
Calls
.tap_ref() only in debug builds, and is erased in release
builds.§fn tap_ref_mut_dbg<R>(self, func: impl FnOnce(&mut R)) -> Selfwhere
Self: AsMut<R>,
R: ?Sized,
fn tap_ref_mut_dbg<R>(self, func: impl FnOnce(&mut R)) -> Selfwhere
Self: AsMut<R>,
R: ?Sized,
Calls
.tap_ref_mut() only in debug builds, and is erased in release
builds.