Struct apple_codesign::SignedMachOInfo

pub struct SignedMachOInfo {
    pub code_directory_blob: Vec<u8>,
    pub designated_code_requirement: Option<String>,
}

Metadata about a signed Mach-O file or bundle.

If referring to a bundle, the metadata refers to the 1st Mach-O in the bundle’s main executable.

This contains enough metadata to construct references to the file/bundle in crate::code_resources::CodeResources files.

Fields

code_directory_blob: Vec<u8>

Raw data constituting the code directory blob.

Is typically digested to construct a .

designated_code_requirement: Option<String>

Designated code requirements string.

Typically occupies a <key>requirement</key> in a crate::code_resources::CodeResources file.

Implementations

impl SignedMachOInfo

pub fn parse_data(data: &[u8]) -> Result<Self, AppleCodesignError>

Parse Mach-O data to obtain an instance.

Examples found in repository

src/stapling.rs (line 57)

pub fn record_name_from_executable_bundle(
    bundle: &DirectoryBundle,
) -> Result<String, AppleCodesignError> {
    let main_exe = bundle
        .files(false)
        .map_err(AppleCodesignError::DirectoryBundle)?
        .into_iter()
        .find(|file| matches!(file.is_main_executable(), Ok(true)))
        .ok_or(AppleCodesignError::StapleMainExecutableNotFound)?;

    // Now extract the code signature so we can resolve the code directory.
    info!(
        "resolving bundle's record name from {}",
        main_exe.absolute_path().display()
    );
    let macho_data = std::fs::read(main_exe.absolute_path())?;

    let signed = SignedMachOInfo::parse_data(&macho_data)?;

    let record_name = signed.notarization_ticket_record_name()?;

    Ok(record_name)
}

src/bundle_signing.rs (line 374)

    fn sign_and_install_macho(
        &self,
        file: &DirectoryBundleFile,
    ) -> Result<SignedMachOInfo, AppleCodesignError> {
        info!("signing Mach-O file {}", file.relative_path().display());

        let macho_data = std::fs::read(file.absolute_path())?;
        let signer = MachOSigner::new(&macho_data)?;

        let mut settings = self
            .settings
            .as_bundle_macho_settings(file.relative_path().to_string_lossy().as_ref());

        settings.import_settings_from_macho(&macho_data)?;

        // If there isn't a defined binary identifier, derive one from the file name so one is set
        // and we avoid a signing error due to missing identifier.
        // TODO do we need to check the nested Mach-O settings?
        if settings.binary_identifier(SettingsScope::Main).is_none() {
            let identifier = file
                .relative_path()
                .file_name()
                .expect("failure to extract filename (this should never happen)")
                .to_string_lossy();

            let identifier = identifier
                .strip_suffix(".dylib")
                .unwrap_or_else(|| identifier.as_ref());

            info!(
                "Mach-O is missing binary identifier; setting to {} based on file name",
                identifier
            );
            settings.set_binary_identifier(SettingsScope::Main, identifier);
        }

        let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
        signer.write_signed_binary(&settings, &mut new_data)?;

        let dest_path = self.dest_dir.join(file.relative_path());

        info!("writing Mach-O to {}", dest_path.display());
        write_macho_file(file.absolute_path(), &dest_path, &new_data)?;

        SignedMachOInfo::parse_data(&new_data)
    }

src/code_resources.rs (line 1338)

    pub fn process_nested_bundle(
        &mut self,
        relative_path: &str,
        bundle: &DirectoryBundle,
    ) -> Result<(), AppleCodesignError> {
        let main_exe = match bundle
            .files(false)
            .map_err(AppleCodesignError::DirectoryBundle)?
            .into_iter()
            .find(|file| matches!(file.is_main_executable(), Ok(true)))
        {
            Some(path) => path,
            None => {
                warn!(
                    "nested bundle at {} does not have main executable; nothing to seal",
                    relative_path
                );
                return Ok(());
            }
        };

        let (relative_path, optional) =
            match Self::evaluate_rules(&self.rules2, relative_path, None)? {
                RulesEvaluation::SealRegularFile(relative_path, optional) => {
                    (relative_path, optional)
                }
                RulesEvaluation::SealNested(relative_path, optional) => (relative_path, optional),
                RulesEvaluation::Exclude => {
                    info!(
                        "excluding signing nested bundle {} because of matched resources rule",
                        relative_path
                    );
                    return Ok(());
                }
                res => {
                    warn!(
                        "unexpected resource rules evaluation result for nested bundle {}: {:?}",
                        relative_path, res
                    );
                    return Err(AppleCodesignError::BundleUnexpectedResourceRuleResult);
                }
            };

        let macho_data = std::fs::read(main_exe.absolute_path())?;
        let macho_info = SignedMachOInfo::parse_data(&macho_data)?;

        info!("sealing nested bundle at {}", relative_path);
        self.resources
            .seal_macho(relative_path, &macho_info, optional)?;

        Ok(())
    }

pub fn code_directory(
    &self
) -> Result<Box<CodeDirectoryBlob<'_>>, AppleCodesignError>

Resolve the parsed code directory from stored data.

Examples found in repository

src/bundle_signing.rs (line 247)

    pub fn notarization_ticket_record_name(&self) -> Result<String, AppleCodesignError> {
        let cd = self.code_directory()?;

        let digest_type: u8 = cd.digest_type.into();

        let mut digest = cd.digest_with(cd.digest_type)?;

        // Digests appear to be truncated at 20 bytes / 40 characters.
        digest.truncate(20);

        let digest = hex::encode(digest);

        // Unsure what the leading `2/` means.
        Ok(format!("2/{digest_type}/{digest}"))
    }

pub fn notarization_ticket_record_name(
    &self
) -> Result<String, AppleCodesignError>

Resolve the notarization ticket record name for this Mach-O file.

Examples found in repository

src/stapling.rs (line 59)

pub fn record_name_from_executable_bundle(
    bundle: &DirectoryBundle,
) -> Result<String, AppleCodesignError> {
    let main_exe = bundle
        .files(false)
        .map_err(AppleCodesignError::DirectoryBundle)?
        .into_iter()
        .find(|file| matches!(file.is_main_executable(), Ok(true)))
        .ok_or(AppleCodesignError::StapleMainExecutableNotFound)?;

    // Now extract the code signature so we can resolve the code directory.
    info!(
        "resolving bundle's record name from {}",
        main_exe.absolute_path().display()
    );
    let macho_data = std::fs::read(main_exe.absolute_path())?;

    let signed = SignedMachOInfo::parse_data(&macho_data)?;

    let record_name = signed.notarization_ticket_record_name()?;

    Ok(record_name)
}