apple-codesign 0.24.0

Pure Rust interface to code signing on Apple platforms
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384

Sign a bundle containing multiple Mach-O binaries.

```
$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp
assuming default minimum version 11.0.0
writing Mach-O to MyApp.app/Contents/MacOS/MyApp

$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/bin
assuming default minimum version 11.0.0
writing Mach-O to MyApp.app/Contents/MacOS/bin

$ rcodesign debug-create-macho --file-type dylib MyApp.app/Contents/MacOS/lib.dylib
assuming default minimum version 11.0.0
writing Mach-O to MyApp.app/Contents/MacOS/lib.dylib

$ rcodesign debug-create-macho MyApp.app/Contents/Resources/non-nested-bin
assuming default minimum version 11.0.0
writing Mach-O to MyApp.app/Contents/Resources/non-nested-bin

$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist
writing MyApp.app/Contents/Info.plist

$ rcodesign sign MyApp.app MyApp.app.signed
signing MyApp.app to MyApp.app.signed
signing bundle at MyApp.app
signing bundle at MyApp.app into MyApp.app.signed
signing Mach-O file Contents/MacOS/bin
signing Mach-O file Contents/MacOS/lib.dylib
signing Mach-O file Contents/Resources/non-nested-bin
signing main executable Contents/MacOS/MyApp

$ rcodesign debug-file-tree MyApp.app.signed
d                      MyApp.app.signed/
d                      MyApp.app.signed/Contents
f 0a5902dc8e47f490d038 MyApp.app.signed/Contents/Info.plist
d                      MyApp.app.signed/Contents/MacOS
f f6d273743392c9487bf7 MyApp.app.signed/Contents/MacOS/MyApp
f 222272e624fadf178495 MyApp.app.signed/Contents/MacOS/bin
f f5bf39926f898f9d8b10 MyApp.app.signed/Contents/MacOS/lib.dylib
d                      MyApp.app.signed/Contents/Resources
f 17ee48591c2b454766b3 MyApp.app.signed/Contents/Resources/non-nested-bin
d                      MyApp.app.signed/Contents/_CodeSignature
f e9faf2afbb4ab5548d35 MyApp.app.signed/Contents/_CodeSignature/CodeResources

$ rcodesign print-signature-info MyApp.app.signed
- path: Contents/Info.plist
  file_size: 576
  file_sha256: 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5
  entity: other
- path: Contents/MacOS/MyApp
  file_size: 22544
  file_sha256: f6d273743392c9487bf77591283131fe141924e27108c2475ad4862393550016
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16821 / 0x41b5
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 437 / 0x1b5
      linkedit_bytes_after_signature: 5723 / 0x165b
      signature:
        superblob_length: 421 / 0x1a5
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 365
          sha1: 3d03d6176ef6ec74e00176b0d8a7e34a9ea24286
          sha256: b600c7c2256d898607d1bda7629ac35c046071bac8f32f6e684b014f94116f26
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: com.example.mybundle
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
          - 'Resources (3): e9faf2afbb4ab5548d3531c4b40abdfd59a2d6c2b5834e1980993957ba5bec83'
        cms: null
- path: Contents/MacOS/bin
  file_size: 22544
  file_sha256: 222272e624fadf178495f7eeabdac248a951a0fb1e49002f494dde7067e456c8
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16772 / 0x4184
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 388 / 0x184
      linkedit_bytes_after_signature: 5772 / 0x168c
      signature:
        superblob_length: 372 / 0x174
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 316
          sha1: c86136679b8fb8b73c260c3f5143eb4787ba7408
          sha256: 319e12d5056d6b83506f2a51858ddfd99a244ed7b1bb261d9f7a1befa55239db
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: bin
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null
- path: Contents/MacOS/lib.dylib
  file_size: 22544
  file_sha256: f5bf39926f898f9d8b10749c2c2e02d89e6ca1ab85e5210df86a711afc35f1bd
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16772 / 0x4184
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 388 / 0x184
      linkedit_bytes_after_signature: 5772 / 0x168c
      signature:
        superblob_length: 372 / 0x174
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 316
          sha1: af401622e3c8ad117ef8e8048542a0f6ce3e0d7c
          sha256: df488d463c798ba6e7afbb55d1f86959aefc12753467b49d5a984611e11ec8d0
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: lib
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(0x0)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null
- path: Contents/Resources/non-nested-bin
  file_size: 22544
  file_sha256: 17ee48591c2b454766b3d38e00ba5b342b3695c635c9114aad839117f45e3b38
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16783 / 0x418f
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 399 / 0x18f
      linkedit_bytes_after_signature: 5761 / 0x1681
      signature:
        superblob_length: 383 / 0x17f
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 327
          sha1: c26826707603fb84e28487b5f936799d4edf6377
          sha256: 7b46bdc9c357e9a5ce1b15cd255623667b42772b0f42db78c8b630740caecc86
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: non-nested-bin
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null
- path: Contents/_CodeSignature/CodeResources
  file_size: 2882
  file_sha256: e9faf2afbb4ab5548d3531c4b40abdfd59a2d6c2b5834e1980993957ba5bec83
  entity:
    bundle_code_signature_file: !ResourcesXml
    - <?xml version="1.0" encoding="UTF-8"?>
    - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    - <plist version="1.0">
    - <dict>
    - '  <key>files</key>'
    - '  <dict>'
    - '    <key>Resources/non-nested-bin</key>'
    - '    <data>'
    - '    apwGEW+W2ghwpHtZD2rJ1FcX9d8='
    - '    </data>'
    - '  </dict>'
    - '  <key>files2</key>'
    - '  <dict>'
    - '    <key>MacOS/bin</key>'
    - '    <dict>'
    - '      <key>cdhash</key>'
    - '      <data>'
    - '      MZ4S1QVta4NQbypRhY3f2ZokTtc='
    - '      </data>'
    - '      <key>requirement</key>'
    - '      <string>cdhash H"319e12d5056d6b83506f2a51858ddfd99a244ed7"</string>'
    - '    </dict>'
    - '    <key>MacOS/lib.dylib</key>'
    - '    <dict>'
    - '      <key>cdhash</key>'
    - '      <data>'
    - '      30iNRjx5i6bnr7tV0fhpWa78EnU='
    - '      </data>'
    - '      <key>requirement</key>'
    - '      <string>cdhash H"df488d463c798ba6e7afbb55d1f86959aefc1275"</string>'
    - '    </dict>'
    - '    <key>Resources/non-nested-bin</key>'
    - '    <dict>'
    - '      <key>hash2</key>'
    - '      <data>'
    - '      F+5IWRwrRUdms9OOALpbNCs2lcY1yRFKrYORF/ReOzg='
    - '      </data>'
    - '    </dict>'
    - '  </dict>'
    - '  <key>rules</key>'
    - '  <dict>'
    - '    <key>^Resources/</key>'
    - '    <true/>'
    - '    <key>^Resources/.*/.lproj/</key>'
    - '    <dict>'
    - '      <key>optional</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1000</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/locversion.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1100</real>'
    - '    </dict>'
    - '    <key>^Resources/Base/.lproj/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>1010</real>'
    - '    </dict>'
    - '    <key>^version.plist$</key>'
    - '    <true/>'
    - '  </dict>'
    - '  <key>rules2</key>'
    - '  <dict>'
    - '    <key>.*/.dSYM($|/)</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>11</real>'
    - '    </dict>'
    - '    <key>^(.*/)?/.DS_Store$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>2000</real>'
    - '    </dict>'
    - '    <key>^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/</key>'
    - '    <dict>'
    - '      <key>nested</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>10</real>'
    - '    </dict>'
    - '    <key>^.*</key>'
    - '    <true/>'
    - '    <key>^Info/.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^PkgInfo$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^Resources/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/</key>'
    - '    <dict>'
    - '      <key>optional</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1000</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/locversion.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1100</real>'
    - '    </dict>'
    - '    <key>^Resources/Base/.lproj/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>1010</real>'
    - '    </dict>'
    - '    <key>^[^/]+$</key>'
    - '    <dict>'
    - '      <key>nested</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>10</real>'
    - '    </dict>'
    - '    <key>^embedded/.provisionprofile$</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^version/.plist$</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '  </dict>'
    - </dict>
    - </plist>
    - ''

```