apple-codesign 0.29.0

Pure Rust interface to code signing on Apple platforms
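Binary identifiers in nested Mach-O binaries within bundles are handled correctly: when a bundle is signed, a nested binary's identifier is set from its current path inside the bundle and does not carry over from an earlier signature.

In the transcript below, one slice is first signed as `old-bin-x86_64`, and the universal binary is then signed as `old-bin-name` before being moved to `Contents/MacOS/new-bin`. After the bundle is signed, `print-signature-info` reports `identifier: new-bin` for both architecture slices (`macho-index:0` and `macho-index:1`), while the main executable takes `com.example.mybundle` from `CFBundleIdentifier` in `Info.plist`. Every signature here is ad-hoc (`CodeSignatureFlags(ADHOC)`, `cms: null`), so the output demonstrates identifier handling only, not certificate-backed signing.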

```
$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp
assuming default minimum version 11.0.0
writing Mach-O to MyApp.app/Contents/MacOS/MyApp

$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist
writing MyApp.app/Contents/Info.plist

$ rcodesign debug-create-macho --architecture x86-64 exe.x86_64
assuming default minimum version 11.0.0
writing Mach-O to exe.x86_64

$ rcodesign sign --binary-identifier old-bin-x86_64 exe.x86_64
signing exe.x86_64 in place
signing exe.x86_64 as a Mach-O binary
parsing Mach-O
writing Mach-O to exe.x86_64

$ rcodesign debug-create-macho --architecture aarch64 exe.aarch64
assuming default minimum version 11.0.0
writing Mach-O to exe.aarch64

$ rcodesign macho-universal-create -o old-bin-name exe.x86_64 exe.aarch64
adding exe.x86_64
adding exe.aarch64
writing old-bin-name

$ rcodesign sign old-bin-name
signing old-bin-name in place
signing old-bin-name as a Mach-O binary
setting binary identifier to old-bin-name
parsing Mach-O
writing Mach-O to old-bin-name

$ mv old-bin-name MyApp.app/Contents/MacOS/new-bin

$ rcodesign -v sign MyApp.app MyApp.app.signed
signing MyApp.app to MyApp.app.signed
signing bundle at MyApp.app
signing bundle at MyApp.app into MyApp.app.signed
collecting code resources files
copying file MyApp.app/Contents/Info.plist -> MyApp.app.signed/Contents/Info.plist
sealing nested Mach-O binary: Contents/MacOS/new-bin
signing Mach-O file Contents/MacOS/new-bin
setting binary identifier based on path: new-bin
inferring default signing settings from Mach-O binary
using binary identifier from settings
preserving code signature flags in existing Mach-O signature (CodeSignatureFlags(ADHOC))
using binary identifier from settings
preserving code signature flags in existing Mach-O signature (CodeSignatureFlags(ADHOC))
signing Mach-O binary at index 0
binary targets macOS >= 11.0.0 with SDK 11.0.0
adding code signature flags from signing settings: CodeSignatureFlags(ADHOC)
creating ad-hoc signature
code directory version: 132096
total signature size: 280 bytes
signing Mach-O binary at index 1
binary targets macOS >= 11.0.0 with SDK 11.0.0
adding code signature flags from signing settings: CodeSignatureFlags(ADHOC)
creating ad-hoc signature
code directory version: 132096
total signature size: 376 bytes
writing Mach-O to MyApp.app.signed/Contents/MacOS/new-bin
writing sealed resources to MyApp.app.signed/Contents/_CodeSignature/CodeResources
signing main executable Contents/MacOS/MyApp
setting main executable binary identifier to com.example.mybundle (derived from CFBundleIdentifier in Info.plist)
inferring default signing settings from Mach-O binary
signing Mach-O binary at index 0
binary targets macOS >= 11.0.0 with SDK 11.0.0
creating ad-hoc signature
code directory version: 132096
total signature size: 421 bytes
writing signed main executable to MyApp.app.signed/Contents/MacOS/MyApp

$ rcodesign print-signature-info MyApp.app.signed
- path: Contents/Info.plist
  file_size: 576
  file_sha256: 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5
  entity: other
- path: Contents/MacOS/MyApp
  file_size: 22544
  file_sha256: e1dfbe5e2a27918a25ccbe0971b0b40e96c8a1a031a332e8b9fb79475fe0345a
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16821 / 0x41b5
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 437 / 0x1b5
      linkedit_bytes_after_signature: 5723 / 0x165b
      signature:
        superblob_length: 421 / 0x1a5
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 365
          sha1: c826994bd20c58899a48dbca7e237bcc1940096b
          sha256: ccbff6200513f074b4299064006b820d714a57ad77d06f44924e34c0a6bff910
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: com.example.mybundle
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
          - 'Resources (3): c28145c843d03ba3ddb1c7e5a2029c1e179750bd1be9bfe9ebecb6e7f51922c5'
        cms: null
- path: Contents/MacOS/new-bin
  file_size: 55312
  file_sha256: 177b1b4ff578e3803cade0b792f7ca4537bf94c7ca6844ae584819c118683011
  sub_path: macho-index:0
  entity:
    mach_o:
      macho_linkedit_start_offset: 4096 / 0x1000
      macho_signature_start_offset: 4112 / 0x1010
      macho_signature_end_offset: 4392 / 0x1128
      macho_linkedit_end_offset: 10256 / 0x2810
      macho_end_offset: 10256 / 0x2810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 296 / 0x128
      linkedit_bytes_after_signature: 5864 / 0x16e8
      signature:
        superblob_length: 280 / 0x118
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 224
          sha1: 95cb29468e76eefe3f75aa4a6847bdf4ca44cd30
          sha256: f677a5c4d4239ef741c96b66a5b1356d3d3d8630f4ca91593f2620f80224a549
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: new-bin
          digest_type: sha256
          platform: 0
          signed_entity_size: 4112
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 2
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null
- path: Contents/MacOS/new-bin
  file_size: 55312
  file_sha256: 177b1b4ff578e3803cade0b792f7ca4537bf94c7ca6844ae584819c118683011
  sub_path: macho-index:1
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16776 / 0x4188
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 392 / 0x188
      linkedit_bytes_after_signature: 5768 / 0x1688
      signature:
        superblob_length: 376 / 0x178
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 320
          sha1: 6399ea612a352a77a5e69020d92ff0c3cafc89b5
          sha256: 7c122679cc9f0796e02496f20a9f428468c9fc3e74045530ed1a938745c8ee27
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: new-bin
          digest_type: sha256
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null
- path: Contents/_CodeSignature/CodeResources
  file_size: 2483
  file_sha256: c28145c843d03ba3ddb1c7e5a2029c1e179750bd1be9bfe9ebecb6e7f51922c5
  entity:
    bundle_code_signature_file: !ResourcesXml
    - <?xml version="1.0" encoding="UTF-8"?>
    - <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    - <plist version="1.0">
    - <dict>
    - '  <key>files</key>'
    - '  <dict/>'
    - '  <key>files2</key>'
    - '  <dict>'
    - '    <key>MacOS/new-bin</key>'
    - '    <dict>'
    - '      <key>cdhash</key>'
    - '      <data>'
    - '      9nelxNQjnvdByWtmpbE1bT09hjA='
    - '      </data>'
    - '      <key>requirement</key>'
    - '      <string>(cdhash H"f677a5c4d4239ef741c96b66a5b1356d3d3d8630") or (cdhash H"7c122679cc9f0796e02496f20a9f428468c9fc3e")</string>'
    - '    </dict>'
    - '  </dict>'
    - '  <key>rules</key>'
    - '  <dict>'
    - '    <key>^Resources/</key>'
    - '    <true/>'
    - '    <key>^Resources/.*/.lproj/</key>'
    - '    <dict>'
    - '      <key>optional</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1000</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/locversion.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1100</real>'
    - '    </dict>'
    - '    <key>^Resources/Base/.lproj/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>1010</real>'
    - '    </dict>'
    - '    <key>^version.plist$</key>'
    - '    <true/>'
    - '  </dict>'
    - '  <key>rules2</key>'
    - '  <dict>'
    - '    <key>.*/.dSYM($|/)</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>11</real>'
    - '    </dict>'
    - '    <key>^(.*/)?/.DS_Store$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>2000</real>'
    - '    </dict>'
    - '    <key>^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/</key>'
    - '    <dict>'
    - '      <key>nested</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>10</real>'
    - '    </dict>'
    - '    <key>^.*</key>'
    - '    <true/>'
    - '    <key>^Info/.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^PkgInfo$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^Resources/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/</key>'
    - '    <dict>'
    - '      <key>optional</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1000</real>'
    - '    </dict>'
    - '    <key>^Resources/.*/.lproj/locversion.plist$</key>'
    - '    <dict>'
    - '      <key>omit</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>1100</real>'
    - '    </dict>'
    - '    <key>^Resources/Base/.lproj/</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>1010</real>'
    - '    </dict>'
    - '    <key>^[^/]+$</key>'
    - '    <dict>'
    - '      <key>nested</key>'
    - '      <true/>'
    - '      <key>weight</key>'
    - '      <real>10</real>'
    - '    </dict>'
    - '    <key>^embedded/.provisionprofile$</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '    <key>^version/.plist$</key>'
    - '    <dict>'
    - '      <key>weight</key>'
    - '      <real>20</real>'
    - '    </dict>'
    - '  </dict>'
    - </dict>
    - </plist>
    - ''

```