apple-codesign 0.29.0

Pure Rust interface to code signing on Apple platforms
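# We can force the use of specific digests with `--digest`.

In the first example only `--digest sha1` is given, so the signature carries a single SHA-1 CodeDirectory and no SHA-256 alternate. In the second example `--digest` is passed twice; in the output below SHA-1 is the primary CodeDirectory and SHA-256 appears as `CodeDirectory Alternate #0`.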

```
$ rcodesign debug-create-macho exe
assuming default minimum version 11.0.0
writing Mach-O to exe

$ rcodesign sign --digest sha1 exe exe.signed
signing exe to exe.signed
signing exe as a Mach-O binary
setting binary identifier to exe
parsing Mach-O
writing Mach-O to exe.signed

$ rcodesign print-signature-info exe.signed
- path: exe.signed
  file_size: 22544
  file_sha256: cdc8997042da0032519411d23d678ca453932182c9544393268da381e0205246
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 16688 / 0x4130
      macho_linkedit_end_offset: 22544 / 0x5810
      macho_end_offset: 22544 / 0x5810
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 304 / 0x130
      linkedit_bytes_after_signature: 5856 / 0x16e0
      signature:
        superblob_length: 288 / 0x120
        blob_count: 3
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 232
          sha1: 29a1f2cbaf1a20e9326d3a6ebffb436d6531c98f
          sha256: 908cc01763cfb3f0479a270998b2b7e349d15d0ef6cf88dfbdf8c7b6f8f61bba
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: exe
          digest_type: sha1
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000'
          - 'RequirementSet (2): 3a75f6db058529148e14dd7ea1b4729cc09ec973'
        cms: null

```

```
$ rcodesign debug-create-macho exe
assuming default minimum version 11.0.0
writing Mach-O to exe

$ rcodesign sign --digest sha1 --digest sha256 exe exe.signed
signing exe to exe.signed
signing exe as a Mach-O binary
setting binary identifier to exe
parsing Mach-O
writing Mach-O to exe.signed

$ rcodesign print-signature-info exe.signed
- path: exe.signed
  file_size: 23568
  file_sha256: 3e0e54e0e236947019d851382ebb65c3c4b7939e1c601dc981b8e88fa0e49ef7
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 17012 / 0x4274
      macho_linkedit_end_offset: 23568 / 0x5c10
      macho_end_offset: 23568 / 0x5c10
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 628 / 0x274
      linkedit_bytes_after_signature: 6556 / 0x199c
      signature:
        superblob_length: 612 / 0x264
        blob_count: 4
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 232
          sha1: 4f4a745ee8a3dfe4f9de996f2aa1d6e71f8ad5e6
          sha256: 518625e9dc0e38bf4f9be3dfb17070091a091e3643dc89215ae17feeac66069b
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: 'CodeDirectory Alternate #0 (4096)'
          magic: fade0c02
          length: 316
          sha1: a222eac2fc2818e7d09eadcfef8800940f50ea4e
          sha256: 226de56fa11db31547a694be8ec4ff1e592b3e554949865689fa444924f6a5d4
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: exe
          digest_type: sha1
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000'
          - 'RequirementSet (2): 3a75f6db058529148e14dd7ea1b4729cc09ec973'
        alternative_code_directories:
        - - 'CodeDirectory Alternate #0 (4096)'
          - version: '0x20400'
            flags: CodeSignatureFlags(ADHOC)
            identifier: exe
            digest_type: sha256
            platform: 0
            signed_entity_size: 16400
            executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
            code_digests_count: 5
            slot_digests:
            - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
            - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null

```

# Signing a binary that supports an old macOS version automatically adds SHA-1 digests.

```
$ rcodesign debug-create-macho --minimum-os-version 10.11.3 exe
writing Mach-O to exe

$ rcodesign sign exe exe.signed
signing exe to exe.signed
signing exe as a Mach-O binary
setting binary identifier to exe
parsing Mach-O
writing Mach-O to exe.signed

$ rcodesign print-signature-info exe.signed
- path: exe.signed
  file_size: 23568
  file_sha256: 55c1916f7737031457bd6cf921e72de7a6060e6a5416cb398de373a429df35cd
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 17012 / 0x4274
      macho_linkedit_end_offset: 23568 / 0x5c10
      macho_end_offset: 23568 / 0x5c10
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 628 / 0x274
      linkedit_bytes_after_signature: 6556 / 0x199c
      signature:
        superblob_length: 612 / 0x264
        blob_count: 4
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 232
          sha1: 924ad4febb532fcc1768161281b840747b312bd5
          sha256: 0e4ae94cde8c28c6d0e1c156618602d99ad13661de603df665262a126987eaf2
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: 'CodeDirectory Alternate #0 (4096)'
          magic: fade0c02
          length: 316
          sha1: 3541576a4eb2b0474bc59c614d2e3fe2459aae0b
          sha256: aaafdd1ab8ef8ae97c11f8501a5cd923899657424f065be1b4e91941c4b803ba
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: exe
          digest_type: sha1
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000'
          - 'RequirementSet (2): 3a75f6db058529148e14dd7ea1b4729cc09ec973'
        alternative_code_directories:
        - - 'CodeDirectory Alternate #0 (4096)'
          - version: '0x20400'
            flags: CodeSignatureFlags(ADHOC)
            identifier: exe
            digest_type: sha256
            platform: 0
            signed_entity_size: 16400
            executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
            code_digests_count: 5
            slot_digests:
            - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
            - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null

```

# Signing a binary without Mach-O targeting adds SHA-1 digests.

```
$ rcodesign debug-create-macho --no-targeting exe
writing Mach-O to exe

$ rcodesign sign exe exe.signed
signing exe to exe.signed
signing exe as a Mach-O binary
setting binary identifier to exe
parsing Mach-O
writing Mach-O to exe.signed

$ rcodesign print-signature-info exe.signed
- path: exe.signed
  file_size: 23568
  file_sha256: 188bcc6537912c2fa3b7db65d6ccec0053d0d680b35a0a3a18c7cfe0bee56687
  entity:
    mach_o:
      macho_linkedit_start_offset: 16384 / 0x4000
      macho_signature_start_offset: 16400 / 0x4010
      macho_signature_end_offset: 17012 / 0x4274
      macho_linkedit_end_offset: 23568 / 0x5c10
      macho_end_offset: 23568 / 0x5c10
      linkedit_signature_start_offset: 16 / 0x10
      linkedit_signature_end_offset: 628 / 0x274
      linkedit_bytes_after_signature: 6556 / 0x199c
      signature:
        superblob_length: 612 / 0x264
        blob_count: 4
        blobs:
        - slot: CodeDirectory (0)
          magic: fade0c02
          length: 232
          sha1: 065debcf801fabfb5915636fd16f4a7018da2f40
          sha256: fa9a4ab20228af9d52544f9f021e8d3bd02b9a8bc38ebcd3787b167d41189ffc
        - slot: RequirementSet (2)
          magic: fade0c01
          length: 12
          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
        - slot: 'CodeDirectory Alternate #0 (4096)'
          magic: fade0c02
          length: 316
          sha1: 7fb8e0032e6368d4456cd1c0fc148a02f030b610
          sha256: 6b30a1e0f8780390d0ca3276cac2e0b3ae498d3b8986cc127cd4565314b07750
        - slot: CMS Signature (65536)
          magic: fade0b01
          length: 8
          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
        code_directory:
          version: '0x20400'
          flags: CodeSignatureFlags(ADHOC)
          identifier: exe
          digest_type: sha1
          platform: 0
          signed_entity_size: 16400
          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
          code_digests_count: 5
          slot_digests:
          - 'Info (1): 0000000000000000000000000000000000000000'
          - 'RequirementSet (2): 3a75f6db058529148e14dd7ea1b4729cc09ec973'
        alternative_code_directories:
        - - 'CodeDirectory Alternate #0 (4096)'
          - version: '0x20400'
            flags: CodeSignatureFlags(ADHOC)
            identifier: exe
            digest_type: sha256
            platform: 0
            signed_entity_size: 16400
            executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
            code_digests_count: 5
            slot_digests:
            - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
            - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        cms: null

```