isideload-apple-codesign 0.29.2

Pure Rust interface to code signing on Apple platforms
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277

--exclude skips signing a nested bundle


```
$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/MyApp


$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist

writing MyApp.app/Contents/Info.plist

$ rcodesign debug-create-macho --file-type dylib MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework


$ rcodesign debug-create-info-plist --bundle-name MyFramework MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/A/Resources/Info.plist

writing MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/A/Resources/Info.plist

$ ln -s A MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/Current

$ ln -s Versions/Current/Resources MyApp.app/Contents/Frameworks/MyFramework.framework/Resources


$ rcodesign sign --exclude 'Contents/Frameworks/MyFramework.framework' MyApp.app MyApp.app.NoMyFramework

signing MyApp.app to MyApp.app.NoMyFramework

signing bundle at MyApp.app

signing 2 nested bundles in the following order:

Contents/Frameworks/MyFramework.framework/Versions/A
Contents/Frameworks/MyFramework.framework
entering nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

signing bundle at MyApp.app/Contents/Frameworks/MyFramework.framework/Versions/A into MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A

signing main executable MyFramework

leaving nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

entering nested bundle Contents/Frameworks/MyFramework.framework

bundle is in exclusion list; it will be copied instead of signed

leaving nested bundle Contents/Frameworks/MyFramework.framework

signing bundle at MyApp.app into MyApp.app.NoMyFramework

could not find main executable of presumed nested bundle: Contents/Frameworks/MyFramework.framework

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoMyFramework

d                      MyApp.app.NoMyFramework/
d                      MyApp.app.NoMyFramework/Contents
d                      MyApp.app.NoMyFramework/Contents/Frameworks
d                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework
l                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Resources -> Versions/Current/Resources

d                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions
d                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A
f 6249a5455b5d60d322dc MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework

d                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A/Resources
f 53c337af0bf7c0762126 MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A/Resources/Info.plist

d                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A/_CodeSignature
f 6d524dfa68ea926bcc0e MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/A/_CodeSignature/CodeResources

l                      MyApp.app.NoMyFramework/Contents/Frameworks/MyFramework.framework/Versions/Current -> A

f 0a5902dc8e47f490d038 MyApp.app.NoMyFramework/Contents/Info.plist

d                      MyApp.app.NoMyFramework/Contents/MacOS
f 5320635ab22c67638660 MyApp.app.NoMyFramework/Contents/MacOS/MyApp

d                      MyApp.app.NoMyFramework/Contents/_CodeSignature
f 6686de10a28a2fe11b36 MyApp.app.NoMyFramework/Contents/_CodeSignature/CodeResources


$ rcodesign sign --exclude 'Contents/Frameworks/MyFramework.framework/**' MyApp.app MyApp.app.NoMyFrameworkDoubleWild

signing MyApp.app to MyApp.app.NoMyFrameworkDoubleWild

signing bundle at MyApp.app

signing 2 nested bundles in the following order:

Contents/Frameworks/MyFramework.framework/Versions/A
Contents/Frameworks/MyFramework.framework
entering nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

bundle is in exclusion list; it will be copied instead of signed

leaving nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

entering nested bundle Contents/Frameworks/MyFramework.framework

signing bundle at MyApp.app/Contents/Frameworks/MyFramework.framework into MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework

leaving nested bundle Contents/Frameworks/MyFramework.framework

signing bundle at MyApp.app into MyApp.app.NoMyFrameworkDoubleWild

could not find main executable of presumed nested bundle: Contents/Frameworks/MyFramework.framework

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoMyFrameworkDoubleWild

d                      MyApp.app.NoMyFrameworkDoubleWild/
d                      MyApp.app.NoMyFrameworkDoubleWild/Contents
d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks
d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework
l                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Resources -> Versions/Current/Resources

d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions
d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A
f 8d89209153a67993e6ee MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework

d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/Resources
f 53c337af0bf7c0762126 MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/Resources/Info.plist

l                      MyApp.app.NoMyFrameworkDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/Current -> A

f 0a5902dc8e47f490d038 MyApp.app.NoMyFrameworkDoubleWild/Contents/Info.plist

d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/MacOS
f 5320635ab22c67638660 MyApp.app.NoMyFrameworkDoubleWild/Contents/MacOS/MyApp

d                      MyApp.app.NoMyFrameworkDoubleWild/Contents/_CodeSignature
f 6686de10a28a2fe11b36 MyApp.app.NoMyFrameworkDoubleWild/Contents/_CodeSignature/CodeResources


$ rcodesign sign --exclude 'Contents/Frameworks/**' MyApp.app MyApp.app.NoFrameworksDoubleWild

signing MyApp.app to MyApp.app.NoFrameworksDoubleWild

signing bundle at MyApp.app

signing 2 nested bundles in the following order:

Contents/Frameworks/MyFramework.framework/Versions/A
Contents/Frameworks/MyFramework.framework
entering nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

bundle is in exclusion list; it will be copied instead of signed

leaving nested bundle Contents/Frameworks/MyFramework.framework/Versions/A

entering nested bundle Contents/Frameworks/MyFramework.framework

bundle is in exclusion list; it will be copied instead of signed

leaving nested bundle Contents/Frameworks/MyFramework.framework

signing bundle at MyApp.app into MyApp.app.NoFrameworksDoubleWild

could not find main executable of presumed nested bundle: Contents/Frameworks/MyFramework.framework

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoFrameworksDoubleWild

d                      MyApp.app.NoFrameworksDoubleWild/
d                      MyApp.app.NoFrameworksDoubleWild/Contents
d                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks
d                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework
l                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Resources -> Versions/Current/Resources

d                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions
d                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A
f 8d89209153a67993e6ee MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/MyFramework

d                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/Resources
f 53c337af0bf7c0762126 MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/A/Resources/Info.plist

l                      MyApp.app.NoFrameworksDoubleWild/Contents/Frameworks/MyFramework.framework/Versions/Current -> A

f 0a5902dc8e47f490d038 MyApp.app.NoFrameworksDoubleWild/Contents/Info.plist

d                      MyApp.app.NoFrameworksDoubleWild/Contents/MacOS
f 5320635ab22c67638660 MyApp.app.NoFrameworksDoubleWild/Contents/MacOS/MyApp

d                      MyApp.app.NoFrameworksDoubleWild/Contents/_CodeSignature
f 6686de10a28a2fe11b36 MyApp.app.NoFrameworksDoubleWild/Contents/_CodeSignature/CodeResources


$ rm -rf MyApp.app


```

Validate exclusion of Mach-O binaries


```
$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/MyApp


$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/macos-bin

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/macos-bin


$ rcodesign debug-create-macho MyApp.app/Contents/Resources/resource-bin

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/Resources/resource-bin


$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist

writing MyApp.app/Contents/Info.plist

$ rcodesign sign --exclude Contents/MacOS/macos-bin MyApp.app MyApp.app.NoMacOSBin

? 1
signing MyApp.app to MyApp.app.NoMacOSBin

signing bundle at MyApp.app

signing bundle at MyApp.app into MyApp.app.NoMacOSBin

skipping signing of nested Mach-O binary because excluded by settings: Contents/MacOS/macos-bin

(an error will occur if this binary is not already signed)

(if you see an error, sign that Mach-O explicitly or remove it from the exclusion settings)

Error: binary does not have code signature data


$ rcodesign sign MyApp.app/Contents/MacOS/macos-bin

signing MyApp.app/Contents/MacOS/macos-bin in place

signing MyApp.app/Contents/MacOS/macos-bin as a Mach-O binary

setting binary identifier to macos-bin

parsing Mach-O
writing Mach-O to MyApp.app/Contents/MacOS/macos-bin


$ rcodesign sign --exclude Contents/MacOS/macos-bin MyApp.app MyApp.app.NoMacOSBin

signing MyApp.app to MyApp.app.NoMacOSBin

signing bundle at MyApp.app

signing bundle at MyApp.app into MyApp.app.NoMacOSBin

skipping signing of nested Mach-O binary because excluded by settings: Contents/MacOS/macos-bin

(an error will occur if this binary is not already signed)

(if you see an error, sign that Mach-O explicitly or remove it from the exclusion settings)

signing Mach-O file Contents/Resources/resource-bin

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoMacOSBin

d                      MyApp.app.NoMacOSBin/
d                      MyApp.app.NoMacOSBin/Contents
f 0a5902dc8e47f490d038 MyApp.app.NoMacOSBin/Contents/Info.plist

d                      MyApp.app.NoMacOSBin/Contents/MacOS
f 83e61e1e1c3407ff46d1 MyApp.app.NoMacOSBin/Contents/MacOS/MyApp

f 90dd49841af359158311 MyApp.app.NoMacOSBin/Contents/MacOS/macos-bin

d                      MyApp.app.NoMacOSBin/Contents/Resources
f 30b6fef6ae310318e47f MyApp.app.NoMacOSBin/Contents/Resources/resource-bin

d                      MyApp.app.NoMacOSBin/Contents/_CodeSignature
f 0acb1d044d421846ebc7 MyApp.app.NoMacOSBin/Contents/_CodeSignature/CodeResources


$ rcodesign sign --exclude Contents/Resources/resource-bin MyApp.app MyApp.app.NoResourcesBin

signing MyApp.app to MyApp.app.NoResourcesBin

signing bundle at MyApp.app

signing bundle at MyApp.app into MyApp.app.NoResourcesBin

signing Mach-O file Contents/MacOS/macos-bin

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoResourcesBin

d                      MyApp.app.NoResourcesBin/
d                      MyApp.app.NoResourcesBin/Contents
f 0a5902dc8e47f490d038 MyApp.app.NoResourcesBin/Contents/Info.plist

d                      MyApp.app.NoResourcesBin/Contents/MacOS
f 322195d604cd3061f59d MyApp.app.NoResourcesBin/Contents/MacOS/MyApp

f 90dd49841af359158311 MyApp.app.NoResourcesBin/Contents/MacOS/macos-bin

d                      MyApp.app.NoResourcesBin/Contents/Resources
f 4cfaf70bc9fb6827fcf7 MyApp.app.NoResourcesBin/Contents/Resources/resource-bin

d                      MyApp.app.NoResourcesBin/Contents/_CodeSignature
f a1c3ba13551ece11eda7 MyApp.app.NoResourcesBin/Contents/_CodeSignature/CodeResources


$ rm -rf MyApp.app


```

Exclude a Mach-O in a nested bundle


```
$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/MyApp

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/MyApp


$ rcodesign debug-create-info-plist --bundle-name MyApp MyApp.app/Contents/Info.plist

writing MyApp.app/Contents/Info.plist

$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/Extra

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/Extra


$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin


$ rcodesign sign MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin

signing MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin in place

signing MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin as a Mach-O binary

setting binary identifier to extra-bin

parsing Mach-O
writing Mach-O to MyApp.app/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin


$ rcodesign debug-create-macho MyApp.app/Contents/MacOS/Extra.app/Contents/Resources/resource-bin

assuming default minimum version 11.0.0

writing Mach-O to MyApp.app/Contents/MacOS/Extra.app/Contents/Resources/resource-bin


$ rcodesign debug-create-info-plist --bundle-name Extra MyApp.app/Contents/MacOS/Extra.app/Contents/Info.plist

writing MyApp.app/Contents/MacOS/Extra.app/Contents/Info.plist

$ rcodesign sign --exclude Contents/MacOS/Extra.app/Contents/MacOS/extra-bin --exclude Contents/MacOS/Extra.app/Contents/Resources/resource-bin MyApp.app MyApp.app.NoExtraBin

signing MyApp.app to MyApp.app.NoExtraBin

signing bundle at MyApp.app

signing 1 nested bundles in the following order:

Contents/MacOS/Extra.app
entering nested bundle Contents/MacOS/Extra.app

signing bundle at MyApp.app/Contents/MacOS/Extra.app into MyApp.app.NoExtraBin/Contents/MacOS/Extra.app

skipping signing of nested Mach-O binary because excluded by settings: Contents/MacOS/extra-bin

(an error will occur if this binary is not already signed)

(if you see an error, sign that Mach-O explicitly or remove it from the exclusion settings)

signing main executable Contents/MacOS/Extra

leaving nested bundle Contents/MacOS/Extra.app

signing bundle at MyApp.app into MyApp.app.NoExtraBin

signing main executable Contents/MacOS/MyApp


$ rcodesign debug-file-tree MyApp.app.NoExtraBin

d                      MyApp.app.NoExtraBin/
d                      MyApp.app.NoExtraBin/Contents
f 0a5902dc8e47f490d038 MyApp.app.NoExtraBin/Contents/Info.plist

d                      MyApp.app.NoExtraBin/Contents/MacOS
d                      MyApp.app.NoExtraBin/Contents/MacOS/Extra.app
d                      MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents
f 63154cc4f75820c926eb MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/Info.plist

d                      MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/MacOS
f 0c02af539846df8f4e94 MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/MacOS/Extra

f c83cc7362ebbacb94ac0 MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/MacOS/extra-bin

d                      MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/Resources
f 4cfaf70bc9fb6827fcf7 MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/Resources/resource-bin

d                      MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/_CodeSignature
f 596d62f4669d89f6bc8e MyApp.app.NoExtraBin/Contents/MacOS/Extra.app/Contents/_CodeSignature/CodeResources

f 1efc495c2cb290e5b2d3 MyApp.app.NoExtraBin/Contents/MacOS/MyApp

d                      MyApp.app.NoExtraBin/Contents/_CodeSignature
f c9a63c1dbccfd48e50b5 MyApp.app.NoExtraBin/Contents/_CodeSignature/CodeResources


$ rm -rf MyApp.app

```