[tor-dev] [FWD: Re: Apple developer account + codesigning]

Conrad Kramer ckrames1234 at gmail.com
Tue Oct 27 22:03:18 UTC 2015


> On Oct 27, 2015, at 5:32 AM, Mike Perry <mikeperry at torproject.org> wrote:
> 
> Tim Wilson-Brown - teor:
>> 
>>> On 27 Oct 2015, at 20:06, Mike Perry <mikeperry at torproject.org> wrote:
>>> 
>>> teor:
>>>> 
>>>> On 27 Oct 2015, at 05:41, Conrad Kramer <ckrames1234 at gmail.com> wrote:
>>>> 
>>>>>> On Oct 26, 2015, at 11:22 AM, Spencer <spencerone at openmailbox.org> wrote:
>>>>>> 
>>>>>> Hi,
>>>>>> 
>>>>>>> Conrad Kramer:
>>>>>>> All resources in a bundle (e.g. an app or framework) are
>>>>>>> signed and the signatures are stored in a file named "CodeResources":
>>>>>> 
>>>>>> Then what is in 'CodeSignature', Apple's signing stuff?
>>>>> 
>>>>> The `_CodeSignature` folder currently only contains the `CodeResources` file.
>>>>> The `CodeResources` file is simple XML.
>>>>> 
>>>>> The executables have their own signature in the `LC_CODE_SIGNATURE` load
>>>>> command in the Mach-O binary.
>>>> 
>>>> ...
>>> What we have done on Windows is to provide instructions for users to use
>>> osslsigncode to remove the signatures if they wish to check what they
>>> downloaded against a reproduced build. When the Windows signatures are
>>> removed, the resulting de-signed files will have the same sha256sums as
>>> the official builds:
>>> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification
>>> 
>>> We want to do this for MacOSX as well. Does anyone happen to know if we can
>>> use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
>>> and get the same exact binary as before signing?
>>> 
>>> ...
>> 
>> otool will display sections, but it won’t modify the binary.
>> 
>> strip -no_uuid strips the UUID section, and strip -c creates a stub library by stripping the code signature and all section (code) contents. But it can't strip LC_CODE_SIGNATURE sections without stripping all the code as well.
>> 
>> There's no documented Apple tool to strip code signatures.
>> But the codesign tool itself has an undocumented option to remove signatures:
>> 
>>> codesign has several operations and options that are purposely left
>>>     undocumented in this manual page because they are either experimental
>>>     (and subject to change at any time), or unadvised to the unwary.  The
>>>     interminably curious are referred to the published source code.
>> 
>> 
>> https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp
>>> { "remove-signature", no_argument,		NULL, optRemoveSignature },
>>> 			case optRemoveSignature:
>>> 				signerName = NULL;
>>> 				operation = doSign;		// well, un-sign
>> Unfortunately, I can't seem to get that option to work - perhaps others will have better luck:
>> 
>> $ codesign --remove-signature /.../TestSignature.app/Contents/MacOS/TestSignature
>> /.../TestSignature.app/Contents/MacOS/TestSignature: unsupported type or version of signature
>> $ codesign --remove-signature /.../TestSignature.app
>> /.../TestSignature.app: unsupported type or version of signature
>> $ codesign --remove-signature /.../TestSignature.app/Contents/_CodeSignature/CodeResources
>> (Prints nothing, leaves CodeResources unchanged.)
>> 
>> TestSignature is the OS X Objective C app template signed by "-" (local, default identity).
>> 
>> I wonder if it only strips v1 signatures, and hasn't been updated for v2 signatures?
>> (I'm on 10.10.5 with Xcode 7.1, perhaps other versions of codesign will work.)
>> 
>> I've been working off this Apple code signing documentation:
>> https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211
>> 
>> 
>> Mozilla has solved a related problem by adding striptease (an enhanced strip command) to their build process:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=411954
>> https://github.com/mackyle/striptease
>> 
>> striptease will strip code signatures, but it's an external tool, so that's not an ideal dependency.
> 
> Ah, nice. While looking today, I also found:
> https://github.com/Tyilo/insert_dylib#removing-code-signature
> 
> And another, far more sketchy tool:
> http://www.insanelymac.com/forum/topic/293359-tool-to-remove-apple-code-signatures-from-binaries/
> 
> In general, I think external tools are fine, if we can get them to work
> reproducibly (in either the removal direction, or in the addition
> direction that Lunar suggested).

I think it makes sense to ship the binary with the signature in it (and remove
it to test reproducibility) if that’s the only way for Gatekeeper to validate
the app.

I’ve written code to manually extract the entitlements from a binary before, so
I am familiar with how to go about making a tool to remove the code signature.
The signature format is documented in the code of Jay Freeman’s cross-platform
`ldid` tool, which is used to “fakesign” binaries for jailbroken devices:
http://gitweb.saurik.com/ldid.git, http://www.saurik.com/id/8

The code is a solid base to work with, and I could probably add functionality
to remove the signature. If it’s as simple as axing the entire
`LC_CODE_SIGNATURE` command, then that’s relatively straightforward.

I’ve been personally meaning to add Mach-O support to diffoscope as well,
so I should probably do that, as it would be extremely helpful for this endeavor.

I will also investigate the possibility of using detached signatures.


Conrad

> I'm also wondering if we can add detached code signatures from codesign
> to a plist or other XML property inside the .app folder. That would make
> all of this better, if it works. Then performing the check is as simple
> as removing the detached sigs and altering metadata.
> 
> 
> --
> Mike Perry
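An added illustration (not Conrad's, ldid's, or the Tor project's code) of what "axing the entire LC_CODE_SIGNATURE command" involves for the build-verification use case: walk the load commands of a thin 64-bit Mach-O, drop that command, and shrink __LINKEDIT so the signature blob at the file tail goes away. The Mach-O input is constructed inline; a real de-signed binary can still differ from the pre-signing build in padding or vmsize rounding, so compare the result with a diff tool rather than assuming byte equality.

```python
import struct

MH_MAGIC_64, LC_SEGMENT_64, LC_CODE_SIGNATURE = 0xFEEDFACF, 0x19, 0x1D
HDR = "<IiiIIIII"  # magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved
HDR_SIZE = struct.calcsize(HDR)

def load_commands(buf):
    """Yield (offset, cmd, cmdsize) for each load command of a thin 64-bit Mach-O."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from(HDR, buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only little-endian 64-bit thin Mach-O is handled here")
    off = HDR_SIZE
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        yield off, cmd, cmdsize
        off += cmdsize

def strip_code_signature(data):
    """Return a copy of data with LC_CODE_SIGNATURE and its signature blob removed."""
    buf = bytearray(data)
    sig = [lc for lc in load_commands(buf) if lc[1] == LC_CODE_SIGNATURE]
    if not sig:
        return bytes(buf)
    off, _, cmdsize = sig[0]
    dataoff, datasize = struct.unpack_from("<II", buf, off + 8)  # linkedit_data_command
    hdr = list(struct.unpack_from(HDR, buf, 0))
    end = HDR_SIZE + hdr[5]
    # Slide later load commands over the removed one and zero the freed tail, so the
    # header keeps its size (codesign used that padding to fit the command).
    buf[off:end - cmdsize] = buf[off + cmdsize:end]
    buf[end - cmdsize:end] = bytes(cmdsize)
    hdr[4] -= 1
    hdr[5] -= cmdsize
    struct.pack_into(HDR, buf, 0, *hdr)
    # The blob sits at the tail of __LINKEDIT: shrink filesize and drop the bytes (vmsize is left alone).
    for seg_off, cmd, _ in load_commands(buf):
        name = bytes(buf[seg_off + 8:seg_off + 24]).rstrip(b"\0")
        if cmd == LC_SEGMENT_64 and name == b"__LINKEDIT":
            fileoff, filesize = struct.unpack_from("<QQ", buf, seg_off + 40)
            if fileoff + filesize == dataoff + datasize == len(buf):
                struct.pack_into("<Q", buf, seg_off + 48, dataoff - fileoff)
                del buf[dataoff:]
    return bytes(buf)

def build_sample(signed):
    """Constructed test input, not a real binary: a __LINKEDIT segment with a fake symbol table."""
    linkedit_off, table = 128, b"S" * 16
    blob = b"\xfa\xde\x0c\xc0" + bytes(12) if signed else b""  # CSMAGIC_EMBEDDED_SIGNATURE
    cmds = struct.pack("<II16sQQQQIIII", LC_SEGMENT_64, 72, b"__LINKEDIT", 0x1000, 0x1000,
                       linkedit_off, len(table) + len(blob), 7, 1, 0, 0)
    if signed:
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, linkedit_off + len(table), len(blob))
    else:
        cmds += bytes(16)  # the header padding the linker left for codesign's command
    ncmds = 2 if signed else 1
    hdr = struct.pack(HDR, MH_MAGIC_64, 0x01000007, 3, 2, ncmds, 72 + 16 * (ncmds - 1), 0, 0)
    head = hdr + cmds
    return head + bytes(linkedit_off - len(head)) + table + blob
```

For a real binary, read the Mach-O file into bytes, pass it to strip_code_signature, and compare the result against the reproduced build; fat (universal) binaries would first need to be split into their thin slices.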
