[tor-dev] [FWD: Re: Apple developer account + codesigning]

Conrad Kramer ckrames1234 at gmail.com
Wed Oct 28 00:29:38 UTC 2015 

> On Oct 27, 2015, at 3:03 PM, Conrad Kramer <ckrames1234 at gmail.com> wrote:
> 
>> 
>> On Oct 27, 2015, at 5:32 AM, Mike Perry <mikeperry at torproject.org> wrote:
>> 
>> Tim Wilson-Brown - teor:
>>> 
>>>> On 27 Oct 2015, at 20:06, Mike Perry <mikeperry at torproject.org> wrote:
>>>> 
>>>> teor:
>>>>> 
>>>>> On 27 Oct 2015, at 05:41, Conrad Kramer <ckrames1234 at gmail.com> wrote:
>>>>> 
>>>>>>> On Oct 26, 2015, at 11:22 AM, Spencer <spencerone at openmailbox.org> wrote:
>>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>>> Conrad Kramer:
>>>>>>>> All resources in a bundle (e.g. an app or framework) are
>>>>>>>> signed and the signatures are stored in a file named "CodeResources”:
>>>>>>> 
>>>>>>> Then what is in 'CodeSignature', Apple's signing stuff?
>>>>>> 
>>>>>> The `_CodeSignature` folder currently only contains the `CodeResources` file.
>>>>>> The `CodeResources` file is simple XML.
>>>>>> 
>>>>>> The executables have their own signature in the `LC_CODE_SIGNATURE` load
>>>>>> command in the Mach-O binary.
>>>>> 
>>>>> ...
>>>> What we have done on Windows is to provide instructions for users to use
>>>> osslsigncode to remove the signatures if they wish to check what they
>>>> downloaded against a reproduced build. When the Windows signatures are
>>>> removed, the resulting de-signed files will have the same sha256sums as
>>>> the official builds:
>>>> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification <https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification>
>>>> 
>>>> We want to do this for MacOSX as well. Does anyone happen to know if we can
>>>> use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
>>>> and get the same exact binary as before signing?
>>>> 
>>>> ...
>>> 
>>> otool will display sections, but it won’t modify the binary.
>>> 
>>> strip -no_uuid strips the UUID section, and strip -c creates a stub library by stripping the code signature and all section (code) contents. But it can't strip LC_CODE_SIGNATURE sections without stripping all the code as well.
>>> 
>>> There's no documented Apple tool to strip code signatures.
>>> But the codesign tool itself has an undocumented option to remove signatures:
>>> 
>>>> codesign has several operations and options that are purposely left
>>>>    undocumented in this manual page because they are either experimental
>>>>    (and subject to change at any time), or unadvised to the unwary.  The
>>>>    interminably curious are referred to the published source code.
>>> 
>>> 
>>> https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp<https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp>
>>>> { "remove-signature", no_argument,		NULL, optRemoveSignature },
>>>> 			case optRemoveSignature:
>>>> 				signerName = NULL;
>>>> 				operation = doSign;		// well, un-sign
>>> Unfortunately, I can't seem to get that option to work - perhaps others will have better luck:
>>> 
>>> $ codesign --remove-signature /.../TestSignature.app/Contents/MacOS/TestSignature
>>> /.../TestSignature.app/Contents/MacOS/TestSignature: unsupported type or version of signature
>>> $ codesign --remove-signature /.../TestSignature.app
>>> /.../TestSignature.app: unsupported type or version of signature
>>> $ codesign --remove-signature /.../TestSignature.app/Contents/_CodeSignature/CodeResources
>>> (Prints nothing, leaves CodeResources unchanged.)
>>> 
>>> TestSignature is the OS X Objective C app template signed by "-" (local, default identity).
>>> 
>>> I wonder if it only strips v1 signatures, and hasn't been updated for v2 signatures?
>>> (I'm on 10.10.5 with Xcode 7.1, perhaps other versions of codesign will work.)
>>> 
>>> I've been working off this Apple code signing documentation:
>>> https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211<https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211>
>>> 
>>> 
>>> Mozilla has solved a related problem by adding striptease (an enhanced strip command) to their build process:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=411954 <https://bugzilla.mozilla.org/show_bug.cgi?id=411954>
>>> https://github.com/mackyle/striptease <https://github.com/mackyle/striptease>
>>> 
>>> striptease will strip code signatures, but it's an external tool, so that's not an ideal dependency.
>> 
>> Ah, nice. While looking today, I also found:
>> https://github.com/Tyilo/insert_dylib#removing-code-signature
>> 
>> And another, far more sketchy tool:
>> http://www.insanelymac.com/forum/topic/293359-tool-to-remove-apple-code-signatures-from-binaries/
>> 
>> In general, I think external tools are fine, if we can get them to work
>> reproducibly (in either the removal direction, or in the addition
>> direction that Lunar suggested).
> 
> I think it makes sense to ship the binary with the signature in it (and remove
> it to test reproducibility) if that’s the only way for Gatekeeper to validate
> the app.
> 
> I’ve written code to manually extract the entitlements from a binary before, so
> I am familiar with how to go about making a tool to remove the code signature.
> The signature format is documented in the code of Jay Freeman’s cross-platform
> `ldid` tool, which is used to “fakesign” binaries for jailbroken devices:
> http://gitweb.saurik.com/ldid.git, http://www.saurik.com/id/8

Sorry to double post, but I stand corrected: ldid already supports stripping
code signatures, and Jay made it “really really good” in the last few
months. He knows a lot about codesigning, so I am getting his feedback
on a good approach.


Conrad

> The code is a solid base to work with, and I could probably add functionality
> to remove the signature. If it’s as simple as axing the entire
> `LC_CODE_SIGNATURE` command, then that’s relatively straightforward.
> 
> I’ve been personally meaning to add Mach-O support to diffoscope as well,
> so I should probably do that, as it would be extremely helpful for this endeavor.
> 
> I will also investigate the possibility of using detached signatures.
> 
> 
> Conrad
> 
>> I'm also wondering if we can add detached code signatures from codesign
>> to a plist or other XML property inside the .app folder. That would make
>> all of this better, if it works. Then performing the check is as simple
>> as removing the detached sigs and altering metadata.
>> 
>> 
>> --
>> Mike Perry
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev at lists.torproject.org
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20151027/eaaedbfe/attachment.sig>

More information about the tor-dev mailing list