> On Oct 27, 2015, at 3:03 PM, Conrad Kramer <ckrames1234@xxxxxxxxx> wrote:
>
>>
>> On Oct 27, 2015, at 5:32 AM, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>>
>> Tim Wilson-Brown - teor:
>>>
>>>> On 27 Oct 2015, at 20:06, Mike Perry <mikeperry@xxxxxxxxxxxxxx> wrote:
>>>>
>>>> teor:
>>>>>
>>>>> On 27 Oct 2015, at 05:41, Conrad Kramer <ckrames1234@xxxxxxxxx> wrote:
>>>>>
>>>>>>> On Oct 26, 2015, at 11:22 AM, Spencer <spencerone@xxxxxxxxxxxxxxx> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> Conrad Kramer:
>>>>>>>> All resources in a bundle (e.g. an app or framework) are
>>>>>>>> signed and the signatures are stored in a file named "CodeResources":
>>>>>>>
>>>>>>> Then what is in 'CodeSignature', Apple's signing stuff?
>>>>>>
>>>>>> The `_CodeSignature` folder currently only contains the `CodeResources` file.
>>>>>> The `CodeResources` file is simple XML.
>>>>>>
>>>>>> The executables have their own signature in the `LC_CODE_SIGNATURE` load
>>>>>> command in the Mach-O binary.
>>>>>
>>>>> ...
>>>> What we have done on Windows is to provide instructions for users to use
>>>> osslsigncode to remove the signatures if they wish to check what they
>>>> downloaded against a reproduced build. When the Windows signatures are
>>>> removed, the resulting de-signed files will have the same sha256sums as
>>>> the official builds:
>>>> https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification
>>>>
>>>> We want to do this for MacOSX as well. Does anyone happen to know if we can
>>>> use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
>>>> and get the same exact binary as before signing?
>>>>
>>>> ...
>>>
>>> otool will display sections, but it won't modify the binary.
>>>
>>> strip -no_uuid strips the UUID section, and strip -c creates a stub library by stripping the code signature and all section (code) contents.
>>> But it can't strip LC_CODE_SIGNATURE sections without stripping all the code as well.
>>>
>>> There's no documented Apple tool to strip code signatures.
>>> But the codesign tool itself has an undocumented option to remove signatures:
>>>
>>>> codesign has several operations and options that are purposely left
>>>> undocumented in this manual page because they are either experimental
>>>> (and subject to change at any time), or unadvised to the unwary. The
>>>> interminably curious are referred to the published source code.
>>>
>>>
>>> https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp
>>>> { "remove-signature", no_argument, NULL, optRemoveSignature },
>>>> case optRemoveSignature:
>>>> signerName = NULL;
>>>> operation = doSign; // well, un-sign
>>> Unfortunately, I can't seem to get that option to work - perhaps others will have better luck:
>>>
>>> $ codesign --remove-signature /.../TestSignature.app/Contents/MacOS/TestSignature
>>> /.../TestSignature.app/Contents/MacOS/TestSignature: unsupported type or version of signature
>>> $ codesign --remove-signature /.../TestSignature.app
>>> /.../TestSignature.app: unsupported type or version of signature
>>> $ codesign --remove-signature /.../TestSignature.app/Contents/_CodeSignature/CodeResources
>>> (Prints nothing, leaves CodeResources unchanged.)
>>>
>>> TestSignature is the OS X Objective C app template signed by "-" (local, default identity).
>>>
>>> I wonder if it only strips v1 signatures, and hasn't been updated for v2 signatures?
>>> (I'm on 10.10.5 with Xcode 7.1, perhaps other versions of codesign will work.)
>>>
>>> I've been working off this Apple code signing documentation:
>>> https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211
>>>
>>>
>>> Mozilla has solved a related problem by adding striptease (an enhanced strip command) to their build process:
>>> https://bugzilla.mozilla.org/show_bug.cgi?id=411954
>>> https://github.com/mackyle/striptease
>>>
>>> striptease will strip code signatures, but it's an external tool, so that's not an ideal dependency.
>>
>> Ah, nice. While looking today, I also found:
>> https://github.com/Tyilo/insert_dylib#removing-code-signature
>>
>> And another, far more sketchy tool:
>> http://www.insanelymac.com/forum/topic/293359-tool-to-remove-apple-code-signatures-from-binaries/
>>
>> In general, I think external tools are fine, if we can get them to work
>> reproducibly (in either the removal direction, or in the addition
>> direction that Lunar suggested).
>
> I think it makes sense to ship the binary with the signature in it (and remove
> it to test reproducibility) if that's the only way for Gatekeeper to validate
> the app.
>
> I've written code to manually extract the entitlements from a binary before, so
> I am familiar with how to go about making a tool to remove the code signature.
> The signature format is documented in the code of Jay Freeman's cross-platform
> `ldid` tool, which is used to "fakesign" binaries for jailbroken devices:
> http://gitweb.saurik.com/ldid.git, http://www.saurik.com/id/8

Sorry to double post, but I stand corrected: ldid already supports stripping code signatures, and Jay made it "really really good" in the last few months. He knows a lot about codesigning, so I am getting his feedback on a good approach.

Conrad

> The code is a solid base to work with, and I could probably add functionality
> to remove the signature. If it's as simple as axing the entire
> `LC_CODE_SIGNATURE` command, then that's relatively straightforward.
>
> I've been personally meaning to add Mach-O support to diffoscope as well,
> so I should probably do that, as it would be extremely helpful for this endeavor.
>
> I will also investigate the possibility of using detached signatures.
>
>
> Conrad
>
>> I'm also wondering if we can add detached code signatures from codesign
>> to a plist or other XML property inside the .app folder. That would make
>> all of this better, if it works. Then performing the check is as simple
>> as removing the detached sigs and altering metadata.
>>
>>
>> --
>> Mike Perry
>> _______________________________________________
>> tor-dev mailing list
>> tor-dev@xxxxxxxxxxxxxxxxxxxx
>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
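As an added illustration (not part of the thread, and not code from ldid, codesign or striptease), the following Python locates the `LC_CODE_SIGNATURE` load command discussed above in a thin Mach-O file and reports where the signature blob it points to sits. The function names and the constructed sample header are assumptions made for the example; it only inspects the file and does not remove the signature.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # thin Mach-O, 32-bit / 64-bit
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0  # SuperBlob magic, stored big-endian

def find_code_signature(data: bytes):
    """Describe the LC_CODE_SIGNATURE command of a thin Mach-O; None if absent."""
    for endian in ("<", ">"):
        (magic,) = struct.unpack_from(endian + "I", data, 0)
        if magic in (MH_MAGIC, MH_MAGIC_64):
            break
    else:
        raise ValueError("not a thin Mach-O (fat files need per-slice parsing)")
    header_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    offset, end = header_size, header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("malformed load command size")
        if cmd == LC_CODE_SIGNATURE:  # a linkedit_data_command
            if cmdsize < 16:
                raise ValueError("LC_CODE_SIGNATURE too small")
            dataoff, datasize = struct.unpack_from(endian + "II", data, offset + 8)
            if datasize < 4 or dataoff + datasize > len(data):
                raise ValueError("signature blob lies outside the file")
            (blob_magic,) = struct.unpack_from(">I", data, dataoff)
            return dict(command_offset=offset, dataoff=dataoff, datasize=datasize,
                        embedded_superblob=blob_magic == CSMAGIC_EMBEDDED_SIGNATURE,
                        ends_at_eof=dataoff + datasize == len(data))
        offset += cmdsize
    return None

def build_sample(signed: bool) -> bytes:
    """Constructed 64-bit little-endian header with LC_UUID and optional signature."""
    cmds = struct.pack("<II16s", LC_UUID, 24, b"\x11" * 16)
    blob = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, 12, 0) if signed else b""
    if signed:  # the empty SuperBlob is placed right after the load commands
        cmds += struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 32 + len(cmds) + 16, 12)
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1 + signed, len(cmds), 0, 0)
    return header + cmds + blob
```

Running `find_code_signature` over an official and a reproduced binary shows whether the two differ only in the presence of this command and the bytes at `dataoff`, which is the precondition for the de-signing comparison the thread is after.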