[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-dev] [FWD: Re: Apple developer account + codesigning]



teor:
> 
> On 27 Oct 2015, at 05:41, Conrad Kramer <ckrames1234@xxxxxxxxx> wrote:
> 
> >> On Oct 26, 2015, at 11:22 AM, Spencer <spencerone@xxxxxxxxxxxxxxx> wrote:
> >> 
> >> Hi,
> >> 
> >>> Conrad Kramer:
> >>> All resources in a bundle (e.g. an app or framework) are
> >>> signed and the signatures are stored in a file named "CodeResourcesâ:
> >> 
> >> Then what is in 'CodeSignature', Apple's signing stuff?
> > 
> > The `_CodeSignature` folder currently only contains the `CodeResources` file.
> > The `CodeResources` file is simple XML.
> > 
> > The executables have their own signature in the `LC_CODE_SIGNATURE` load
> > command in the Mach-O binary.
> 
> Reproducible builds will be much easier if the executable signatures are also placed in a separate file, rather than modifying the executable.
> 
> I'm guessing there's no option for detached executable signatures?

Likely not, based on the description of the system. This is also the
case for Windows signatures, btw, which we have been already doing for
some time.

What we have done on Windows is to provide instructions for users to use
osslsigncode to remove the signatures if they wish to check what they
downloaded against a reproduced build. When the Windows signatures are
removed, the resulting de-signed files will have the same sha256sums as
the official builds:
https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification

We want to do this for MacOSX as well. Does anyone happen to know if we can
use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
and get the same exact binary as before signing?

We won't be doing this for iOS any time soon, nor will we be using the
App Store. I think this means we can ignore the more complicated DRM
encryption/decryption jailbreaking steps in the docs that Mike Tigas
linked to, as DRM encryption should not be involved for us. Hopefully
this makes it easier?

-- 
Mike Perry

Attachment: signature.asc
Description: Digital signature

_______________________________________________
tor-dev mailing list
tor-dev@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev