Code signing on iOS/OSX

Talk about understanding elements of code signing on iOS and OSX.
It shows different file formats and open standards used for signatures, and some common usage.

Marin Usalj

March 07, 2017

Transcript
  1. September 27, 2017 | Marin Usalj: Understanding Code Signing on iOS/OSX
  2. "Like a signature written with ink on paper, a digital signature can be used to identify and authenticate the signer. However, a digital signature is more difficult to forge, and goes one step further: it can ensure that the signed data has not been altered." (apple.com)
  3. User benefits: as a user, you're sure you're getting authorized software. It also protects developers from unauthorized copying.
  4. Apple benefits: all the customer benefits mentioned above. Makes it impossible for programs to download and run more native code at runtime. No competition for the App Store (iOS only).
  5. Code signing was introduced on iOS from the first day of the App Store, and has been creeping into OS X through Gatekeeper (OS X 10.8 and later).
  6-8. Why this talk, vs. just running Fastlane and going home?
  9. Why this talk: thousands of dev hours wasted. Things break. It is important to understand the underlying technology.
  10. Code signing on Apple platforms uses open source tools in combination with Apple's proprietary ones. It relies on public-key cryptography based on the X.509 standard (like TLS/SSL). The Keychain Access utility manages the X.509 infrastructure on OS X.
  11. CSR
  12. CSR: in public key infrastructure (PKI) systems, a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
  13-16. (diagram of CSR generation; caption fragment: "Generated by")
  17. CSR: this all happens locally.
  18. $ cat pl.csr
    -----BEGIN CERTIFICATE REQUEST-----
    asOdUe4+lRFvD4BtYExCZanetA3geXBUrf5wgOydIZlS4EeYQyBfWK9SidZpXc
    Np/JCEJeyQZH95P2+AvCY+QpuBxNa4z6TMIq/
    gOIn+CT+9YENjgCXjNGNfyNeoVQBdm8v22jN15SST9JmfqlWP7P9qsdbPkTFl7
    3MqWiKG6bNf/
    ... omitted ...
    BQMBFHmLEx85uttpGvDcIxL3iwFC2l3aaFl88lVuV68dKzgaNtvUpIT+H5lQAf
    3cNBh5Mm6tHXegPicOwfKSFW+sfkkZAvDLfovd2WClnecmE9/
    fHrLlnYTGtbJr/
    h10BLBptxWkmsKPbN110PE5ScGhfzhVrBh+BFGSIZFQ10tqxMZRklsepc6RlFM
    2kCcbU=
    -----END CERTIFICATE REQUEST-----
  19. $ openssl asn1parse -i -in pl.csr
     17:d=5  hl=2 l=   9 prim:      OBJECT            :emailAddress
     28:d=5  hl=2 l=  19 prim:      IA5STRING         :marin2211@gmail.com
     53:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
     58:d=5  hl=2 l=  11 prim:      UTF8STRING        :Marin Usalj
     75:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
     80:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
     90:d=4  hl=2 l=   9 prim:      OBJECT            :rsaEncryption
    101:d=4  hl=2 l=   0 prim:      NULL
    103:d=3  hl=4 l= 271 prim:      BIT STRING
    378:d=2  hl=2 l=   0 cons:      cont [ 0 ]
    380:d=1  hl=2 l=  13 cons:      SEQUENCE
    382:d=2  hl=2 l=   9 prim:      OBJECT            :sha256WithRSAEncryption
  20. $ openssl req -text -noout -in pl.csr
    Certificate Request:
        Data:
            Version: 0 (0x0)
            Subject: emailAddress=marin2211@gmail.com, CN=Marin Usalj, C=US
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    ed:89:b8:54:dd:fa:fd:87:db:03:07:10:6e:2e:a4:
                    7a:8b:07:cf:68:5c:af:bf:4a:8e:42:fe:14:db:2b:
                    a0:2f:e9:76:8b:eb:53:76:a7:09:fb:0e:ed:bd:70:
                    00:a4:9c:c2:5c:61:a5:44:cb:e6:a0:76:a2:02:aa:
                    ... omitted ...
  21. $ openssl req -text -noout -in pl.csr
    Certificate Request:
        ... omitted ...
        Signature Algorithm: sha256WithRSAEncryption
            db:02:97:b4:d2:dc:7d:44:dd:35:e6:6e:34:9d:7f:20:c1:eb:
            c2:7a:8a:6d:f5:87:ed:91:15:e4:f1:1a:67:24:10:55:b3:c2:
            7c:fb:5a:88:bd:34:6e:4b:9a:e2:bf:89:2a:4e:f3:4a:e1:d7:
            ac:65:71:09:0d:fe:47:31:bb:a1:07:3f:86:c5:f7:75:50:e2:
            9b:74:9c:d3:31:13:7a:f3:06:9b:fc:81:f7:15:78:2e:79:61:
            34:6b:c7:71:93:45:ec:14:63:97:f8:37:cd:5f:d6:39:f3:6b:
            22:34:c8:4b:ab:ae:ca:ba:c9:c8:ed:30:25:4a:31:01:85:bf:
            ... omitted ...
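The `asn1parse` listing above is nothing more than a walk over DER tag/length/value triples, and the CSR's Subject is three SET { SEQUENCE { OID, string } } groups. The following is an added example (not from the talk, and not OpenSSL code): a small pure-Python DER encoder that builds a subject Name with the same three attributes as the CSR, plus a walker that prints it the way `openssl asn1parse -i` does. Python is used instead of the shell so it runs offline without OpenSSL or macOS tools. Only the tags and OIDs a CSR subject needs are given names; everything else is shown by number, and the offsets differ from the listing above only by the 11 bytes of CSR wrapper (outer SEQUENCE, CertificationRequestInfo, version) that sit before the Name in a real request.

```python
"""Walk DER the way `openssl asn1parse -i` does. Added example, not from the talk.

Builds the CSR's subject Name (emailAddress, CN, C) as DER and parses it back,
printing offset / depth / header length / length / type / value per element.
"""

# Universal tags needed for an X.509 Name; anything else is shown by number.
TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL", 0x06: "OBJECT",
             0x0C: "UTF8STRING", 0x13: "PRINTABLESTRING", 0x16: "IA5STRING",
             0x30: "SEQUENCE", 0x31: "SET"}
STRING_TAGS = (0x0C, 0x13, 0x16)
OID_NAMES = {"2.5.4.3": "commonName", "2.5.4.6": "countryName",
             "1.2.840.113549.1.9.1": "emailAddress",
             "1.2.840.113549.1.1.1": "rsaEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}


def der_length(n):
    """DER definite length: one byte below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER element: tag, length, value."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> OBJECT IDENTIFIER: first two arcs packed into one byte, base-128 for the rest."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    """Inverse of encode_oid (assumes first arc 0, 1 or 2 and second arc < 40, as in X.509)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def asn1parse(data, depth=0, offset=0, rows=None):
    """Return [(offset, depth, header_len, length, 'cons'|'prim', type, value)] per element."""
    rows = [] if rows is None else rows
    pos = 0
    while pos < len(data):
        tag, first = data[pos], data[pos + 1]
        if first < 0x80:
            length, hl = first, 2
        else:                                    # long form: low 7 bits = number of length bytes
            n = first & 0x7F
            length, hl = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
        body = data[pos + hl:pos + hl + length]
        constructed = bool(tag & 0x20)
        if (tag & 0xC0) == 0x80:                 # context-specific, e.g. the CSR's attributes [0]
            name = "cont [ %d ]" % (tag & 0x1F)
        else:
            name = TAG_NAMES.get(tag, "tag 0x%02x" % tag)
        value = ""
        if tag == 0x06:
            oid = decode_oid(body)
            value = OID_NAMES.get(oid, oid)
        elif tag in STRING_TAGS:
            value = body.decode("utf-8")
        rows.append((offset + pos, depth, hl, length, "cons" if constructed else "prim", name, value))
        if constructed:
            asn1parse(body, depth + 1, offset + pos + hl, rows)
        pos += hl + length
    return rows


def attribute(oid, string_tag, text):
    """RelativeDistinguishedName: SET { SEQUENCE { OID, value } }."""
    return tlv(0x31, tlv(0x30, encode_oid(oid) + tlv(string_tag, text.encode("utf-8"))))


def build_subject(email, common_name, country):
    """The CSR's Subject as DER: emailAddress (IA5String), CN (UTF8String), C (PrintableString)."""
    return tlv(0x30, attribute("1.2.840.113549.1.9.1", 0x16, email)
               + attribute("2.5.4.3", 0x0C, common_name)
               + attribute("2.5.4.6", 0x13, country))


def subject_components(der):
    """{attribute name: value} read back from a parsed Name: each OBJECT is followed by its value."""
    rows = asn1parse(der)
    return {row[6]: rows[i + 1][6] for i, row in enumerate(rows) if row[5] == "OBJECT"}


if __name__ == "__main__":
    subject = build_subject("marin2211@gmail.com", "Marin Usalj", "US")
    for off, d, hl, ln, kind, name, value in asn1parse(subject):
        print("%5d:d=%d  hl=%d l=%4d %s: %-16s%s" % (off, d, hl, ln, kind, name, ":" + value if value else ""))
```

Running it prints the Name the same way the slide does (OBJECT :emailAddress at offset 6 instead of 17, because the CSR wrapper is absent). The same walker can be pointed at a DER-decoded `.cer` or the CSR itself; the only thing it will not name is OIDs outside the small table.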
  22. Private / Public Key Pair
  23. Key pair: RSA (2048 bit). Public key: embedded in CSRs and certificates, shared. Private key: used for the actual signing; must not be shared.
  24. Key pair: creating CSRs / certs on several Macs can be a problem. A certificate you generate on one machine WILL NOT be usable for code signing on a machine that does not have that private key. Forgetting this is a great way to waste hours and get angry.
  25. (image)
  26. Certificate
  27. Certificate, broadly: a public key combined with additional information, signed by a Certificate Authority (CA) stating that the information in the certificate is correct.
  28. Certificate: it's a guarantee that the named developer (the holder of the private key) signed this code, that you are a member of the developer program, and that Apple has issued you a certificate to do so.
  29-33. (diagram: the developer certificate, showing Not Before: Sep 2 18:40:48 2016 GMT, Not After: Sep 2 18:40:48 2017 GMT, Signature Algorithm: sha256WithRSAEncryption, and the signature bytes)
  34. $ openssl x509 -in marin.cer -inform DER -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 5a:a5:01:64:2e:8f:dd:62
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
            Validity
                Not Before: Sep  2 18:40:48 2016 GMT
                Not After : Sep  2 18:40:48 2017 GMT
            Subject: UID=XTD6RSHE3Y, CN=iPhone Developer: Marin Usalj (A4560M2TBD), OU=M3S82H073H, O=Playgrounds, Inc., C=US
  35. $ openssl x509 -in marin.cer -inform DER -text -noout
    ... omitted ...
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    3f:d6:7d:d0:d9:b2:4a:9b:95:0e:b5:33:68:01:e3:
                    a4:1d:0d:f9:58:3a:b8:c6:aa:43:5d:35:a0:b1:8a:
                    ... omitted ...
                    42:e3:b2:4e:f3:4a:bd:bc:56:3a:bc:7b:4d:94:63:
                    1d:b4:aa:1e:64:7b:e1:eb:7d:28:9a:8d:31:b4:25:
                Exponent: 65537 (0x10001)
  36. $ openssl x509 -in marin.cer -inform DER -text -noout
    ... omitted ...
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0
                X509v3 Authority Key Identifier:
                    keyid:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0
                X509v3 Certificate Policies:
                    Policy: 1.2.840.113635.100.5.1
                      User Notice: ...
                X509v3 Key Usage: critical
                    Digital Signature
                X509v3 Extended Key Usage: critical
                    Code Signing
    (The key identifiers are placeholders on the slide; the Extended Key Usage is what makes this certificate usable for code signing and nothing else.)
  37. $ openssl x509 -in marin.cer -inform DER -text -noout
    ... omitted ...
        Signature Algorithm: sha256WithRSAEncryption
            44:3c:85:fe:45:33:e4:dc:f8:4f:bb:dc:57:76:4f:f8:cd:32:
            9b:4a:ca:35:83:a1:02:03:a6:d5:64:f2:96:96:3b:ad:86:97:
            74:01:33:6c:df:2f:f8:46:17:d5:2f:00:b9:e2:8e:35:3a:46:
            66:3d:1d:49:f5:cb:ff:04:1a:94:ae:9b:d7:ba:46:e7:bf:28:
            ... omitted ...
            f8:f8:ba:3c:6c:db:b7:16:20:f7:e2:c2:23:ad:b4:b1:74:60:
            cf:5c:37:a0:a4:e0:76:d1:22:8a:1b:68:63:ad:c3:e1:4f:fd:
            ad:80:20:59
  38. PKCS #12
  39. PKCS #12: archive file format for storing many cryptography objects as a single file. Commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trust.
  40. (diagram: the certificate shown earlier, packaged as Release.p12)
  41. PKCS #12: the file may be encrypted and signed. The internal storage containers are called SafeBags; they may also be encrypted and signed.
  42. $ openssl pkcs12 -in marin.p12 -passin pass:passw0rd -passout pass:passw0rd
    MAC verified OK
    Bag Attributes
        friendlyName: iPhone Developer: marin@yolo.com (ABCUT7VXYZ)
        localKeyID: BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0
    subject=/UID=TBD6RSNF4Y/CN=iPhone Developer: marin@yolo.com (ABCUT7VXYZ)/OU=Q234J5G5G1/O=Marin Usalj/C=US
    issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
    -----BEGIN CERTIFICATE-----
    LGh5IJEcCLvyzW+wV3SVIEIekP8x5lSXMAn7FiMg4IKh+sBCs4aIrcbiXov5YycQaT+gQHUc569hZY
    Ssdlz/asBQuqybJ+mCAMbBZ99jLM25wJO14l5IHd673EhrW/
    ... omitted ...
    p7TVLKhK95bec7a1admvtJm+UbvJXzI7gEIfXZdvmh3FK4AVabvYoFlKwGzMavJB=
    -----END CERTIFICATE-----
    (Passing passphrases on the command line like this leaves them in shell history and visible to `ps`; on a shared CI machine prefer `-passin file:...` or `-passin env:...`.)
  43. $ openssl pkcs12 -in marin.p12 -passin pass:passw0rd -passout pass:passw0rd
    ... continued ...
    Bag Attributes
        friendlyName: iOS Developer: Marin Usalj (Marin Usalj)
        localKeyID: BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0
    Key Attributes: <No Attributes>
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: DES-EDE3-CBC,2FD20992DD748148
    iUWOSSWoLOR8xgDD7VexOSSMuWjvbRhO/Cyzdqd2orpzVkYTKDmEIjy8BScUD2pmW/
    ... omitted ...
    2fex4o7ZyE7QMgg49Jau5eidAlksyaJpFXvvA/boSEFO3WJ4m3wxt2==
    -----END RSA PRIVATE KEY-----
  44. Team, Bundle, App ID
  45. Team ID: each dev account has a unique identifier. You might have an enterprise and a production account with Apple: Team Rocket = BHKW85A12H; Team Rocket (Ent) = A8WFE5231P.
  46. Bundle ID: each app should have its own bundle ID in reverse-DNS format. Beta: com.yolo.ios.beta; App Store: com.yolo.ios.
  47. App ID: an App ID is composed of a team prefix followed by a bundle ID: A8WFE5231P.com.yolo.ios.beta
  48. Device IDs: each iOS device has a unique identifier (UDID), used in provisioning profiles for whitelisting (much wow. very device).
  49. Entitlements
  50. Entitlements: which system resources an app is allowed to use, and under what conditions. Each entitlement has a default value, which in most cases disables the capability associated with the entitlement.
  51. Entitlement examples: iCloud, push notifications, get-task-allow (debug builds only), Siri, ...
  52. Entitlements: enable only the resource access you need. This minimizes the damage potential if malicious code exploits your app.
  53. Entitlements: plist format; can be inspected from a compiled app.
  54. $ codesign -d --entitlements :- Yolo.app
    ...
    <key>application-identifier</key>
    <string>A8WFE5231P.com.yolo.ios.beta</string>
    <key>get-task-allow</key>
    <false/>
    <key>com.apple.developer.siri</key>
    <true/>
    ...
  55. Provisioning Profiles
  56. Provisioning profiles: when put together, all these objects combine so that this unique app (App ID) can run on this restricted set of devices (UDIDs), with a set of permissions (entitlements), with trust based on the signed certificate.
  57. (diagram: provisioning profile "Yolo Beta", UUID 760FB38B-F7CA-4789-B4A2-78B6B37B2217, expiring 2018-01-30T19:05:44Z, for App ID A8WFE5231P.com.yolo.ios.beta, bundling the certificate shown earlier with these entitlements:)
    <key>Entitlements</key>
    <dict>
        <key>keychain-access-groups</key>
        <array>
            <string>A8WFE5231P.*</string>
        </array>
        <key>get-task-allow</key>
        <false/>
        <key>com.apple.developer.siri</key>
        <true/>
    </dict>
  58. Provisioning profiles are not a bare plist: the plist is wrapped in a Cryptographic Message Syntax (CMS, RFC 3852) signed envelope, which is why `security cms -D` (decode) is needed to read it.
  59. $ security cms -D -i Yolo.app/embedded.mobileprovision
    <dict>
        <key>AppIDName</key>
        <string>XC com yolo ios beta</string>
        <key>ApplicationIdentifierPrefix</key>
        <array>
            <string>A8WFE5231P</string>
        </array>
        <key>CreationDate</key>
        <date>2017-01-30T19:05:44Z</date>
        <key>Platform</key>
        <array>
            <string>iOS</string>
        </array>
  60. $ security cms -D -i Yolo.app/embedded.mobileprovision
    ...
        <key>TeamName</key>
        <string>Team Rocket (Ent)</string>
        <key>TimeToLive</key>
        <integer>365</integer>
        <key>UUID</key>
        <string>927br60c-h7ob-8362-g8l3-62ked01y0863</string>
        <key>Version</key>
        <integer>1</integer>
    </dict>
  61. $ security cms -D -i Yolo.app/embedded.mobileprovision
        <key>DeveloperCertificates</key>
        <array>
            <data>
            hyMfz10PxbEahZCVeZvoXbRU7sUOhb1WpKxd6pl1UxSfG/
            pm4kg1ABVBPTWy9ykk6UNh5xgEKdKQbkHGanfFCqmGwiDWDxxZWDhdO
            vd108Hjbr162Kg45XRWLWqZAY6XgsmI10BikHkM1077TpShJSBqH76rYeGuV
            sp7rTO6HKm+CSKxVsYhq10yM1Gf4vqHODNxTOPwwueenOWa+ThGiexIRN
            EpNFb3Hn792gFlUqRNrv373EgR
            ... omitted ...
            gIze2hoxtLn5JPOlkCDOp4mUgitmjOnAgcrojnB4qMbEA10emTYbI3bAR1IKb
            Rger5i8H8iSDi10ggbs27KINCp10F98rfa5ErKCKcPOKmvmax7E5P8PF79cZH
            uZe/7idS4SEJ10X6HiY7GznHWJg+Y928GBlQBhu8cikTO5nw44JTILe1/S2==
            </data>
        </array>
  62. $ security cms -D -i Yolo.app/embedded.mobileprovision
    ...
        <key>Entitlements</key>
        <dict>
            <key>get-task-allow</key>
            <false/>
            <key>application-identifier</key>
            <string>A8WFE5231P.com.yolo.ios.beta</string>
            <key>com.apple.developer.siri</key>
            <true/>
        </dict>
    ...
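Slides 45 to 62 describe the relationship that installation enforces: the app's signed entitlements must be a subset of what the profile grants, the application-identifier must carry the team prefix and match the profile's App ID (which may be a wildcard like `A8WFE5231P.*`), the device must be in the profile's list, and the profile must not have expired. The following is an added example, not from the talk and not Apple's implementation: it parses a decoded profile (what `security cms -D` prints) with the standard-library `plistlib` and runs those checks over the entitlements from slide 54. The profile plist is constructed from the slides; `ExpirationDate`, `ProvisionedDevices` and `TeamIdentifier` are real profile keys the slides do not show, and their values here (including the device UDID) are made up. It does not verify the CMS signature or the certificate chain, which the real system does before looking at any of this.

```python
"""Check an app's signed entitlements against its provisioning profile. Added example, not from the talk.

Models the checks the talk describes (App ID, device list, entitlements, expiry)
on the decoded plist that `security cms -D` prints; it does not verify the CMS
signature or the certificate chain, which the real system does first.
"""
import datetime
import fnmatch
import plistlib

# Constructed from the decoded Yolo.app profile on the slides. ExpirationDate, ProvisionedDevices
# and TeamIdentifier are real profile keys the slides do not show; their values are made up here.
PROFILE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>AppIDName</key><string>XC com yolo ios beta</string>
  <key>ApplicationIdentifierPrefix</key><array><string>A8WFE5231P</string></array>
  <key>CreationDate</key><date>2017-01-30T19:05:44Z</date>
  <key>ExpirationDate</key><date>2018-01-30T19:05:44Z</date>
  <key>Platform</key><array><string>iOS</string></array>
  <key>ProvisionedDevices</key><array><string>00000000-000000000000CAFE</string></array>
  <key>Entitlements</key><dict>
    <key>application-identifier</key><string>A8WFE5231P.com.yolo.ios.beta</string>
    <key>keychain-access-groups</key><array><string>A8WFE5231P.*</string></array>
    <key>get-task-allow</key><false/>
    <key>com.apple.developer.siri</key><true/>
  </dict>
  <key>TeamIdentifier</key><array><string>A8WFE5231P</string></array>
  <key>TeamName</key><string>Team Rocket (Ent)</string>
  <key>TimeToLive</key><integer>365</integer>
  <key>UUID</key><string>760FB38B-F7CA-4789-B4A2-78B6B37B2217</string>
  <key>Version</key><integer>1</integer>
</dict></plist>"""

# What `codesign -d --entitlements :- Yolo.app` showed for the release build.
APP_ENTITLEMENTS = {
    "application-identifier": "A8WFE5231P.com.yolo.ios.beta",
    "get-task-allow": False,
    "com.apple.developer.siri": True,
}

DEMO_UDID = "00000000-000000000000CAFE"        # made-up device, listed in the profile above
TALK_DATE = datetime.datetime(2017, 9, 27)     # a date inside the profile's validity window


def load_profile(plist_bytes):
    """Parse the decoded (CMS-stripped) profile; <date> values become naive UTC datetimes."""
    return plistlib.loads(plist_bytes)


def check_app_against_profile(profile, app_entitlements, udid, now):
    """Return the reasons the app would be refused on this device; an empty list means it runs."""
    problems = []
    if now > profile["ExpirationDate"]:
        problems.append("profile expired on %s" % profile["ExpirationDate"].isoformat())
    if udid not in profile.get("ProvisionedDevices", []):
        problems.append("device %s not in profile" % udid)

    granted = profile["Entitlements"]
    team = profile["TeamIdentifier"][0]
    app_id = app_entitlements.get("application-identifier", "")
    if not app_id.startswith(team + "."):
        problems.append("application-identifier %r is not prefixed with team %s" % (app_id, team))
    # The profile's App ID may be a wildcard such as A8WFE5231P.*, so match it as a glob.
    if not fnmatch.fnmatchcase(app_id, granted["application-identifier"]):
        problems.append("application-identifier %r does not match profile App ID %r"
                        % (app_id, granted["application-identifier"]))

    # Every entitlement the app claims must be granted by the profile with the same value;
    # keychain-access-groups is a list matched against the profile's (possibly wildcard) groups.
    for key, value in app_entitlements.items():
        if key == "application-identifier":
            continue
        if key not in granted:
            problems.append("entitlement %s not granted by profile" % key)
        elif key == "keychain-access-groups":
            for group in value:
                if not any(fnmatch.fnmatchcase(group, pattern) for pattern in granted[key]):
                    problems.append("keychain group %s not allowed by profile" % group)
        elif value != granted[key]:
            problems.append("entitlement %s: app has %r, profile allows %r" % (key, value, granted[key]))
    return problems


if __name__ == "__main__":
    prof = load_profile(PROFILE_PLIST)
    print(check_app_against_profile(prof, APP_ENTITLEMENTS, DEMO_UDID, TALK_DATE))
    debug_build = dict(APP_ENTITLEMENTS, **{"get-task-allow": True})   # debug build, release profile
    print(check_app_against_profile(prof, debug_build, DEMO_UDID, TALK_DATE))
```

The second call is the classic mistake from slide 51: a debug build carries `get-task-allow = true`, the distribution profile grants `false`, and the app will not install even though the certificate and device are fine. Swapping in `com.yolo.ios` for the App ID, another device, or a date past `ExpirationDate` each produce their own single, specific reason rather than a generic "profile doesn't match" error.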
  63. Signing Code
  64. Signing code: after building is done, signing is performed. All the individual components of the app are signed. All sorts of code get signed, including tools, applications, scripts, libraries, plug-ins, ...
  65. Signing code: a code signature consists of three parts: a seal (a collection of hashes of the various parts of the code and its resources), a digital signature (over the seal), and code requirements.
  66-68. (diagram, built up over three slides: the seal's hashes "abc1234 badf00d asd23f" are combined with the digital signature)
  69. Signature: signed code may contain several different digital signatures. If the code is universal, the object code for each slice (architecture) is signed separately. This signature is stored within the binary file itself.
  70. Signature: various data components are hashed into the seal recorded in _CodeSignature/CodeResources: bundle contents (e.g. Info.plist, sounds, images) and nested code, libraries and tools.
  71. $ vi _CodeSignature/CodeResources
    <key>AppIcon-Dev29x29~ipad.png</key>
    <data>
    uz2wfiTTUrftvAmfLV9iVgc210sO=
    </data>
    <key>AppIcon-Dev40x40@2x.png</key>
    <data>
    QBsZgAb7ostVQ10hvWLNfYmP7ECq=
    </data>
  72. Verifying Signatures
  73. Verifying: the verifying software computes the same set of hashes across the various blocks of code and data. The public key from the certificate is used to verify the signature over the original hashes (with RSA this is often described as "decrypting" the signature to recover them). If the recomputed hashes match the signed ones, the signature is valid.
  74-78. $ codesign -vvvv Lyft.app
    Lyft.app: valid on disk
    Lyft.app: satisfies its Designated Requirement
    $ echo "wat" >> Lyft.app/yolo   # adding a random file
    $ codesign -vvvv Lyft.app
    Lyft.app: a sealed resource is missing or invalid
    file added: /Users/marinusalj/Downloads/Payload/Lyft.app/yolo
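Slides 70 to 78 show the seal at work: `CodeResources` records a hash per bundle file, and `codesign -vvvv` recomputes them and reports `file added:` for the stray `yolo`. The following is an added example, not from the talk and not Apple's format or tool: a simplified seal that hashes every file in a bundle (SHA-1, as the 20-byte `<data>` digests on slide 71 suggest), writes it as a plist under `_CodeSignature/CodeResources`, and then re-verifies the bundle, reporting added, missing and modified files. The demo bundle, its two files and the tampering are constructed inline. Note what it deliberately omits: in a real signature the `CodeResources` file is itself hashed into the code directory that the private key signs, so an attacker cannot simply re-seal a modified bundle. Here there is no signature, so the seal detects tampering but cannot prove who produced the bundle; that is exactly the gap the certificate and private key from the earlier slides close.

```python
"""Seal and verify an app bundle's resources the way _CodeSignature/CodeResources does.
Added example, not from the talk and not Apple's format: a simplified manifest of SHA-1
hashes written as a plist, then re-checked for added, missing and modified files.
"""
import hashlib
import os
import plistlib
import tempfile

SEAL_DIR = "_CodeSignature"
SEAL_FILE = "CodeResources"


def add_file(bundle_dir, relpath, data):
    """Write (or append to) a file inside the bundle; used both to build and to tamper with the demo."""
    path = os.path.join(bundle_dir, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "ab") as f:
        f.write(data)


def seal_bundle(bundle_dir):
    """Hash every file except the seal itself -> {"files": {relative path: SHA-1 digest bytes}}."""
    files = {}
    for root, dirs, names in os.walk(bundle_dir):
        dirs[:] = [d for d in dirs if d != SEAL_DIR]          # never seal the seal
        for name in names:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, bundle_dir).replace(os.sep, "/")
            with open(path, "rb") as f:
                files[rel] = hashlib.sha1(f.read()).digest()   # bytes become <data> in the plist
    return {"files": files}


def write_seal(bundle_dir, seal):
    """Store the seal as _CodeSignature/CodeResources (XML plist)."""
    os.makedirs(os.path.join(bundle_dir, SEAL_DIR), exist_ok=True)
    with open(os.path.join(bundle_dir, SEAL_DIR, SEAL_FILE), "wb") as f:
        plistlib.dump(seal, f)


def verify_seal(bundle_dir):
    """Recompute the hashes and compare them with the sealed ones; [] means the seal still holds."""
    with open(os.path.join(bundle_dir, SEAL_DIR, SEAL_FILE), "rb") as f:
        sealed = plistlib.load(f)["files"]
    current = seal_bundle(bundle_dir)["files"]
    problems = []
    for rel in sorted(set(sealed) | set(current)):
        if rel not in sealed:
            problems.append("file added: " + rel)
        elif rel not in current:
            problems.append("file missing: " + rel)
        elif sealed[rel] != current[rel]:
            problems.append("file modified: " + rel)
    return problems


def make_demo_bundle():
    """A throwaway Yolo.app with two resources, sealed. Constructed sample data, not a real app."""
    app = os.path.join(tempfile.mkdtemp(), "Yolo.app")
    add_file(app, "Info.plist", b'<plist version="1.0"><dict/></plist>\n')
    add_file(app, "AppIcon-Dev29x29~ipad.png", b"\x89PNG\r\n\x1a\nnot really an icon")
    write_seal(app, seal_bundle(app))
    return app


if __name__ == "__main__":
    app = make_demo_bundle()
    print(verify_seal(app))                         # []
    add_file(app, "yolo", b"wat\n")                 # the slide's `echo "wat" >> Lyft.app/yolo`
    add_file(app, "Info.plist", b"<!-- tampered -->\n")
    print(verify_seal(app))                         # ['file modified: Info.plist', 'file added: yolo']
```

The first `verify_seal` passes, the second reports both the appended `yolo` and the edited `Info.plist`, mirroring the `a sealed resource is missing or invalid` output above. To turn this into something like a real code signature you would hash the seal plist itself and sign that hash with the developer's private key; verification would then check the signature with the certificate's public key before trusting any of the per-file hashes, which is the step slide 73 describes.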
  79. tl;dr;
  80-87. (comic: "Archiving is broken!" / "Try now, I've fixed provisioning profiles" / ... / ... 3 hours later)
  88-89. (diagram; captions: "Generated by", "Needed for code signing", "Stored only on this Mac")
  90. tl;dr: always know which machine generated the private keys. Store certs together with their keys, encrypted, in .p12 files. The private key is needed for signing!
  91. tl;dr: codesign is deterministic; xcodebuild phones home. Unpack the .p12 yourself on CI instead of relying on developer.apple.com. Try debugging systematically, step by step, instead of brute forcing.
  92. References
    newosxbook.com/articles/CodeSigning.pdf
    https://wiki.cacert.org/ConvertingPgpKeyToCertificate
    https://en.wikipedia.org/wiki/Certificate_signing_request
    https://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER
    https://developer.apple.com/support/certificates
    https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html
    https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
    https://www.raywenderlich.com/2915/ios-code-signing-under-the-hood
    https://developer.apple.com/library/content/technotes/tn2206/_index.html#/apple_ref/doc/uid/DTS40007919-CH1-TNTAG207
    https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/LaunchingYourApponDevices/LaunchingYourApponDevices.html#//apple_ref/doc/uid/TP40012582-CH27-SW4
    https://www.objc.io/issues/17-security/inside-code-signing/
    https://developer.apple.com/library/content/qa/qa1798/_index.html
    https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html
  93. Thanks: Playgrounds, Lyft
  94. @supermarin, supermar.in, Marin Usalj