
Code signing on iOS/OSX

A talk on the building blocks of code signing on iOS and OSX: the file formats and open standards that signatures are made of, and how they are used in practice.

Marin Usalj

March 07, 2017

Transcript

  1. September 27, 2017 | MARIN USALJ
     "Like a signature written with ink on paper, a digital signature can be used to identify and authenticate the signer. However, a digital signature is more difficult to forge, and goes one step further: it can ensure that the signed data has not been altered." (APPLE.COM)
  2. User Benefits
     - As a user, you're sure you're getting authorized software
     - Protects developers from unauthorized copying
  3. Apple Benefits
     - All the customer benefits mentioned above
     - Prevents apps from downloading and running additional (unsigned) native code
     - No competition for the App Store™ (iOS only)
  4. Code Signing
     - Introduced on iOS from the first day of the App Store
     - Creeping into OSX through Gatekeeper (10.8 and later)
  5. Why this talk
  6. Why this talk vs just Fastlane and going home
  7. Why this talk
     - Thousands of dev hours wasted
     - Things break
     - Important to understand the underlying technology
  8. Code Signing on Apple platforms
     - Open source tools in combination with Apple's proprietary ones
     - Relies on public-key cryptography based on the X.509 standard (like TLS/SSL)
     - The Keychain Access utility manages the X.509 infrastructure on OSX
  9. CSR
     In Public Key Infrastructure systems, a certificate signing request is the message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.
  10. $ cat pl.csr
      -----BEGIN CERTIFICATE REQUEST-----
      asOdUe4+lRFvD4BtYExCZanetA3geXBUrf5wgOydIZlS4EeYQyBfWK9SidZpXc
      Np/JCEJeyQZH95P2+AvCY+QpuBxNa4z6TMIq/
      gOIn+CT+9YENjgCXjNGNfyNeoVQBdm8v22jN15SST9JmfqlWP7P9qsdbPkTFl7
      3MqWiKG6bNf/
      ... omitted ...
      BQMBFHmLEx85uttpGvDcIxL3iwFC2l3aaFl88lVuV68dKzgaNtvUpIT+H5lQAf
      3cNBh5Mm6tHXegPicOwfKSFW+sfkkZAvDLfovd2WClnecmE9/
      fHrLlnYTGtbJr/
      h10BLBptxWkmsKPbN110PE5ScGhfzhVrBh+BFGSIZFQ10tqxMZRklsepc6RlFM
      2kCcbU=
      -----END CERTIFICATE REQUEST-----
  11. $ openssl asn1parse -i -in pl.csr
      ...
         17:d=5  hl=2 l=   9 prim:      OBJECT            :emailAddress
         28:d=5  hl=2 l=  19 prim:      IA5STRING         :[email protected]
         53:d=5  hl=2 l=   3 prim:      OBJECT            :commonName
         58:d=5  hl=2 l=  11 prim:      UTF8STRING        :Marin Usalj
         75:d=5  hl=2 l=   3 prim:      OBJECT            :countryName
         80:d=5  hl=2 l=   2 prim:      PRINTABLESTRING   :US
         90:d=4  hl=2 l=   9 prim:     OBJECT            :rsaEncryption
        101:d=4  hl=2 l=   0 prim:     NULL
        103:d=3  hl=4 l= 271 prim:    BIT STRING
        378:d=2  hl=2 l=   0 cons:   cont [ 0 ]
        380:d=1  hl=2 l=  13 cons:  SEQUENCE
        382:d=2  hl=2 l=   9 prim:   OBJECT            :sha256WithRSAEncryption
  12. $ openssl req -text -noout -in pl.csr
      Certificate Request:
          Data:
              Version: 0 (0x0)
              Subject: [email protected], CN=Marin Usalj, C=US
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      RSA Public Key: (2048 bit)
                      Modulus (2048 bit):
                          ed:89:b8:54:dd:fa:fd:87:db:03:07:10:6e:2e:a4:
                          7a:8b:07:cf:68:5c:af:bf:4a:8e:42:fe:14:db:2b:
                          a0:2f:e9:76:8b:eb:53:76:a7:09:fb:0e:ed:bd:70:
                          00:a4:9c:c2:5c:61:a5:44:cb:e6:a0:76:a2:02:aa:
                          ... omitted ...
  13. $ openssl req -text -noout -in pl.csr
      Certificate Request:
          ... omitted ...
          Signature Algorithm: sha256WithRSAEncryption
              db:02:97:b4:d2:dc:7d:44:dd:35:e6:6e:34:9d:7f:20:c1:eb:
              c2:7a:8a:6d:f5:87:ed:91:15:e4:f1:1a:67:24:10:55:b3:c2:
              7c:fb:5a:88:bd:34:6e:4b:9a:e2:bf:89:2a:4e:f3:4a:e1:d7:
              ac:65:71:09:0d:fe:47:31:bb:a1:07:3f:86:c5:f7:75:50:e2:
              9b:74:9c:d3:31:13:7a:f3:06:9b:fc:81:f7:15:78:2e:79:61:
              34:6b:c7:71:93:45:ec:14:63:97:f8:37:cd:5f:d6:39:f3:6b:
              22:34:c8:4b:ab:ae:ca:ba:c9:c8:ed:30:25:4a:31:01:85:bf:
              ... omitted ...
  14. Key Pair
      RSA (2048 bit)
      - Public key: embedded in CSRs and certificates, shared
      - Private key: used for the actual signing. Should not be shared
  15. Key Pair
      Creating CSRs / certs on several Macs can be a problem: a certificate you generate on one machine WILL NOT be usable for code signing on a machine that does not have the matching private key. The certificate is public; only the certificate together with its private key forms a signing identity. Forgetting this is a great way to waste hours and get angry.
  16. Certificate
      Broadly: a public key combined with additional information, signed by a Certificate Authority (CA) stating that the information in the certificate is correct.
  17. Certificate
      It is Apple's attestation that:
      - you, the named developer, signed (and thus vouch for) this code
      - you are a member of the developer program
      - Apple has issued you a certificate to do so
  18. [figure: an Apple-issued developer certificate rendered as text (Not Before / Not After dates, Signature Algorithm: sha256WithRSAEncryption, signature bytes); the same certificate is dumped with openssl on the next slides]
  20. $ openssl x509 -in marin.cer -inform DER -text -noout
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 5a:a5:01:64:2e:8f:dd:62
          Signature Algorithm: sha256WithRSAEncryption
              Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
              Validity
                  Not Before: Sep  2 18:40:48 2016 GMT
                  Not After : Sep  2 18:40:48 2017 GMT
              Subject: UID=XTD6RSHE3Y, CN=iPhone Developer: Marin Usalj (A4560M2TBD), OU=M3S82H073H, O=Playgrounds, Inc., C=US
  21. $ openssl x509 -in marin.cer -inform DER -text -noout
      ... omitted ...
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      RSA Public Key: (2048 bit)
                      Modulus (2048 bit):
                          3f:d6:7d:d0:d9:b2:4a:9b:95:0e:b5:33:68:01:e3:
                          a4:1d:0d:f9:58:3a:b8:c6:aa:43:5d:35:a0:b1:8a:
                          ... omitted ...
                          42:e3:b2:4e:f3:4a:bd:bc:56:3a:bc:7b:4d:94:63:
                          1d:b4:aa:1e:64:7b:e1:eb:7d:28:9a:8d:31:b4:25:
                      Exponent: 65537 (0x10001)
  22. $ openssl x509 -in marin.cer -inform DER -text -noout
      ... omitted ...
              X509v3 extensions:
                  X509v3 Subject Key Identifier:
                      BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0
                  X509v3 Authority Key Identifier:
                      keyid:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0
                  X509v3 Certificate Policies:
                      Policy: 1.2.840.113635.100.5.1
                        User Notice: ...
                  X509v3 Key Usage: critical
                      Digital Signature
                  X509v3 Extended Key Usage: critical
                      Code Signing
  23. $ openssl x509 -in marin.cer -inform DER -text -noout
      ... omitted ...
          Signature Algorithm: sha256WithRSAEncryption
              44:3c:85:fe:45:33:e4:dc:f8:4f:bb:dc:57:76:4f:f8:cd:32:
              9b:4a:ca:35:83:a1:02:03:a6:d5:64:f2:96:96:3b:ad:86:97:
              74:01:33:6c:df:2f:f8:46:17:d5:2f:00:b9:e2:8e:35:3a:46:
              66:3d:1d:49:f5:cb:ff:04:1a:94:ae:9b:d7:ba:46:e7:bf:28:
              ... omitted ...
              f8:f8:ba:3c:6c:db:b7:16:20:f7:e2:c2:23:ad:b4:b1:74:60:
              cf:5c:37:a0:a4:e0:76:d1:22:8a:1b:68:63:ad:c3:e1:4f:fd:
              ad:80:20:59
  24. PKCS #12
      Archive file format for storing many cryptography objects as a single file. Commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trust.
  25. [figure: Release.p12, the certificate from the previous slides packaged as a PKCS #12 file]
  26. PKCS #12
      A PKCS #12 file may be encrypted and signed. Its internal storage containers are called SafeBags and may also be encrypted and signed.
      Caveat: the password is all that protects the private key inside, so treat a .p12 like the key itself. Exports from Keychain Access use the legacy PBE algorithms (40-bit RC2 for the certificate bags, 3DES for the key bag), which OpenSSL 3 will only read with the -legacy flag.
  27. $ openssl pkcs12 -in marin.p12 -passin pass:passw0rd -passout pass:passw0rd
      MAC verified OK
      Bag Attributes
          friendlyName: iPhone Developer: [email protected] (ABCUT7VXYZ)
          localKeyID: BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0
      subject=/UID=TBD6RSNF4Y/CN=iPhone Developer: [email protected] (ABCUT7VXYZ)/OU=Q234J5G5G1/O=Marin Usalj/C=US
      issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
      -----BEGIN CERTIFICATE-----
      LGh5IJEcCLvyzW+wV3SVIEIekP8x5lSXMAn7FiMg4IKh+sBCs4aIrcbiXov5YycQaT+gQHUc569hZY
      Ssdlz/asBQuqybJ+mCAMbBZ99jLM25wJO14l5IHd673EhrW/
      ... omitted ...
      p7TVLKhK95bec7a1admvtJm+UbvJXzI7gEIfXZdvmh3FK4AVabvYoFlKwGzMavJB=
      -----END CERTIFICATE-----
  28. $ openssl pkcs12 -in marin.p12 -passin pass:passw0rd -passout pass:passw0rd
      ... continued ...
      Bag Attributes
          friendlyName: iOS Developer: Marin Usalj (Marin Usalj)
          localKeyID: BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0
      Key Attributes: <No Attributes>
      Enter PEM pass phrase:
      Verifying - Enter PEM pass phrase:
      -----BEGIN RSA PRIVATE KEY-----
      Proc-Type: 4,ENCRYPTED
      DEK-Info: DES-EDE3-CBC,2FD20992DD748148

      iUWOSSWoLOR8xgDD7VexOSSMuWjvbRhO/Cyzdqd2orpzVkYTKDmEIjy8BScUD2pmW/
      ... omitted ...
      2fex4o7ZyE7QMgg49Jau5eidAlksyaJpFXvvA/boSEFO3WJ4m3wxt2==
      -----END RSA PRIVATE KEY-----
  29. Team ID
      Each dev account has a unique identifier. You might have an enterprise and a production account with Apple:
      - Team Rocket = BHKW85A12H
      - Team Rocket (Ent) = A8WFE5231P
  30. Bundle ID
      Each app should have its own bundle ID in reverse-DNS format:
      - Beta: com.yolo.ios.beta
      - AppStore: com.yolo.ios
  31. App ID
      An App ID is composed of a team prefix followed by a bundle ID:
      A8WFE5231P.com.yolo.ios.beta
  32. Device IDs
      Each iOS device has a unique identifier (UDID), used in provisioning profiles for whitelisting (much wow. very device)
  33. Entitlements
      Which system resources an app is allowed to use, and under what conditions. Each entitlement has a default value, which in most cases disables the capability associated with the entitlement.
  34. Entitlements examples
      - iCloud
      - Push notifications
      - get-task-allow (debug builds only)
      - Siri, ...
  35. Entitlements
      Enable only the resource access you need. This minimizes the damage potential if malicious code exploits your app.
  36. $ codesign -d --entitlements :- Yolo.app
      ...
      <key>application-identifier</key>
      <string>A8WFE5231P.com.yolo.ios.beta</string>
      <key>get-task-allow</key>
      <false/>
      <key>com.apple.developer.siri</key>
      <true/>
      ...
  37. Provisioning Profiles
      When put together, all these objects combine so that:
      - this unique app (App ID)
      - can run on this restricted set of devices (UDIDs)
      - with a set of permissions (Entitlements)
      - with trust based on the signed Certificate.
  38. [figure: the provisioning profile "Yolo Beta" (UUID 760FB38B-F7CA-4789-B4A2-78B6B37B2217, expires 2018-01-30T19:05:44Z) drawn as the combination of the App ID A8WFE5231P.com.yolo.ios.beta, the developer certificate and this entitlements dictionary:]
      <key>Entitlements</key>
      <dict>
        <key>keychain-access-groups</key>
        <array>
          <string>A8WFE5231P.*</string>
        </array>
        <key>get-task-allow</key>
        <false/>
        <key>com.apple.developer.siri</key>
        <true/>
        ...
  39. Provisioning Profiles
      Not a plain plist: the file is a Cryptographic Message Syntax (CMS, RFC 3852, now RFC 5652) signed message whose payload is the plist, so it has to be unwrapped before the plist can be read.
  40. $ security cms -D -i Yolo.app/embedded.mobileprovision
      <dict>
        <key>AppIDName</key>
        <string>XC com yolo ios beta</string>
        <key>ApplicationIdentifierPrefix</key>
        <array>
          <string>A8WFE5231P</string>
        </array>
        <key>CreationDate</key>
        <date>2017-01-30T19:05:44Z</date>
        <key>Platform</key>
        <array>
          <string>iOS</string>
        </array>
  41. $ security cms -D -i Yolo.app/embedded.mobileprovision
      ...
        <key>TeamName</key>
        <string>Team Rocket (Ent)</string>
        <key>TimeToLive</key>
        <integer>365</integer>
        <key>UUID</key>
        <string>927br60c-h7ob-8362-g8l3-62ked01y0863</string>
        <key>Version</key>
        <integer>1</integer>
      </dict>
  42. $ security cms -D -i Yolo.app/embedded.mobileprovision
        <key>DeveloperCertificates</key>
        <array>
          <data>
          hyMfz10PxbEahZCVeZvoXbRU7sUOhb1WpKxd6pl1UxSfG/
          pm4kg1ABVBPTWy9ykk6UNh5xgEKdKQbkHGanfFCqmGwiDWDxxZWDhdO
          vd108Hjbr162Kg45XRWLWqZAY6XgsmI10BikHkM1077TpShJSBqH76rYeGuV
          sp7rTO6HKm+CSKxVsYhq10yM1Gf4vqHODNxTOPwwueenOWa+ThGiexIRN
          EpNFb3Hn792gFlUqRNrv373EgR
          ... omitted ...
          gIze2hoxtLn5JPOlkCDOp4mUgitmjOnAgcrojnB4qMbEA10emTYbI3bAR1IKb
          Rger5i8H8iSDi10ggbs27KINCp10F98rfa5ErKCKcPOKmvmax7E5P8PF79cZH
          uZe/7idS4SEJ10X6HiY7GznHWJg+Y928GBlQBhu8cikTO5nw44JTILe1/S2==
          </data>
        </array>
  43. $ security cms -D -i Yolo.app/embedded.mobileprovision
      ...
        <key>Entitlements</key>
        <dict>
          <key>get-task-allow</key>
          <false/>
          <key>application-identifier</key>
          <key>com.apple.developer.siri</key>
          <true/>
        </dict>
      ...
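Everything from the App ID slide to the security cms dumps above comes together when you ask whether a given profile actually covers a given build. The following is an added example, not code from the talk or from Apple: a Python helper that locates the XML plist inside a .mobileprovision blob (the CMS envelope is PKCS#7 DER; the helper does not verify the CMS signature, which is what `security cms -D` does for you) and then applies the four rules from the Provisioning Profiles slide: App ID pattern against the app's application-identifier, UDID whitelist, requested versus granted entitlements, and expiry. The sample profile, the device UDID and the DER-looking bytes around the plist are constructed for the example.

```python
"""Does this provisioning profile cover this build?

Added example (not code from the talk or from Apple). A .mobileprovision is a
CMS (PKCS#7) signed blob whose payload is an XML plist; `security cms -D`
prints that payload. This helper only locates the embedded plist (it does NOT
verify the CMS signature) and then applies the composition rules from the
talk: App ID, device UDIDs, entitlements, expiry. All sample data is constructed.
"""
import datetime as dt
import plistlib
from typing import Dict, List, Union


def extract_plist(blob: bytes) -> dict:
    """Find the XML plist inside a CMS-wrapped .mobileprovision and parse it."""
    start = blob.find(b"<?xml")
    stop = blob.find(b"</plist>")
    if start < 0 or stop < start:
        raise ValueError("no XML plist payload found")
    return plistlib.loads(blob[start:stop + len(b"</plist>")])


def app_id_matches(pattern: str, app_id: str) -> bool:
    """Match TEAMID.bundle against a profile pattern such as TEAMID.com.yolo.*
    or TEAMID.* (Apple only allows a trailing wildcard)."""
    team_pat, _, bundle_pat = pattern.partition(".")
    team, _, bundle = app_id.partition(".")
    if team_pat != team:
        return False
    if bundle_pat.endswith("*"):
        return bundle.startswith(bundle_pat[:-1])
    return bundle_pat == bundle


def check_profile(profile: dict, app_id: str, udid: str,
                  app_entitlements: Dict[str, object],
                  now: Union[str, dt.datetime, None] = None) -> List[str]:
    """Return a list of problems; an empty list means the profile covers this build.
    `now` may be a naive UTC datetime or an ISO 8601 string (plist dates are naive UTC)."""
    if now is None:
        now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    elif isinstance(now, str):
        now = dt.datetime.fromisoformat(now)
    granted = profile.get("Entitlements", {})
    problems: List[str] = []

    # 1. App ID: the profile's application-identifier pattern must cover the app's.
    pattern = granted.get("application-identifier", "")
    if not app_id_matches(pattern, app_id):
        problems.append(f"App ID {app_id} is not covered by profile pattern {pattern!r}")

    # 2. Devices: development and ad hoc profiles carry a UDID whitelist. App Store
    #    profiles have no ProvisionedDevices; enterprise ones set ProvisionsAllDevices.
    devices = profile.get("ProvisionedDevices")
    if devices is not None and not profile.get("ProvisionsAllDevices", False) and udid not in devices:
        problems.append(f"device {udid} is not in ProvisionedDevices")

    # 3. Entitlements: whatever the app asks for must be granted by the profile.
    for key, wanted in app_entitlements.items():
        if key == "application-identifier":
            continue                                          # handled in step 1
        if key not in granted:
            problems.append(f"entitlement {key} requested but not granted by profile")
        elif key == "keychain-access-groups":
            pats = granted[key]
            for group in wanted:
                if not any(app_id_matches(p, group) for p in pats):
                    problems.append(f"keychain group {group} not covered by {pats}")
        elif granted[key] != wanted:
            # e.g. a debug build (get-task-allow=true) against a distribution profile
            problems.append(f"entitlement {key}: app wants {wanted!r}, profile grants {granted[key]!r}")

    # 4. Expiry: a device refuses to install an app whose embedded profile has expired.
    exp = profile.get("ExpirationDate")
    if exp is None or exp <= now:
        problems.append(f"profile expired or has no ExpirationDate ({exp})")
    return problems


# ---- constructed sample data, shaped like the `security cms -D` output on the slides ----
SAMPLE_PROFILE = {
    "AppIDName": "XC com yolo ios beta",
    "ApplicationIdentifierPrefix": ["A8WFE5231P"],
    "CreationDate": dt.datetime(2017, 1, 30, 19, 5, 44),
    "ExpirationDate": dt.datetime(2018, 1, 30, 19, 5, 44),
    "Platform": ["iOS"],
    "Entitlements": {
        "application-identifier": "A8WFE5231P.com.yolo.ios.beta",
        "keychain-access-groups": ["A8WFE5231P.*"],
        "get-task-allow": False,
        "com.apple.developer.siri": True,
    },
    "ProvisionedDevices": ["CONSTRUCTED-UDID-0001"],   # placeholder UDID, not a real device
    "TeamIdentifier": ["A8WFE5231P"],
    "TeamName": "Team Rocket (Ent)",
    "TimeToLive": 365,
    "UUID": "760FB38B-F7CA-4789-B4A2-78B6B37B2217",
    "Version": 1,
}
# Fake CMS framing: a SEQUENCE header and the pkcs7-signedData OID around the plist,
# enough for extract_plist(). A real profile carries a full SignedData envelope.
SAMPLE_BLOB = (b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
               + plistlib.dumps(SAMPLE_PROFILE) + b"\x00" * 8)

# What `codesign -d --entitlements :- Yolo.app` shows for a release build (constructed)
APP_ENTITLEMENTS = {
    "application-identifier": "A8WFE5231P.com.yolo.ios.beta",
    "keychain-access-groups": ["A8WFE5231P.com.yolo.ios.beta"],
    "get-task-allow": False,
    "com.apple.developer.siri": True,
}

if __name__ == "__main__":
    p = extract_plist(SAMPLE_BLOB)
    print(check_profile(p, "A8WFE5231P.com.yolo.ios.beta", "CONSTRUCTED-UDID-0001",
                        APP_ENTITLEMENTS, "2017-06-01T00:00:00"))
    debug_build = dict(APP_ENTITLEMENTS, **{"get-task-allow": True})
    print(check_profile(p, "A8WFE5231P.com.yolo.ios", "OTHER-UDID",
                        debug_build, "2018-06-01T00:00:00"))
```

Locating the plist by scanning for the XML markers is the usual shortcut on CI boxes without `security`; it tells you what the profile says, not that Apple signed it, so keep the CMS verification step (or the real installer) in the loop before trusting the result.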
  44. Signing Code
      - After building is done, signing is performed
      - All the individual components of the app are signed
      - All sorts of code get signed, including tools, applications, scripts, libraries, plug-ins, ...
  45. Signing Code
      A code signature consists of three parts:
      - A seal
      - A digital signature
      - Code requirements
  46. Seal
      [figure: the seal as a list of hashes (illustrated as abc1234, badf00d, asd23f) of the code and its resources, which the digital signature then covers]
  49. Signature
      Signed code may contain several different digital signatures. If the code is universal, the object code for each slice (arch) is signed separately. This signature is stored within the binary file itself.
  50. Signature
      Various data components are sealed in _CodeSignature/CodeResources:
      - Bundle contents (e.g. Info.plist, sounds, images)
      - Nested code, libraries, tools
  51. $ vi _CodeSignature/CodeResources
      ...
      <key>AppIcon-Dev29x29~ipad.png</key>
      <data>
      uz2wfiTTUrftvAmfLV9iVgc210sO=
      </data>
      <key>[email protected]</key>
      <data>
      QBsZgAb7ostVQ10hvWLNfYmP7ECq=
      </data>
  52. Verifying
      The verifying software computes the same set of hashes across the various blocks of code and data, then uses the public key from the certificate to verify the signature over the sealed hashes (for RSA this is commonly described as "decrypting" the signature to recover the original hashes). If the recomputed hashes match the sealed ones, the signature is valid; any modified, added or missing sealed file changes a hash and fails verification.
  53. $ codesign -vvvv Lyft.app
      Lyft.app: valid on disk
      Lyft.app: satisfies its Designated Requirement
      $ echo "wat" >> Lyft.app/yolo   # adding a random file
      $ codesign -vvvv Lyft.app
      Lyft.app: a sealed resource is missing or invalid
      file added: /Users/marinusalj/Downloads/Payload/Lyft.app/yolo
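The slides from the seal onwards describe the seal, the signature over it and the verification loop, and the codesign session above shows what a failure looks like. The following is an added example, not Apple's code and not from the talk: a toy re-implementation in Python that writes a CodeResources-style plist of per-file SHA-256 hashes (Apple stores SHA-1 under "hash" and SHA-256 under "hash2"; only the latter is kept here), signs the digest of that plist, and verifies a bundle the way codesign does, reporting file added / modified / missing. The bundle Yolo.app and the files in it are constructed; the standard library has no RSA, so HMAC-SHA256 with a demo key stands in for the RSA signature of the real format (the recompute-and-compare logic is the same). The main executable is sealed here as an ordinary file, whereas real codesign signs it inside the Mach-O.

```python
"""Toy seal / sign / verify loop modelled on _CodeSignature/CodeResources.

Added example, not Apple's code and not code from the talk. The seal is a
plist mapping every bundle file to its SHA-256; the "signature" is an HMAC over
the digest of that plist (a stand-in for the RSA signature in the real format,
since the standard library has no RSA). Verification recomputes and compares.
"""
import hashlib
import hmac
import os
import plistlib
import tempfile
from pathlib import Path
from typing import Dict, List

SIG_DIR = "_CodeSignature"
RESOURCES = "CodeResources"
SIGNATURE = "CodeSignature"        # hypothetical file name for the toy signature
DEMO_KEY = b"constructed-demo-key-not-a-real-signing-key"


def _sealed_files(bundle: Path) -> List[Path]:
    """Every regular file in the bundle except the signature directory itself."""
    out: List[Path] = []
    for root, dirs, files in os.walk(bundle):
        dirs[:] = [d for d in dirs if d != SIG_DIR]
        out.extend(Path(root, f).relative_to(bundle) for f in files)
    return sorted(out)


def _sha256(path: Path) -> bytes:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.digest()


def build_seal(bundle: Path) -> Dict[str, Dict[str, bytes]]:
    """The seal: one hash per file, keyed by bundle-relative POSIX path."""
    return {p.as_posix(): {"hash2": _sha256(bundle / p)} for p in _sealed_files(bundle)}


def sign_bundle(bundle: Path, key: bytes = DEMO_KEY) -> bytes:
    """Write CodeResources (the seal) and a signature over its digest; return the signature."""
    sigdir = bundle / SIG_DIR
    sigdir.mkdir(exist_ok=True)
    resources = plistlib.dumps({"files2": build_seal(bundle)})
    (sigdir / RESOURCES).write_bytes(resources)
    # like the CodeDirectory: sign the digest of the seal, not each file separately
    sig = hmac.new(key, hashlib.sha256(resources).digest(), hashlib.sha256).digest()
    (sigdir / SIGNATURE).write_bytes(sig)
    return sig


def verify_bundle(bundle: Path, key: bytes = DEMO_KEY) -> List[str]:
    """Return [] when valid, otherwise codesign-style findings."""
    sigdir = bundle / SIG_DIR
    try:
        resources = (sigdir / RESOURCES).read_bytes()
        sig = (sigdir / SIGNATURE).read_bytes()
    except FileNotFoundError:
        return ["code object is not signed at all"]
    expected = hmac.new(key, hashlib.sha256(resources).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        # the seal itself was edited after signing, or signed with another key:
        # nothing listed in it can be trusted, so stop here
        return ["invalid signature (code or signature have been modified)"]
    sealed = plistlib.loads(resources)["files2"]
    on_disk = {p.as_posix() for p in _sealed_files(bundle)}
    findings: List[str] = []
    for rel, entry in sealed.items():
        if rel not in on_disk:
            findings.append(f"file missing: {rel}")
        elif _sha256(bundle / rel) != entry["hash2"]:
            findings.append(f"file modified: {rel}")
    for rel in sorted(on_disk - set(sealed)):
        findings.append(f"file added: {rel}")
    if findings:
        findings.insert(0, "a sealed resource is missing or invalid")
    return findings


def make_demo_bundle(root: Path) -> Path:
    """Constructed sample bundle standing in for Yolo.app from the slides."""
    app = root / "Yolo.app"
    (app / "Frameworks").mkdir(parents=True, exist_ok=True)
    (app / "Info.plist").write_bytes(plistlib.dumps({"CFBundleIdentifier": "com.yolo.ios.beta"}))
    (app / "Yolo").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 64)       # fake Mach-O magic + padding
    (app / "Frameworks" / "libswiftCore.dylib").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x01" * 32)
    return app


def run_demo() -> Dict[str, List[str]]:
    """Sign a constructed bundle, then tamper with it several ways; findings per step."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        app = make_demo_bundle(Path(tmp))
        sign_bundle(app)
        results["clean"] = verify_bundle(app)
        (app / "yolo").write_text("wat\n")                  # echo "wat" >> Yolo.app/yolo
        results["added"] = verify_bundle(app)
        (app / "yolo").unlink()
        with open(app / "Info.plist", "ab") as fh:
            fh.write(b"\n")                                  # touch a sealed resource
        results["modified"] = verify_bundle(app)
        results["wrong_key"] = verify_bundle(app, key=b"another-key")
        # re-seal without re-signing: the hashes now match the disk, the signature does not
        (app / SIG_DIR / RESOURCES).write_bytes(plistlib.dumps({"files2": build_seal(app)}))
        results["reseal_without_resign"] = verify_bundle(app)
        sign_bundle(app)                                     # sign properly again, then drop a file
        (app / "Frameworks" / "libswiftCore.dylib").unlink()
        results["missing"] = verify_bundle(app)
    return results


if __name__ == "__main__":
    for step, findings in run_demo().items():
        print(f"{step}: {findings}")
```

The order of checks matters: the signature over the seal is verified first, because once the seal file is untrusted every per-file hash in it is meaningless, which is why codesign reports a generic "invalid signature" for a tampered CodeResources rather than a list of files.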
  58. Try now, I've fixed provisioning profiles
  59. tl;dr
      - Always know which machine generated the private keys
      - Store certs together with their keys, encrypted, in .p12 files
      - The private key is needed for signing!
  60. tl;dr
      - codesign is deterministic, xcodebuild phones home
      - Unpack the .p12 yourself on CI instead of relying on developer.apple.com
      - Debug systematically, step by step, instead of brute forcing
  61. References
      - newosxbook.com/articles/CodeSigning.pdf
      - https://wiki.cacert.org/ConvertingPgpKeyToCertificate
      - https://en.wikipedia.org/wiki/Certificate_signing_request
      - https://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER
      - https://developer.apple.com/support/certificates
      - https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html
      - https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
      - https://www.raywenderlich.com/2915/ios-code-signing-under-the-hood
      - https://developer.apple.com/library/content/technotes/tn2206/_index.html#/apple_ref/doc/uid/DTS40007919-CH1-TNTAG207
      - https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/LaunchingYourApponDevices/LaunchingYourApponDevices.html#//apple_ref/doc/uid/TP40012582-CH27-SW4
      - https://www.objc.io/issues/17-security/inside-code-signing/
      - https://developer.apple.com/library/content/qa/qa1798/_index.html
      - https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html