OS X codesign nested code is modified or invalid - macos

Qt4 application with bundle structure like that:
QtCore.framework/
QtCore -> Versions/Current/QtCore
Resources -> Versions/Current/Resources
Versions/
4/
QtCore
Resources/
Info.plist
Current -> 4
codesign --verbose --force --deep --sign "Certificate Name" Test.app
Result: Test.app: signed bundle with Mach-O thin (x86_64) [...]
"Certificate Name" is Comodo code sign certificate
codesign --verify -vvvv Test.app
Test.app: nested code is modified or invalid
codesign --verbose --verify Test.app/Contents/Frameworks/QtCore.framework
Test.app/Contents/Frameworks/QtCore.framework: valid on disk
Test.app/Contents/Frameworks/QtCore.framework: does not satisfy its designated Requirement
p.s. I have tried to sign manually all framework/dylib without option --deep and the same result.

create a folder called A inside versions with same contents of 4, change the symbolic links to the A folder especially current->A
try signing now and it may sign. But the problem may be with the binary, it will use a different framework than A, which you can check with otool -L (take care big L and not small l)
to change it, you need to use install_name_tool
good luck and have fun

Related

Sign a XAR with productsign is corrupting the archive file

I am trying to use productsign to sign a XAR archive containing 2 pkg files created using productbuild . The xar tool is creating the file correctly, but I think the signing is corrupting the content, even though the file obtained is signed.
Some relevant command outputs below (I replaced the sensitive information with INFO):
$ ls .
file1.pkg file2.pkg
$
$ xar -cf '../_file.xar' .
$
$ cd ..
$ /usr/bin/productsign --sign 'Developer ID Installer: INFO' '_file.xar' 'file.xar'
productsign: using timestamp authority for signature
productsign: signing product with identity "Developer ID Installer: INFO" from keychain /Users/INFO/Library/Keychains/login.keychain
productsign: adding certificate "Developer ID Certification Authority"
productsign: adding certificate "Apple Root CA"
productsign: Wrote signed product archive to file.xar
$
$ /usr/sbin/pkgutil --check-signature 'file.xar'
Package "file.xar":
Status: signed by a certificate trusted by Mac OS X
Certificate Chain:
1. Developer ID Installer: INFO
SHA1 fingerprint: INFO
-----------------------------------------------------------------------------
2. Developer ID Certification Authority
SHA1 fingerprint: INFO
-----------------------------------------------------------------------------
3. Apple Root CA
SHA1 fingerprint: INFO
$ file file.xar
file.xar: xar archive - version 1
$
$ xar -xf file.xar -D /tmp
Error while extracting archive:(file1.pkg): Error decompressing file
$
Is the productsign command intended to work in some other way? I don't understand what is wrong with my approach.
After some testing, I found out xar is using relative paths inside the archive, so in my case there was a problem because I used "../" inside a path name.

Unable to sign app bundle using Qt frameworks on OS X 10.10

I am having trouble signing Qt Based application un OS X. I am using Qt 5.3.2.
I have read various information source that contain contradictory information.
Here is the content of my application bundle after I run the bin/macdeployqt Qt utility
SimpleHello.app/
Contents/
Info.plist
PkgInfo
Frameworks/
QtCore.framework/
Resources/
Versions/
5/
QtCore
QtGui.framework/ ... same as Qt core
QtPrintSupport.framework/ ... same as Qt core
QtWidgets.framework/ ... same as Qt core
MacOS/
SimpleHello
PlugIns/ ... some plugins
Resources/
empty.lproj
qt.conf
First:
I tried: http://successfulsoftware.net/2012/08/30/how-to-sign-your-mac-os-x-app-for-gatekeeper/
However, it seems that it is not valid anymore in OS X 10.10 Yosemite
Second:
I tried: Sign a Framework for OSX 10.9
I was able to sign the whole application without any error. However, when running spctl to verify the validity of the application, I get
spctl -a -vvvv SimpleHello.app
SimpleHello.app/: rejected
source=obsolete resource envelope
origin=Developer ID Application: MY CERTIFICATE
Additionally when verifying signature with codesign, I get this:
codesign --verify --deep --verbose=4 SimpleHello.app
--prepared:/My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework
--validated:/My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework
SimpleHello.app/: embedded framework contains modified or invalid version
In subcomponent: /My/Path/SimpleHello.app/Contents/Frameworks/QtCore.framework
Third:
Added the --no-strict option in codesign verification according to: Error when export archive
It fixes the issue with codesign verification but does not fix the spctl issue.
Forth:
I tried adding the --no-legacy-signing option when signing frameworks. However I get this error when verifying the bundle signature (both with codesign and spctl
codesign --verify --deep --verbose=4 SimpleHello.app
SimpleHello.app/: code has no resources but signature indicates they must be present
Fifth:
Modified the framework structure according to:
http://qt-project.org/forums/viewthread/47768
and
https://gist.github.com/kingcheez/6154462d7734e0c0f3a4
In this case I get this error when trying to sign frameworks
SimpleHello.app/Contents/Frameworks/QtCore.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtGui.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtPrintSupport.framework: unsealed contents present in the root directory of an embedded framework
SimpleHello.app/Contents/Frameworks/QtWidgets.framework: unsealed contents present in the root directory of an embedded framework
EDIT: It seems that the issue with the unsealed contents present in the root directory of an embedded framework was because one of the simlink was malformed. It was:
QtCore.framework.framework/Versions/Current -> 5/
Instead of
QtCore.framework.framework/Versions/Current -> 5
After this fix, I still get the same result as in Sixth though.
Sixth:
Added the --no-strict option when calling codesign for Frameworks. I was able to sign all frameworks except for one
SimpleHello.app//Contents/Frameworks/QtCore.framework: signed bundle with Mach-O thin (x86_64) [.]
SimpleHello.app//Contents/Frameworks/QtGui.framework: signed bundle with Mach-O thin (x86_64) [.]
SimpleHello.app//Contents/Frameworks/QtPrintSupport.framework: code object is not signed at all
In subcomponent: /My/Path/SimpleHello.app/Contents/Frameworks/QtPrintSupport.framework/Versions/Current/QtPrintSupport
SimpleHello.app//Contents/Frameworks/QtWidgets.framework: signed bundle with Mach-O thin (x86_64) [.]
Seventh:
I posted this question since I don't know what to look for anymore
After digging a bit more, I figured out what the issue in section seventh was: Some of the Qt Framework contain bad information in the Info.plist files (framework name ends with _debug)
I came out with this script that fixes all issues (there are still a few hardcoded values that could probably get processed with some improvement to the script)
#!/bin/bash
# Script name: deploy.sh
# Following environment variables must be defined:
# - QT_FRAMEWORK_PATH
# - QT_BIN_PATH
# - CERTIFICATE
# - FRAMEWORKS
# - BAD_FRAMEWORKS
# retrieve bundle name from first parameter
BUNDLE_NAME=$1
# Run QT tool to deploy
${QT_BIN_PATH}/macdeployqt $BUNDLE_NAME
# FIX ISSUE 6
# Please note that Qt5 frameworks have incorrect layout after SDK build, so this isn't just a problem with `macdeployqt` but whole framework assembly part.
# Present
# QtCore.framework/
# Contents/
# Info.plist
# QtCore -> Versions/Current/QtCore
# Versions/
# Current -> 5
# 5/
# QtCore
# After macdeployqt
# QtCore.framework/
# Resources/
# Versions/
# 5/
# QtCore
#
# Expected
# QtCore.framework/
# QtCore -> Versions/Current/QtCore
# Resources -> Versions/Current/Resources
# Versions/
# Current -> 5
# 5/
# QtCore
# Resources/
# Info.plist
# So in order to comply with expected layout: https://developer.apple.com/library/mac/documentation/MacOSX/Conceptual/BPFrameworks/Concepts/FrameworkAnatomy.html
for CURRENT_FRAMEWORK in ${FRAMEWORKS}; do
echo "Processing framework: ${CURRENT_FRAMEWORK}"
echo "Deleting existing resource folder"
rmdir ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources
echo "create resource folder"
mkdir -p ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/5/Resources
echo "create copy resource file"
cp ${QT_FRAMEWORK_PATH}/${CURRENT_FRAMEWORK}.framework/Contents/Info.plist $BUNDLE_NAME/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/5/Resources/
echo "create symbolic links"
ln -nfs 5 ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Versions/Current
ln -nfs Versions/Current/${CURRENT_FRAMEWORK} ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/${CURRENT_FRAMEWORK}
ln -nfs Versions/Current/Resources ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources
done
# FIX ISSUE 7
echo "***** Correct Frameworks Info.plist file*****"
for CURRENT_FRAMEWORK in ${BAD_FRAMEWORKS}; do
echo "Correcting bad framework Info.plist: ${CURRENT_FRAMEWORK}"
TMP=$(sed 's/_debug//g' ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources/Info.plist)
echo "$TMP" > ${BUNDLE_NAME}/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework/Resources/Info.plist
done
# SIGNING FIXED FRAMEWORK
CODESIGN_OPTIONS="--verbose=4"
#echo "******* Sign QtWebEngineProcess ***********"
#codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" $BUNDLE_NAME/Contents/Frameworks/QtWebEngineCore.framework/Versions/Current/Helpers/QtWebEngineProcess.app
echo "******* Sign Frameworks-subApps ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" $BUNDLE_NAME/Contents/Frameworks/*.framework/Versions/*/*/*.app
echo "******* Signing Frameworks ***********"
for CURRENT_FRAMEWORK in ${FRAMEWORKS}; do
echo "Signing framework: ${CURRENT_FRAMEWORK}"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" $BUNDLE_NAME/Contents/Frameworks/${CURRENT_FRAMEWORK}.framework
done
# Sign plugins
echo "******* Signing Plugins ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "${CERTIFICATE}" ${BUNDLE_NAME}/Contents/Plugins/*/*.dylib
# Sign bundle itself
echo "******* Signing Bundle ***********"
codesign --force --verify ${CODESIGN_OPTIONS} --sign "$CERTIFICATE" $BUNDLE_NAME
# Verify
echo "******* Verify Bundle ***********"
codesign --verify --deep ${CODESIGN_OPTIONS} $BUNDLE_NAME
echo "******* Verify Bundle using dpctl ***********"
spctl -a -vvvv $BUNDLE_NAME
As for calling the script:
# Define environment variables
export QT_FRAMEWORK_PATH=/Path/To/Qt_5.3.2/5.3/clang_64/lib
export QT_BIN_PATH=/Path/To/Qt_5.3.2/5.3/clang_64/bin
export CERTIFICATE="Developer ID Application: My Certificate"
export FRAMEWORKS="QtCore QtGui QtPrintSupport QtWidgets"
export BAD_FRAMEWORKS="QtPrintSupport"
# Call itself
deploy.sh SimpleHello.app
With this script, the final output is:
SimpleHello.app/: accepted
source=Developer ID
origin=Developer ID Application: My Certificate (HASH)
I run a script similar to this after running macdeployqt:
#!/bin/bash
#copy .plist files to frameworks
cp "/usr/local/Trolltech/Qt-4.8.5/lib/QtCore.framework/Contents/Info.plist" "SimpleHello.app/Contents/Frameworks/QtCore.framework/Resources/Info.plist"
#copy folders to proper location
cp -r "SimpleHello.app/Contents/Frameworks/QtCore.framework/Resources" "SimpleHello.app/Contents/Frameworks/QtCore.framework/Versions/4/Resources"
#delete old folders
rm -rf "SimpleHello.app/Contents/Frameworks/QtCore.framework/Resources"
#create symlinks
ln -s "Versions/4/Resources" "SimpleHello.app/Contents/Frameworks/QtCore.framework/Resources"
After, I use:
codesign --deep -f -s
and it works, just add the missing frameworks in a similar fashion.
I haven't tried it with qt 5+ but it might work for it to.

Terminal's "codesign" command trouble

I've been trying to use the "codesign" command on Mail.app so that I can modify the info.plist using the "defaults write" command. It used to work, but after I re-installed Yosemite, I get this result when running the command:
/Applications/Mail.app: no identity found
I ran this command:
codesign -f -s /Applications/Mail.app
If anyone could tell me how I could properly run the codesign command on Mail.app so that I can modify the info.plist of Mail.app using the "defaults write" command, that would be nice! Thanks!
You're just missing a parameter here. I can re-codesign an app using --force and specifying exactly which signature I want to use:
$ codesign --force -s "Developer ID Application: Michael Dautermann" Mail.app
Mail.app: replacing existing signature
And if you want to verify that Mail.app is indeed signed, here is what my copy of Mail looks like before I forced my signature onto it:
$codesign --display --verbose=4 Mail.app
Executable=/Applications/Mail.app/Contents/MacOS/Mail
Identifier=com.apple.mail
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=23743 flags=0x0(none) hashes=1179+5 location=embedded
Hash type=sha1 size=20
CDHash=a3920218afa4f082aac98bf486dd797b13fde588
Signature size=4097
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=41
TeamIdentifier=not set
Sealed Resources version=2 rules=15 files=262
Internal requirements count=1 size=64

Codesigning Kext with kext enabled certificate fails during kextload, "code signature invalid"

So we have a certificate that allows us to sign kexts,
but when we run > sudo kextload friendly.kext, it fails
and we sign the kext we want, and to prove it's signed, here's some diagnostic output:
👉 codesign --verify -vvvv friendly.kext
friendly.kext: valid on disk
friendly.kext: satisfies its Designated Requirement
👉 spctl -a -vvvv friendly.kext
friendly.kext: accepted
source=Developer ID
origin=Developer ID Application: Friendly Corporation
/Library/Extensions
👉 codesign -dvvv friendly.kext
Executable=/Library/Extensions/friendly.kext/Contents/MacOS/friendly
Identifier=com.friendly.friendly
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20200 size=502 flags=0x0(none) hashes=18+3 location=embedded
Hash type=sha1 size=20
CDHash=a1e2bf8d53ea67c6cfe9fc3d6d2001fe56c838a7
Signature size=8528
Authority=Developer ID Application: Friendly Corporation
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Oct 9, 2014, 11:49:02 AM
Info.plist entries=21
TeamIdentifier=1234567890
Sealed Resources version=2 rules=12 files=1
Internal requirements count=1 size=180
👉 codesign --verify -vvvv friendly.kext
friendly.kext: valid on disk
friendly.kext: satisfies its Designated Requirement
It looks like it's signed properly;
However, when I run > sudo kextutil -v friendly.kext :
Defaulting to kernel file '/System/Library/Kernels/kernel'
Diagnostics for /Library/Extensions/friendly.kext:
Code Signing Failure: code signature is invalid
/Library/Extensions/friendly.kext appears to be loadable (not including linkage for on-disk libraries).
ERROR: invalid signature for com.techsmith.friendly, will not load
I'm thinking either I downloaded the certificate wrong (we definitely got approved for kext signing), although I tried redownloading the certificate once before so that may not be the problem.
Otherwise, it's the way that I'm signing. I'm thinking maybe it has something to do with the permissions I set on the kext before I sign them?
Has anybody seen this problem before?
Thanks in advance!
The kext signing certificate must have the extension "( 1.2.840.113635.100.6.1.18 )" listed - this is what designates it as a kext-enabled certificate. You can easily verify this by viewing it in Keychain Access.app. (it's listed near the bottom, below extension "( 1.2.840.113635.100.6.1.13 )" which I think is used for apps and thus present in all Developer ID certificates)

Continuous Integration Code Signing issue

I've been working on setting up a TeamCity continuous integration build agent for my iOS builds and I've run into a bit of a road block.
We're going to be making builds for different clients with different certificates and mobile provisioning profiles, so I figured I would write a build script that would create an unsigned archive, then sign it with the appropriate identity and mobileprovision. It seems like the xcrun command doesn't like that the .app file is not signed, and therefore won't sign it.
Am I doing something wrong, or is there some other, more elegant way of accomplishing what I'm trying to do?
Infodump follows...
I'm creating the unsigned build with the following command:
xcodebuild -workspace "[workspace].xcworkspace" -scheme "[scheme]" clean archive CODE_SIGN_ENTITY="" CODE_SIGNING_REQUIRED=NO
Then, I'm attempting to code sign and create the IPA with this command:
APP=[path to .app file in archive]
OUT_IPA=[desired location of .ipa]
IDENTITY=[CodeSigning Identity]
MOBILE_PROVISION=[path to .mobileprovision]
xcrun -sdk iphoneos PackageApplication -v "${APP}" -o "${OUT_IPA}" --sign "${IDENTITY}" --embed "${MOBILE_PROVISION}"
The xcrun command prints a bunch of debug info, then copies files around to temporary directories. Then it checks the original app
### Checking original app
+ /usr/bin/codesign --verify -vvvv /Users/jibanez/Library/Developer/Xcode/Archives/2012-09-14/[scheme] 9-14-12 12.02 PM.xcarchive/Products/Applications/[product].app
Program /usr/bin/codesign returned 1 : [/Users/jibanez/Library/Developer/Xcode/Archives/2012-09-14/[scheme] 9-14-12 12.02 PM.xcarchive/Products/Applications/[product].app: code object is not signed at all
In architecture: armv7
]
Codesign check fails : /Users/jibanez/Library/Developer/Xcode/Archives/2012-09-14/[scheme] 9-14-12 12.02 PM.xcarchive/Products/Applications/[product].app: code object is not signed at all
In architecture: armv7
Done checking the original app
This seems about right. After all, I didn't code sign the archive, that's what xcrun is supposed to do. Here's where things get weird:
### Embedding '/Users/jibanez/Documents/[projectdir]/codesign/[scheme]/842F2922-D0CB-46CE-81E5-B7362DD1D960.mobileprovision'
+ /bin/rm -rf /var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/Payload/[product].app/embedded.mobileprovision
Program /bin/rm returned 0 : []
+ /bin/cp -rp /Users/jibanez/Documents/[projectdir]/codesign/[scheme]/mobileProvision.mobileprovision /var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/Payload/[product].app/embedded.mobileprovision
Program /bin/cp returned 0 : []
+ /usr/bin/codesign -d --entitlements /var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/entitlements_rawwAdCadPV /var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/Payload/[product].app
Program /usr/bin/codesign returned 1 : [/var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/Payload/[product].app: code object is not signed at all
]
error: Failed to read entitlements from '/var/folders/hh/qhf8930s5hg8lwbp2j_zsdm822y1s1/T/NycIiYdEYe/Payload/[product].app'
Failed: PackageApplication

Resources