Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Code signing on iOS/OSX

Marin Usalj
March 07, 2017
Education
2
450

Code signing on iOS/OSX

Talk about understanding elements of code signing on iOS and OSX.
It shows different file formats and open standards used for signatures, and some common usage.

Marin Usalj

March 07, 2017
Tweet

More Decks by Marin Usalj

See All by Marin Usalj
Launch Arguments - the mysteries
supermarin
1
170
Swift for CLI tools
supermarin
15
25k
CocoaPods intro
supermarin
2
200
Private pods - best practices
supermarin
1
140
CLI apps. For fun and profit
supermarin
4
16k
Alcatraz internals
supermarin
2
250
ObjectiveSugar & ObjectiveRecord
supermarin
5
500
Alcatraz - Xcode package manager
supermarin
3
280
BubbleWrap
supermarin
3
310

Other Decks in Education

See All in Education
世界のオープンソースロボットたち #1
shiba_8ro
0
130
Skynet to Schoolnet
draycottmc
0
160
The Blockchain Game
jscottmo
0
3.6k
Flinga
matleenalaakso
2
13k
ACT FAST 20240830
japanstrokeassociation
0
260
Kaggle 班ができるまで
abap34
1
190
Evaluation Methods - Lecture 6 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
670
【COPILOT無料セミナー】エンゲージメントと自律性の高いプロジェクト型人材育成に向けて~プロジェクト・ベースド・ラーニング(PBL)という選択肢~
copilot
PRO
0
110
20240810_ワンオペ社内勉強会のノウハウ
ponponmikankan
2
860
小学生にスクラムを試してみた件~中学受検までの100週間の舞台裏~
ukky86
0
320
HCI Research Methods - Lecture 7 - Human-Computer Interaction (1023841ANR)
signer
PRO
0
670
謙虚なアジャイルコーチ__アダプティブ_ムーブ_による伴走支援.pdf
antmiyabin
0
240

Featured

See All Featured
Making Projects Easy
brettharned
115
5.9k
Six Lessons from altMBA
skipperchong
26
3.5k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k
The Language of Interfaces
destraynor
154
24k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
664
120k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
Done Done
chrislema
181
16k
Being A Developer After 40
akosma
86
590k
The Art of Programming - Codeland 2020
erikaheidi
51
13k
Docker and Python
trallard
40
3.1k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
Producing Creativity
orderedlist
PRO
341
39k

Transcript

  1. September 27, 2017 | Marin Usalj Understanding Code Signing on

    iOS/OSX

  2. September 27, 2017 | MARIN USALJ Like a signature written

    with ink on paper, a digital signature can be used to identify and authenticate the signer. However, a digital signature is more difficult to forge, and goes one step further: it can ensure that the signed data has not been altered. APPLE.COM

  3. September 27, 2017 | MARIN USALJ As a user, you're

    sure you're getting authorized software Protects developers from unauthorized copying User Benefits

  4. September 27, 2017 | MARIN USALJ Apple Benefits All the

    mentioned customer benefits Makes it impossible for programs to download and run more software No competition for the App Store™ (iOS only)

  5. September 27, 2017 | MARIN USALJ Code Signing Introduced on

    iOS from the first day of the App Store Creeping through Gatekeeper on OSX (> 10.8)

  6. September 27, 2017 | MARIN USALJ Why this talk Why

    this talk vs just Fastlane and going home

  7. September 27, 2017 | MARIN USALJ Why this talk vs

    just Fastlane Why this talk vs just Fastlane and going home

  8. September 27, 2017 | MARIN USALJ Why this talk vs

    just Fastlane and going home

  9. September 27, 2017 | MARIN USALJ Thousands of dev hours

    wasted Things break Important to understand the underlying technology Why this talk

  10. September 27, 2017 | MARIN USALJ Code Signing on Apple

    platforms Open source tools in combination with Apple's proprietary ones Relies on public-key cryptography based on the X.509 standard (like TLS/SSL) Keychain Access utility manages the X.509 infrastructure on OSX

  11. September 27, 2017 | MARIN USALJ CSR

  12. September 27, 2017 | MARIN USALJ CSR In Public Key

    Infrastructure systems, message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.

  13. September 27, 2017 | MARIN USALJ 

  14. September 27, 2017 | MARIN USALJ 

  15. September 27, 2017 | MARIN USALJ Generated by 

  16. September 27, 2017 | MARIN USALJ  Generated by

  17. September 27, 2017 | MARIN USALJ CSR This all happens

    locally.

  18. September 27, 2017 | MARIN USALJ $ cat pl.csr -----BEGIN

    CERTIFICATE REQUEST----- asOdUe4+lRFvD4BtYExCZanetA3geXBUrf5wgOydIZlS4EeYQyBfWK9SidZpXc Np/JCEJeyQZH95P2+AvCY+QpuBxNa4z6TMIq/ gOIn+CT+9YENjgCXjNGNfyNeoVQBdm8v22jN15SST9JmfqlWP7P9qsdbPkTFl7 3MqWiKG6bNf/ ... ommitted... BQMBFHmLEx85uttpGvDcIxL3iwFC2l3aaFl88lVuV68dKzgaNtvUpIT+H5lQAf 3cNBh5Mm6tHXegPicOwfKSFW+sfkkZAvDLfovd2WClnecmE9/ fHrLlnYTGtbJr/ h10BLBptxWkmsKPbN110PE5ScGhfzhVrBh+BFGSIZFQ10tqxMZRklsepc6RlFM 2kCcbU= -----END CERTIFICATE REQUEST-----

  19. September 27, 2017 | MARIN USALJ $ openssl asn1parse -i

    -in pl.csr 17:d=5 hl=2 l= 9 prim: OBJECT :emailAddress 28:d=5 hl=2 l= 19 prim: IA5STRING :[email protected] 53:d=5 hl=2 l= 3 prim: OBJECT :commonName 58:d=5 hl=2 l= 11 prim: UTF8STRING :Marin Usalj 75:d=5 hl=2 l= 3 prim: OBJECT :countryName 80:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US 90:d=4 hl=2 l= 9 prim: OBJECT :rsaEncryption 101:d=4 hl=2 l= 0 prim: NULL 103:d=3 hl=4 l= 271 prim: BIT STRING 378:d=2 hl=2 l= 0 cons: cont [ 0 ] 380:d=1 hl=2 l= 13 cons: SEQUENCE 382:d=2 hl=2 l= 9 prim: OBJECT :sha256WithRSAEncryption

  20. September 27, 2017 | MARIN USALJ $ openssl req -text

    -noout -in pl.csr Certificate Request: Data: Version: 0 (0x0) Subject: [email protected], CN=Marin Usalj, C=US Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): ed:89:b8:54:dd:fa:fd:87:db:03:07:10:6e:2e:a4: 7a:8b:07:cf:68:5c:af:bf:4a:8e:42:fe:14:db:2b: a0:2f:e9:76:8b:eb:53:76:a7:09:fb:0e:ed:bd:70: 00:a4:9c:c2:5c:61:a5:44:cb:e6:a0:76:a2:02:aa: ... ommitted ...

  21. September 27, 2017 | MARIN USALJ $ openssl req -text

    -noout -in pl.csr Certificate Request: ... ommitted ... Signature Algorithm: sha256WithRSAEncryption db:02:97:b4:d2:dc:7d:44:dd:35:e6:6e:34:9d:7f:20:c1:eb: c2:7a:8a:6d:f5:87:ed:91:15:e4:f1:1a:67:24:10:55:b3:c2: 7c:fb:5a:88:bd:34:6e:4b:9a:e2:bf:89:2a:4e:f3:4a:e1:d7: ac:65:71:09:0d:fe:47:31:bb:a1:07:3f:86:c5:f7:75:50:e2: 9b:74:9c:d3:31:13:7a:f3:06:9b:fc:81:f7:15:78:2e:79:61: 34:6b:c7:71:93:45:ec:14:63:97:f8:37:cd:5f:d6:39:f3:6b: 22:34:c8:4b:ab:ae:ca:ba:c9:c8:ed:30:25:4a:31:01:85:bf: ... ommitted ...

  22. September 27, 2017 | MARIN USALJ Private / Public Key

    Pair

  23. September 27, 2017 | MARIN USALJ Key Pair RSA (2048

    bit) Public key: Embedded in CSRs, certificates, shared Private key: Used for actual signing. Should not be shared

  24. September 27, 2017 | MARIN USALJ Key Pair Creating CSRs

    / certs on several Macs can be a problem Certificate you generate on one machine WILL NOT be usable for code signing on a machine that does not have that private key Forgetting this is a great way to waste hours and get angry

  25. September 27, 2017 | MARIN USALJ

  26. September 27, 2017 | MARIN USALJ Certificate

  27. September 27, 2017 | MARIN USALJ Certificate Broadly - A

    public key combined with additional information, Signed by Certificate Authority (CA) stating that the information in the certificate is correct.

  28. September 27, 2017 | MARIN USALJ Certificate It's a guarantee

    that: - you, the named developer, built this code - you are a member of the developer program - Apple has issued you a certificate to do so

  29. September 27, 2017 | MARIN USALJ  

  30. September 27, 2017 | MARIN USALJ  

  31. September 27, 2017 | MARIN USALJ Not Before: Sep 2

    18:40:48 2016 GMT Not After: Sep 2 18:40:48 2017 GMT Signature Algorithm: sha256WithRSAEncryption 4d:f7:2d:ce:67:2a:41:19:6a:ad:2d:d2:01:ad:45:97:b9:42: c4:bb:ba:37:16:2a:a9:5a:aa:3b:a6:b0:5c:c6:86:1c:f3:fc: 59:a0:9d:4c:b3:c4:8f:6c:3f:6d:3b:a1:c6:00:52:db:e4:ff: c5:a5:6b:69:c0:1a:bd:28:a0:e1:6e:0d:23:2c:8c:99:42:6f: 96:8e:10:18:a5:55:c2:8f:78:c6:cd:4b:dd:0f:6c:db:d0:34: 70:87:aa:4e:1c:fd:b2:38:23:04:a4:04:a0:d1:36:bb:e6:d2: aa:c4:32:77:c0:5d:1c:cf:ad:ff:dd:80:40:a7:82:6b:2a:75:  

  32. September 27, 2017 | MARIN USALJ

  33. September 27, 2017 | MARIN USALJ Not Before: Sep 2

    18:40:48 2016 GMT Not After: Sep 2 18:40:48 2017 GMT Signature Algorithm: sha256WithRSAEncryption 4d:f7:2d:ce:67:2a:41:19:6a:ad:2d:d2:01:ad:45:97:b9:42: c4:bb:ba:37:16:2a:a9:5a:aa:3b:a6:b0:5c:c6:86:1c:f3:fc: 59:a0:9d:4c:b3:c4:8f:6c:3f:6d:3b:a1:c6:00:52:db:e4:ff: c5:a5:6b:69:c0:1a:bd:28:a0:e1:6e:0d:23:2c:8c:99:42:6f: 96:8e:10:18:a5:55:c2:8f:78:c6:cd:4b:dd:0f:6c:db:d0:34: 70:87:aa:4e:1c:fd:b2:38:23:04:a4:04:a0:d1:36:bb:e6:d2: aa:c4:32:77:c0:5d:1c:cf:ad:ff:dd:80:40:a7:82:6b:2a:75:

  34. September 27, 2017 | MARIN USALJ $ openssl x509 -in

    marin.cer -inform DER -text -noout Certificate: Data: Version: 3 (0x2) Serial Number: 5a:a5:01:64:2e:8f:dd:62 Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority Validity Not Before: Sep 2 18:40:48 2016 GMT Not After : Sep 2 18:40:48 2017 GMT Subject: UID=XTD6RSHE3Y, CN=iPhone Developer: Marin Usalj (A4560M2TBD), OU=M3S82H073H, O=Playgrounds, Inc., C=US

  35. September 27, 2017 | MARIN USALJ $ openssl x509 -in

    marin.cer -inform DER -text -noout ... ommitted ... Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (2048 bit) Modulus (2048 bit): 3f:d6:7d:d0:d9:b2:4a:9b:95:0e:b5:33:68:01:e3: a4:1d:0d:f9:58:3a:b8:c6:aa:43:5d:35:a0:b1:8a: ... ommitted ... 42:e3:b2:4e:f3:4a:bd:bc:56:3a:bc:7b:4d:94:63: 1d:b4:aa:1e:64:7b:e1:eb:7d:28:9a:8d:31:b4:25: Exponent: 65537 (0x10001)

  36. September 27, 2017 | MARIN USALJ $ openssl x509 -in

    marin.cer -inform DER -text -noout ... ommitted ... X509v3 extensions: X509v3 Subject Key Identifier: BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0 keyid:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0:0D:BA:DF:00:DB:AD:F0 X509v3 Certificate Policies: Policy: 1.2.840.113635.100.5.1 User Notice: ... X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: critical Code Signing

  37. September 27, 2017 | MARIN USALJ $ openssl x509 -in

    marin.cer -inform DER -text -noout ... ommitted ... Signature Algorithm: sha256WithRSAEncryption 44:3c:85:fe:45:33:e4:dc:f8:4f:bb:dc:57:76:4f:f8:cd:32: 9b:4a:ca:35:83:a1:02:03:a6:d5:64:f2:96:96:3b:ad:86:97: 74:01:33:6c:df:2f:f8:46:17:d5:2f:00:b9:e2:8e:35:3a:46: 66:3d:1d:49:f5:cb:ff:04:1a:94:ae:9b:d7:ba:46:e7:bf:28: ... ommitted ... f8:f8:ba:3c:6c:db:b7:16:20:f7:e2:c2:23:ad:b4:b1:74:60: cf:5c:37:a0:a4:e0:76:d1:22:8a:1b:68:63:ad:c3:e1:4f:fd: ad:80:20:59

  38. September 27, 2017 | MARIN USALJ PKCS #12

  39. September 27, 2017 | MARIN USALJ PKCS #12 Archive file

    format for storing many cryptography objects as a single file Commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trust

  40. September 27, 2017 | MARIN USALJ Not Before: Sep 2

    18:40:48 2016 GMT Not After: Sep 2 18:40:48 2017 GMT Signature Algorithm: sha256WithRSAEncryption 4d:f7:2d:ce:67:2a:41:19:6a:ad:2d:d2:01:ad:45:97:b9:42: c4:bb:ba:37:16:2a:a9:5a:aa:3b:a6:b0:5c:c6:86:1c:f3:fc: 59:a0:9d:4c:b3:c4:8f:6c:3f:6d:3b:a1:c6:00:52:db:e4:ff: c5:a5:6b:69:c0:1a:bd:28:a0:e1:6e:0d:23:2c:8c:99:42:6f: 96:8e:10:18:a5:55:c2:8f:78:c6:cd:4b:dd:0f:6c:db:d0:34: 70:87:aa:4e:1c:fd:b2:38:23:04:a4:04:a0:d1:36:bb:e6:d2: aa:c4:32:77:c0:5d:1c:cf:ad:ff:dd:80:40:a7:82:6b:2a:75: Release.p12

  41. September 27, 2017 | MARIN USALJ PKCS #12 PKCS #12

    file may be encrypted and signed Internal storage containers are called SafeBags, may also be encrypted and signed

  42. September 27, 2017 | MARIN USALJ $ openssl pkcs12 -in

    marin.p12 -passinpass:passw0rd -passout pass:passw0rd MAC verified OK Bag Attributes friendlyName: iPhone Developer: [email protected] (ABCUT7VXYZ) localKeyID: BA DF 00 DB AD FO 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 subject=/UID=TBD6RSNF4Y/CN=iPhone Developer: [email protected] (ABCUT7VXYZ)/ OU=Q234J5G5G1/O=Marin Usalj/C=US issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority -----BEGIN CERTIFICATE----- LGh5IJEcCLvyzW+wV3SVIEIekP8x5lSXMAn7FiMg4IKh+sBCs4aIrcbiXov5YycQaT+gQHUc569hZY Ssdlz/asBQuqybJ+mCAMbBZ99jLM25wJO14l5IHd673EhrW/ ...ommitted... p7TVLKhK95bec7a1admvtJm+UbvJXzI7gEIfXZdvmh3FK4AVabvYoFlKwGzMavJB= -----END CERTIFICATE-----

  43. September 27, 2017 | MARIN USALJ $ openssl pkcs12 -in

    marin.p12 -passinpass:passw0rd -passout pass:passw0rd ... continued ... Bag Attributes friendlyName: iOS Developer: Marin Usalj (Marin Usalj) localKeyID: BA DF 00 DB AD FO 0D BA DF 00 DB AD F0 0D BA DF 00 DB AD F0 Key Attributes: <No Attributes> Enter PEM pass phrase: Verifying - Enter PEM pass phrase: -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: DES-EDE3-CBC,2FD20992DD748148 iUWOSSWoLOR8xgDD7VexOSSMuWjvbRhO/Cyzdqd2orpzVkYTKDmEIjy8BScUD2pmW/ ...ommitted... 2fex4o7ZyE7QMgg49Jau5eidAlksyaJpFXvvA/boSEFO3WJ4m3wxt2== -----END RSA PRIVATE KEY-----

  44. September 27, 2017 | MARIN USALJ Team, Bundle, App ID

  45. September 27, 2017 | MARIN USALJ Team ID Each dev

    account has a unique identifier You might have an enterprise and a production account with Apple: - Team Rocket = BHKW85A12H - Team Rocket (Ent) = A8WFE5231P

  46. September 27, 2017 | MARIN USALJ Bundle ID Each app

    should have it's own bundle ID in a reverse DNS format Beta: com.yolo.ios.beta AppStore: com.yolo.ios

  47. September 27, 2017 | MARIN USALJ App ID An app

    ID is composed of a team prefix followed by a bundle ID. A8WFE5231P. com.yolo.ios.beta

  48. September 27, 2017 | MARIN USALJ Device IDs Each iOS

    device has a unique identifier Used in provisioning profiles for whitelisting (much wow. very device)

  49. September 27, 2017 | MARIN USALJ Entitlements

  50. September 27, 2017 | MARIN USALJ Entitlements Which system resources

    an app is allowed to use, and under what conditions. Each entitlement has a default value, which in most cases disables the capability associated with the entitlement.

  51. September 27, 2017 | MARIN USALJ Entitlements examples iCloud Push

    notifications get-task-allow (debug builds only) Siri, ...

  52. September 27, 2017 | MARIN USALJ Entitlements Enable only resource

    access you need This minimizes damage potential if malicious code exploits your app

  53. September 27, 2017 | MARIN USALJ Entitlements Plist format Can

    be inspected from a compiled app

  54. September 27, 2017 | MARIN USALJ $ codesign -d --entitlements

    :- Yolo.app ... <key>application-identifier</key> <string>A8WFE5231P.com.yolo.ios.beta</string> <key>get-task-allow</key> <false/> <key>com.apple.developer.siri</key> <true/> ...

  55. September 27, 2017 | MARIN USALJ Provisioning Profiles

  56. September 27, 2017 | MARIN USALJ Provisioning Profiles When put

    together all these objects combine so that: - This unique app (App ID) - Can run on this restricted set of devices (UDIDs) - With a set of permssions (Entitlements) - With trust based on the signed Certificate.

  57. September 27, 2017 | MARIN USALJ Not Before: Sep 2

    18:40:48 2016 GMT Not After: Sep 2 18:40:48 2017 GMT Signature Algorithm: sha256WithRSAEncryption 4d:f7:2d:ce:67:2a:41:19:6a:ad:2d:d2:01:ad:45:97:b9:42: c4:bb:ba:37:16:2a:a9:5a:aa:3b:a6:b0:5c:c6:86:1c:f3:fc: 59:a0:9d:4c:b3:c4:8f:6c:3f:6d:3b:a1:c6:00:52:db:e4:ff: c5:a5:6b:69:c0:1a:bd:28:a0:e1:6e:0d:23:2c:8c:99:42:6f: 96:8e:10:18:a5:55:c2:8f:78:c6:cd:4b:dd:0f:6c:db:d0:34: 70:87:aa:4e:1c:fd:b2:38:23:04:a4:04:a0:d1:36:bb:e6:d2: aa:c4:32:77:c0:5d:1c:cf:ad:ff:dd:80:40:a7:82:6b:2a:75: Provisioning profile A8WFE5231P. com.yolo.ios.beta <key>Entitlements</key> <dict> <key>keychain-access-groups</key> <array> <string> A8WFE5231P.*</string> </array> <key>get-task-allow</key> <false/> <key>com.apple.developer.siri</key> <true/> 760FB38B-F7CA-4789-B4A2-78B6B37B2217 EXP. 2018-01-30T19:05:44Z Yolo Beta

  58. September 27, 2017 | MARIN USALJ Provisioning Profiles Not a

    PLIST Cryptographic Message Syntax (CMS), RFC 3852

  59. September 27, 2017 | MARIN USALJ $ security cms -D

    -i Yolo.app/embedded.mobileprovision <dict> <key>AppIDName</key> <string>XC com yolo ios beta</string> <key>ApplicationIdentifierPrefix</key> <array> <string> A8WFE5231P </string> </array> <key>CreationDate</key> <date>2017-01-30T19:05:44Z</date> <key>Platform</key> <array> <string>iOS</string> </array>

  60. September 27, 2017 | MARIN USALJ $ security cms -D

    -i Yolo.app/embedded.mobileprovision ... <key>TeamName</key> <string>Team Rocket (Ent)</string> <key>TimeToLive</key> <integer>365</integer> <key>UUID</key> <string>927br60c-h7ob-8362-g8l3-62ked01y0863</string> <key>Version</key> <integer>1</integer> </dict>

  61. September 27, 2017 | MARIN USALJ $ security cms -D

    -i Yolo.app/embedded.mobileprovision <key>DeveloperCertificates</key> <array> <data>hyMfz10PxbEahZCVeZvoXbRU7sUOhb1WpKxd6pl1UxSfG/ pm4kg1ABVBPTWy9ykk6UNh5xgEKdKQbkHGanfFCqmGwiDWDxxZWDhdO vd108Hjbr162Kg45XRWLWqZAY6XgsmI10BikHkM1077TpShJSBqH76rYeGuV sp7rTO6HKm+CSKxVsYhq10yM1Gf4vqHODNxTOPwwueenOWa+ThGiexIRN EpNFb3Hn792gFlUqRNrv373EgR ...ommitted... gIze2hoxtLn5JPOlkCDOp4mUgitmjOnAgcrojnB4qMbEA10emTYbI3bAR1IKb Rger5i8H8iSDi10ggbs27KINCp10F98rfa5ErKCKcPOKmvmax7E5P8PF79cZH uZe/7idS4SEJ10X6HiY7GznHWJg+Y928GBlQBhu8cikTO5nw44JTILe1/S2== </data> </array>

  62. September 27, 2017 | MARIN USALJ $ security cms -D

    -i Yolo.app/embedded.mobileprovision ... <key>Entitlements</key> <dict> <key>get-task-allow</key> <false/> <key>application-identifier</key> <key>com.apple.developer.siri</key> <true/> </dict> ...

  63. September 27, 2017 | MARIN USALJ Signing Code

  64. September 27, 2017 | MARIN USALJ Signing Code After building

    is done, signing is performed All the individual components of the app are signed Signing all sorts of code, including tools, applications, scripts, libraries, plug-ins, ...

  65. September 27, 2017 | MARIN USALJ Signing Code Code signature

    consists of three parts: - A seal - A digital signature - Code requirements

  66. September 27, 2017 | MARIN USALJ Seal Code signature consists

    of three parts: - A seal - A digital signature - Code requirements abc1234 badf00d asd23f

  67. September 27, 2017 | MARIN USALJ Signing Code Code signature

    consists of three parts: - A seal - A digital signature - Code requirements abc1234 badf00d asd23f + --------->

  68. September 27, 2017 | MARIN USALJ Signing Code Code signature

    consists of three parts: - A seal - A digital signature - Code requirements

  69. September 27, 2017 | MARIN USALJ Signature Signed code may

    contain several different digital signatures If the code is universal, the object code for each slice (arch) is signed separately. This signature is stored within the binary file itself

  70. September 27, 2017 | MARIN USALJ Signature Various data components

    signed in _CodeSignature/CodeResources - Bundle contents (e.g. Info.plist, sounds, images) - Nested code, libraries, tools

  71. September 27, 2017 | MARIN USALJ $ vi _CodeSignature/CodeResources <key>AppIcon-Dev29x29~ipad.png</key>

    <data> uz2wfiTTUrftvAmfLV9iVgc210sO= </data> <key>[email protected]</key> <data> QBsZgAb7ostVQ10hvWLNfYmP7ECq= </data>

  72. September 27, 2017 | MARIN USALJ Verifying Signatures

  73. September 27, 2017 | MARIN USALJ Verifying Verifying software computes

    the same set of hashes across the various blocks of code and data Public key from cert used to decrypt hashes -> original hashes If the two hashes match, the signature is valid

  74. September 27, 2017 | MARIN USALJ $ codesign -vvvv Lyft.app

    Lyft.app: valid on disk Lyft.app: satisfies its Designated Requirement $ echo yolo >> Lyft.app/yolo $ codesign -vvv --verify Lyft.app Lyft.app: a sealed resource is missing or invalid file added: /Users/marinusalj/Downloads/Payload/ Lyft.app/yolo

  75. September 27, 2017 | MARIN USALJ $ codesign -vvvv Lyft.app

    Lyft.app: valid on disk Lyft.app: satisfies its Designated Requirement $ echo yolo >> Lyft.app/yolo $ codesign -vvv --verify Lyft.app Lyft.app: a sealed resource is missing or invalid file added: /Users/marinusalj/Downloads/Payload/ Lyft.app/yolo

  76. September 27, 2017 | MARIN USALJ $ codesign -vvvv Lyft.app

    Lyft.app: valid on disk Lyft.app: satisfies its Designated Requirement $ echo "wat" >> Lyft.app/yolo # adding a random file $ codesign -vvv --verify Lyft.app Lyft.app: a sealed resource is missing or invalid file added: /Users/marinusalj/Downloads/Payload/ Lyft.app/yolo

  77. September 27, 2017 | MARIN USALJ $ codesign -vvvv Lyft.app

    Lyft.app: valid on disk Lyft.app: satisfies its Designated Requirement $ echo "wat" >> Lyft.app/yolo # adding a random file $ codesign -vvvv Lyft.app Lyft.app: a sealed resource is missing or invalid file added: /Users/marinusalj/Downloads/Payload/ Lyft.app/yolo

  78. September 27, 2017 | MARIN USALJ $ codesign -vvvv Lyft.app

    Lyft.app: valid on disk Lyft.app: satisfies its Designated Requirement $ echo "wat" >> Lyft.app/yolo # adding a random file $ codesign -vvvv Lyft.app Lyft.app: a sealed resource is missing or invalid file added: /Users/marinusalj/Downloads/Payload/ Lyft.app/yolo

  79. September 27, 2017 | MARIN USALJ tl;dr;

  80. September 27, 2017 | MARIN USALJ    Archiving

    is broken!

  81. September 27, 2017 | MARIN USALJ    Try

    now, I've fixed provisioning profiles

  82. September 27, 2017 | MARIN USALJ   

  83. September 27, 2017 | MARIN USALJ   

  84. September 27, 2017 | MARIN USALJ    ...

  85. September 27, 2017 | MARIN USALJ    㿄

  86. September 27, 2017 | MARIN USALJ ... 3 hours later

  87. September 27, 2017 | MARIN USALJ

  88. September 27, 2017 | MARIN USALJ  Generated by

  89. September 27, 2017 | MARIN USALJ  Needed for code

    signing Stored only on this Mac

  90. September 27, 2017 | MARIN USALJ tl;dr; Always know which

    machine generated the PKs Store certs with keys encrypted in .p12 files Private key is needed for signing!

  91. September 27, 2017 | MARIN USALJ tl;dr; Codesign is deterministic,

    xcodebuild phones home Unpack .p12 yourself on CI instead of relying on developer.apple.com Try debugging systematically step by step instead of brute forcing

  92. September 27, 2017 | MARIN USALJ References newosxbook.com/articles/CodeSigning.pdf https://wiki.cacert.org/ConvertingPgpKeyToCertificate https://en.wikipedia.org/wiki/Certificate_signing_request

    https://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER https://developer.apple.com/support/certificates https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/AboutCS/AboutCS.html https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and- csrs https://www.raywenderlich.com/2915/ios-code-signing-under-the-hood https://developer.apple.com/library/content/technotes/tn2206/_index.html#/apple_ref/doc/uid/DTS40007919-CH1-TNTAG207 https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/ LaunchingYourApponDevices/LaunchingYourApponDevices.html#//apple_ref/doc/uid/TP40012582-CH27-SW4 https://www.objc.io/issues/17-security/inside-code-signing/ https://developer.apple.com/library/content/qa/qa1798/_index.html https://developer.apple.com/library/content/documentation/IDEs/Conceptual/AppDistributionGuide/ MaintainingCertificates/MaintainingCertificates.html

  93. September 27, 2017 | MARIN USALJ Thanks PLAYGROUNDS, LYFT

  94. September 27, 2017 | MARIN USALJ @supermarin supermar.in Marin Usalj