
Jtool code signing resulting in empty requirements

Posted: Tue Jun 20, 2017 10:54 am
by Leandro
Hello, I am using jtool on Linux, and after signing an iOS binary and verifying the result with --sig I noticed that the requirements are empty. In the following snippets you can see what I am talking about.

Code:
$ jtool.ELF64 --sign --inplace --ident 7465293276 --ent Entitlements.plist app_patched
mmap(2) failed.. Defaulting to malloc, instead
Patching Linkedit by -87328 bytes
Patching Linkedit by 30416 bytes
Warning: Destructive option. Output (6113072 bytes) written to 9292_patched

Code:
$ jtool.ELF64 --sig app_patched
Blob at offset: 6082656 (30416 bytes) is an embedded signature
Code Directory (29875 bytes)
      Version:     20001
      Flags:       none
      CodeLimit:   0x5cd060
      Identifier:  7465893475 (0x2c)
      CDHash:        e4ce40d7faad23622828be93b96b1b919fa96efe (computed)
      # of Hashes: 1486 code + 5 special
      Hashes @155 size: 20 Type: SHA-1
 Empty requirement set (12 bytes)
Entitlements (474 bytes) (use --ent to view)

It seems that this is how jtool works by default; however, this is a problem since I need to re-sign the binary with a valid certificate.

To give you more context, what I am trying to do is:

- Insert a load_dylib command into the binary
- Sign with jtool the binary
- Sign with isign (external tool) the complete IPA archive
- Deploy to an iDevice the modified IPA
- Start the installed IPA in debug mode

Since the result of the jtool signature is a binary with an empty requirement set, I can't continue with the IPA signing process.
So my questions are:
- How can I sign without making the requirements empty?
- Is there a way to provide a valid mobileprovision file to jtool in order to properly sign the binary so it passes the verification check on a non-jailbroken device? This is how codesign in macOS does it.

Re: Jtool code signing resulting in empty requirements

Posted: Wed Jun 21, 2017 1:02 am
by morpheus
So.. I never actually needed to code requirements, which is why I left it as a null block (you can see that if you --sign and JDEBUG=1)

I can put that in. You could also try embedding the output of csreq(1). As for enabling signing with provisioning profiles, that's a *great* idea. Will take some work, but I will add it in a future release. Thank you.
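
Added example (not part of the thread and not jtool's code): a small parser for the requirements blob of an embedded signature, showing why `--sig` reports "Empty requirement set (12 bytes)": the blob is a header with a count of zero and nothing after it. The magic values and type numbers are the ones in Apple's published code-signing headers; the function name, the sample blobs and the placeholder payload are constructed for illustration.

```python
import struct

CSMAGIC_REQUIREMENT = 0xFADE0C00   # one compiled requirement
CSMAGIC_REQUIREMENTS = 0xFADE0C01  # requirement set (SuperBlob of requirements)
REQ_TYPES = {1: "host", 2: "guest", 3: "designated", 4: "library"}

def parse_requirement_set(blob):
    """Return [(type_name, offset, length)] for each requirement in the set."""
    if len(blob) < 12:
        raise ValueError("truncated requirement set header")
    # All fields are big-endian: magic, total length, number of index entries.
    magic, length, count = struct.unpack(">III", blob[:12])
    if magic != CSMAGIC_REQUIREMENTS:
        raise ValueError("not a requirement set: magic 0x%08x" % magic)
    index_end = 12 + 8 * count
    if length > len(blob) or index_end > length:
        raise ValueError("length/count fields exceed the blob")
    found = []
    for i in range(count):
        # Each index entry is (requirement type, offset from start of set).
        rtype, off = struct.unpack(">II", blob[12 + 8 * i:20 + 8 * i])
        if off < index_end or off + 8 > length:
            raise ValueError("requirement %d: offset out of range" % i)
        rmagic, rlen = struct.unpack(">II", blob[off:off + 8])
        if rmagic != CSMAGIC_REQUIREMENT or rlen < 8 or off + rlen > length:
            raise ValueError("requirement %d: bad magic or length" % i)
        found.append((REQ_TYPES.get(rtype, "type %d" % rtype), off, rlen))
    return found

# Constructed sample 1: the 12-byte empty set (header only, count = 0).
EMPTY_SET = struct.pack(">III", CSMAGIC_REQUIREMENTS, 12, 0)

# Constructed sample 2: a set holding one designated requirement whose
# 8-byte payload is a placeholder, not a real compiled expression.
_req = struct.pack(">II", CSMAGIC_REQUIREMENT, 16) + b"\x00" * 8
ONE_REQ_SET = (struct.pack(">III", CSMAGIC_REQUIREMENTS, 20 + len(_req), 1)
               + struct.pack(">II", 3, 20) + _req)

if __name__ == "__main__":
    for name, blob in (("empty", EMPTY_SET), ("one", ONE_REQ_SET)):
        print(name, len(blob), "bytes ->", parse_requirement_set(blob))
```

A set that carries a designated requirement is therefore always larger than 12 bytes, which makes the size printed by `--sig` a quick check on whether a requirement was embedded.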