Signed binary's signature in iOS and OS X

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby jorel » Thu Aug 04, 2016 1:53 pm

As most of us are aware, in the case of OS X and iOS the binaries are signed and the signature is verified before executing them.

For example, let's take the "/bin/ls" file as a starting point: where exactly is the signature stored for this binary?

What I have understood so far is the following: there is a hash for each 4KB of data, stored in the CodeDirectory. Also, there is a whole certificate chain embedded in the binary, which is used for signing it. But I am not able to determine where exactly the signature is stored in the binary, and what data is signed using the above-mentioned certificate chain. Is it the whole binary, or the hashes in the CodeDirectory? Any information on this will be very helpful for me.
jorel
 

Re: Signed binary's signature in iOS and OS X

Postby morpheus » Thu Aug 04, 2016 3:55 pm

The LC_CODE_SIGNATURE load command points to the area of the code signature. It's essentially a "blob", which is composed of a superblob and minor blobs, each with different magic values. The main one of interest is the "code directory", which contains the hashes.

You can use jtool --sig to dump the whole thing:

Mes-Mac:Desktop morpheus$ ~/jtool --sig /bin/ls
Warning: companion file /bin/ls.x86_64.C32DC04B-356F-306A-826D-027BB7D880AD not found
Blob at offset: 29136 (9488 bytes) is an embedded signature
Code Directory (381 bytes)
Version: 20100
Flags: none
CodeLimit: 0x71d0
Identifier: com.apple.ls (0x30)
CDHash: 9da37f871f61f9bdcbae64c8d40bffde5786aee5
# of Hashes: 8 code + 2 special
Hashes @125 size: 32 Type: SHA-256
Requirement Set (60 bytes) with 1 requirement:
0: Designated Requirement (@20, 28 bytes): SIZE: 28
Ident: (com.apple.ls) AND Apple Anchor
Blob Wrapper (4113 bytes) (0x10000 is CMS (RFC3852) signature)
CA: Apple Certification Authority CN: Apple Root CA
CA: Apple Certification Authority CN: Apple Code Signing Certification Authority
CA: Apple Certification Authority CN: Apple Root CA
CA: Apple Certification Authority CN: Apple Root CA
CA: Apple Certification Authority CN: Apple Code Signing Certification Authority
CA: Apple Software CN: Software Signing


There is indeed a hash for each page (which may be 16k as well; it's variable, but usually 4k). And the hash is either SHA-1 or SHA-256 (MacOS12/iOS10 and later). jtool will automatically verify the hashes and complain if they mismatch, or display them with --sig -v.

And the upcoming book has an entire chapter on code signatures! Here's an illustration:

Image

Stay tuned. It's coming.
morpheus
Site Admin
 

Re: Signed binary's signature in iOS and OS X

Postby jorel » Fri Aug 05, 2016 3:12 am

Thank you very much for the answer; jtool is a great tool, too. I use it frequently to increase my understanding of Mach-O files.

Coming back to the question, I am able to figure out that these hashes exist in the code directory for every 4KB/16KB block. I want to know: is this information further signed by Apple's private key? The logic being, how does the OS get to know that the binary and the corresponding hashes have not been altered?
jorel
 

Re: Signed binary's signature in iOS and OS X

Postby morpheus » Fri Aug 05, 2016 3:30 am

Again, jtool reveals all: for iOS binaries, Apple uses "ad-hoc" signing, which means that just the CDHash is consulted, and it is vetted by AMFI's trust cache. For third parties (and on MacOS), there is a certificate chain leading up to the well-known certificates which are in the System keychain. This verification is performed in user mode, which is what AMFId is for (and, despite the name, it is also on MacOS, as of 10.10). The user mode daemon allows for the heavier cert validation, which may involve outcalls to online_mis_agent as well (to check for revoked provisioning profiles).
morpheus
Site Admin
 
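A worked example of the structures morpheus describes in his two answers above (the superblob/CodeDirectory layout behind LC_CODE_SIGNATURE, and the CDHash that an ad-hoc trust cache is keyed on). This is added illustration code, not jtool's, XNU's or the book's code: it builds a minimal embedded signature (a SuperBlob holding a CodeDirectory, an empty requirement set and an empty CMS blob wrapper, i.e. ad-hoc), parses it back, recomputes the per-page hashes and derives the CDHash. Constants and the CodeDirectory field layout follow XNU's cs_blobs.h; the "binary" bytes, the identifier com.example.demo, the trust-cache set and every function name are constructed for the example. It uses SHA-256 hashes and 4K pages and carries no certificate chain, so it does not model the CMS/certificate verification amfid performs for third-party code.

```python
"""Added example: build, parse and verify a minimal Mach-O embedded code signature.

Not code from jtool, XNU or the thread. Constants and field order follow XNU's
cs_blobs.h; the binary bytes and identifier below are constructed, not /bin/ls.
"""
import hashlib
import struct

CSMAGIC_REQUIREMENTS       = 0xFADE0C01
CSMAGIC_CODEDIRECTORY      = 0xFADE0C02
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_BLOBWRAPPER        = 0xFADE0B01
CSSLOT_CODEDIRECTORY = 0
CSSLOT_REQUIREMENTS  = 2
CSSLOT_SIGNATURESLOT = 0x10000
CS_HASHTYPE_SHA256   = 2
CS_CDHASH_LEN        = 20   # CDHash = digest of the whole CodeDirectory, truncated to 20 bytes
HASH_SIZE            = 32

# CodeDirectory header (version 0x20100), big-endian: magic, length, version, flags,
# hashOffset, identOffset, nSpecialSlots, nCodeSlots, codeLimit, hashSize, hashType,
# platform, pageSize (log2), spare2, scatterOffset
CD_HDR = ">IIIIIIIIIBBBBII"
CD_HDR_LEN = struct.calcsize(CD_HDR)  # 48 bytes


def page_hashes(code, code_limit, page_shift):
    """One SHA-256 per page of code[:code_limit]; the last page may be short."""
    page = 1 << page_shift
    return [hashlib.sha256(code[off:min(off + page, code_limit)]).digest()
            for off in range(0, code_limit, page)]


def build_code_directory(code, ident, n_special=2, page_shift=12):
    """Serialize a CodeDirectory covering all of `code` (codeLimit = len(code))."""
    code_limit = len(code)
    hashes = page_hashes(code, code_limit, page_shift)
    ident_bytes = ident.encode() + b"\0"
    ident_off = CD_HDR_LEN
    # Special slots (negative indices) sit directly below code slot 0; absent ones are zero.
    hash_off = ident_off + len(ident_bytes) + n_special * HASH_SIZE
    length = hash_off + len(hashes) * HASH_SIZE
    hdr = struct.pack(CD_HDR, CSMAGIC_CODEDIRECTORY, length, 0x20100, 0,
                      hash_off, ident_off, n_special, len(hashes), code_limit,
                      HASH_SIZE, CS_HASHTYPE_SHA256, 0, page_shift, 0, 0)
    return hdr + ident_bytes + b"\0" * (HASH_SIZE * n_special) + b"".join(hashes)


def build_embedded_signature(cd):
    """SuperBlob: (magic, length, count), then count (type, offset) index entries, then blobs."""
    reqs = struct.pack(">III", CSMAGIC_REQUIREMENTS, 12, 0)   # empty requirement set
    cms = struct.pack(">II", CSMAGIC_BLOBWRAPPER, 8)          # empty CMS wrapper = ad-hoc
    blobs = [(CSSLOT_CODEDIRECTORY, cd), (CSSLOT_REQUIREMENTS, reqs), (CSSLOT_SIGNATURESLOT, cms)]
    off = 12 + 8 * len(blobs)
    index, body = b"", b""
    for slot, blob in blobs:
        index += struct.pack(">II", slot, off)
        body += blob
        off += len(blob)
    return struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, off, len(blobs)) + index + body


def parse_embedded_signature(sig):
    """Walk the SuperBlob index and return {slot: raw blob bytes}."""
    magic, length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(sig):
        raise ValueError("not an embedded signature superblob")
    slots = {}
    for i in range(count):
        slot, off = struct.unpack_from(">II", sig, 12 + 8 * i)
        blob_len = struct.unpack_from(">I", sig, off + 4)[0]   # every blob: magic, length, ...
        slots[slot] = sig[off:off + blob_len]
    return slots


def cdhash(cd):
    """The CDHash: hash of the entire CodeDirectory blob, truncated (SHA-256 case)."""
    return hashlib.sha256(cd).digest()[:CS_CDHASH_LEN]


def verify_pages(cd, code):
    """Recompute every page hash from `code` and compare with the CD's code slots."""
    f = struct.unpack_from(CD_HDR, cd, 0)
    hash_off, n_code, code_limit, hash_size, hash_type, page_shift = f[4], f[7], f[8], f[9], f[10], f[12]
    if hash_type != CS_HASHTYPE_SHA256 or hash_size != HASH_SIZE:
        return False
    expected = page_hashes(code, code_limit, page_shift)
    if len(expected) != n_code:
        return False
    stored = [cd[hash_off + i * HASH_SIZE: hash_off + (i + 1) * HASH_SIZE] for i in range(n_code)]
    return stored == expected


def demo():
    """Returns (pages ok, pages ok after tampering, forged CD's CDHash in trust cache)."""
    code = bytes(range(256)) * 40                       # constructed 10240-byte "binary": 2.5 pages
    cd = build_code_directory(code, "com.example.demo")
    slots = parse_embedded_signature(build_embedded_signature(cd))
    trust_cache = {cdhash(slots[CSSLOT_CODEDIRECTORY])}  # what an ad-hoc check would consult
    tampered = bytearray(code)
    tampered[5000] ^= 1                                   # flip one bit in page 1
    forged_cd = build_code_directory(bytes(tampered), "com.example.demo")
    return (verify_pages(slots[CSSLOT_CODEDIRECTORY], code),
            verify_pages(slots[CSSLOT_CODEDIRECTORY], bytes(tampered)),
            cdhash(forged_cd) in trust_cache)


if __name__ == "__main__":
    print(demo())
```

The two checks in demo() are the answer to the "how does the OS know nothing was altered" question at the level this example models: a bit flip in the code fails the page hash in the unchanged CodeDirectory, and re-signing the altered code produces a different CodeDirectory whose CDHash is not in the trust cache. Note also that codeLimit stops before the signature blob itself, so the signature is never part of what it hashes.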

Re: Signed binary's signature in iOS and OS X

Postby NJJN » Tue Aug 09, 2016 2:53 pm

Just wanted to thank you, J. I have started understanding a little bit of LC_CODE_SIGNATURE.
jtool rocks!
Attachment: Code-Signature-understanding.jpg
NJJN
 

Re: Signed binary's signature in iOS and OS X

Postby morpheus » Wed Aug 10, 2016 2:05 am

Thank you! It's those (unfortunately few and far between) moments of appreciation that make it all worth my while! :-) The upcoming book will make you understand not "a little bit" but "fully"! Every nook and cranny explored! Stay tuned!
morpheus
Site Admin
 

Re: Signed binary's signature in iOS and OS X

Postby merong » Wed Aug 31, 2016 2:36 am

Can I learn about this thing (the code signature structure) from some source project or compiled binary?

In the case of a Mach-O file, one can learn it from macho.h and loader.h.

Which project would be helpful for understanding this?
merong
 

Re: Signed binary's signature in iOS and OS X

Postby morpheus » Thu Sep 01, 2016 10:50 pm

Security.framework, libsecurity_codesigning, as well as some of XNU's source (kern_cs/exec)
morpheus
Site Admin
 

Re: Signed binary's signature in iOS and OS X

Postby merong » Fri Sep 02, 2016 11:50 am

Thanks a lot, J ^^

I am always thankful for your notes and book ^^

Administrator wrote:Security.framework, libsecurity_codesigning, as well as some of XNU's source (kern_cs/exec)
merong
 

