Dissecting code signature

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)


Postby terran » Fri Mar 08, 2019 4:39 pm

Hi!
I've been trying to figure out what is the format of the signature blob.
It's not CMS nor binary plist.
Googling yielded no results.
I extracted the blob using jtool (of course), maybe I need to delete some bytes in order to get the correct format? There are entitlements (bplist) and certificates (DER I suppose), it has to have some structure.
terran
 
Posts: 5
Joined: Fri Mar 08, 2019 10:14 am

Re: Dissecting code signature

Postby morpheus » Sun Mar 10, 2019 12:53 am

Half of Chapter 5 in Volume III explains the format in detail...

jtool or jtool2 --sig -v will also display the blob, down to its last field.
morpheus
Site Admin
 
Posts: 698
Joined: Thu Apr 11, 2013 6:24 pm

Re: Dissecting code signature

Postby terran » Sun Mar 10, 2019 2:59 pm

Oh, thank you. I haven't had the chance to read the trilogy yet, waiting on Volume II to come out and saving money haha
I used jtool2 and got the following output:
@executable_path/Frameworks
An embedded signature of 6746 bytes, and 4 blobs
   Blob 0: Type: 0 @44: Code Directory (1212 bytes)
      Version:     20200
      Flags:       none
      CodeLimit:   0x1d600
      Identifier:  code.sign.prov.test.PROVTEST (@0x34)
      Team ID:     A1B2C3D4E5 (0x51)
      CDHash:        9e9cee749cc5dcea5a85dd8a64379c87e66559c27ac48a4df31a0497f00bc88a (computed)
      # of Hashes: 30 code + 5 special
      Hashes @252 size: 32 Type: SHA-256
   Blob 1: Type: 2 @1256: Requirement Set (196 bytes) with 1 requirement:
Unhandled opcode - let J know about this, please
   0: Designated Requirement (@20, 164 bytes): Ident(code.sign.prov.test.PROVTEST) AND
   Blob 2: Type: 5 @1452: Entitlements (557 bytes) (use --ent to view)
   Blob 3: Type: 10000 @2009: Blob Wrapper (4737 bytes) (0x10000 is CMS (RFC3852) signature)
   CA: Apple Certification Authority    CN: Apple Root CA
   CA: Apple Worldwide Developer Relations    CN: Apple Worldwide Developer Relations Certification Authority
   CA: Apple Certification Authority    CN: Apple Root CA
   CA: Apple Certification Authority    CN: Apple Root CA
   Timestamp: 10:54:18 2019/03/09

I couldn't find a way to buy an electronic copy of V III and it would take the shipment a month to reach me anyway, so could you please share some details on what Type is? I assume the symbols after @ are an offset and Code Directory is __TEXT + __DATA (or is it?).
Should I supply any additional information regarding the unhandled opcode?
terran
 
Posts: 5
Joined: Fri Mar 08, 2019 10:14 am

Re: Dissecting code signature

Postby morpheus » Mon Mar 11, 2019 12:11 am

shipping is linear, so I don't know how much that would save. And there are no eBooks due to rampant piracy of my other works. But here's a sample of what you're missing, which answers your questions as well. Btw, Security.framework is OpenSource, and libsecurity_codesigning is also helpful in figuring this stuff out.

[Two attached screenshots of the book sample: Screen Shot 2019-03-10 at 19.49.16.png and Screen Shot 2019-03-10 at 19.48.42.png]
morpheus
Site Admin
 
Posts: 698
Joined: Thu Apr 11, 2013 6:24 pm
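An added worked example, not from the thread and not jtool's code, to make "Type" and the "@" offsets in the output above concrete. It builds an embedded signature SuperBlob with the layout from XNU's osfmk/kern/cs_blobs.h and parses it back. The Type jtool prints is the slot number from the SuperBlob's (type, offset) index: 0 is the CodeDirectory, 2 the requirement set, 5 the entitlements, 0x10000 the CMS blob wrapper; @N is a byte offset from the start of the SuperBlob. The CodeDirectory is not __TEXT + __DATA: it is a table of hashes, one per page of the file from offset 0 up to codeLimit (30 pages of 4 KiB for 0x1d600 bytes), preceded by "special" slots that hash the sibling blobs (-1 Info.plist, -2 requirements, -3 resource directory, -4 application, -5 entitlements), and the CDHash is the hash of that whole CodeDirectory blob. The identifier, team ID, slot counts and blob sizes are chosen to reproduce the offsets from the posted output (@44, @1256, @1452, @2009, identifier @0x34, team @0x51, hashes @252); the image bytes, the requirement expression and the CMS payload are constructed placeholders, so the page hashes and the CDHash will not match the posted ones.

```python
# Added example (not from the thread, not jtool's code): build and parse an embedded code
# signature SuperBlob as the kernel sees it. Layout follows XNU's osfmk/kern/cs_blobs.h; big-endian.
import hashlib
import struct

CSMAGIC_REQUIREMENT, CSMAGIC_REQUIREMENTS = 0xfade0c00, 0xfade0c01
CSMAGIC_CODEDIRECTORY, CSMAGIC_BLOBWRAPPER = 0xfade0c02, 0xfade0b01
CSMAGIC_EMBEDDED_SIGNATURE, CSMAGIC_EMBEDDED_ENTITLEMENTS = 0xfade0cc0, 0xfade7171
SLOT_NAMES = {0: "Code Directory", 1: "Info.plist", 2: "Requirement Set", 3: "Resource Directory",
              4: "Application", 5: "Entitlements", 0x10000: "Blob Wrapper (CMS signature)"}
HASH_ALGOS = {1: "sha1", 2: "sha256", 3: "sha256", 4: "sha384"}  # CodeDirectory hashType values
CD_HDR = ">IIIIIIIIIBBBBIII"  # CS_CodeDirectory through teamOffset (version 0x20200): 52 bytes

def blob(magic, payload):  # plain blob: magic, total length, payload
    return struct.pack(">II", magic, 8 + len(payload)) + payload

def superblob(magic, entries):  # header, index of (slot type, offset) pairs, then the blobs
    off, index, body = 12 + 8 * len(entries), b"", b""
    for slot, data in entries:
        index, body, off = index + struct.pack(">II", slot, off), body + data, off + len(data)
    return struct.pack(">III", magic, off, len(entries)) + index + body

def page_hashes(image, code_limit, page_shift=12, algo="sha256"):
    """One hash per page of the signed range [0, codeLimit); the last page is partial."""
    page = 1 << page_shift
    return [hashlib.new(algo, image[o:min(o + page, code_limit)]).digest() for o in range(0, code_limit, page)]

def code_directory(ident, team, code_limit, special, code):
    """special[i] is slot -(i+1): Info.plist, Requirements, ResourceDir, Application, Entitlements."""
    ident_b, team_b = ident.encode() + b"\0", team.encode() + b"\0"
    ident_off = struct.calcsize(CD_HDR)
    team_off = ident_off + len(ident_b)
    hash_off = team_off + len(team_b) + 32 * len(special)  # slot 0 sits right after the special slots
    hdr = struct.pack(CD_HDR, CSMAGIC_CODEDIRECTORY, hash_off + 32 * len(code), 0x20200, 0, hash_off,
                      ident_off, len(special), len(code), code_limit, 32, 2, 0, 12, 0, 0, team_off)
    # special slots are stored in reverse: slot -n first, slot -1 immediately before hashOffset
    return hdr + ident_b + team_b + b"".join(reversed(special)) + b"".join(code)

def parse_signature(sig):
    """Walk the SuperBlob index -> [(slot, name, offset, magic, blob bytes)], bounds-checked."""
    magic, length, count = struct.unpack_from(">III", sig, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE or length > len(sig) or 12 + 8 * count > length:
        raise ValueError("not an embedded signature, or truncated")
    out = []
    for i in range(count):
        slot, off = struct.unpack_from(">II", sig, 12 + 8 * i)
        bmagic, blen = struct.unpack_from(">II", sig, off)
        if off + blen > length:
            raise ValueError(f"blob {i} overruns the SuperBlob")
        out.append((slot, SLOT_NAMES.get(slot, hex(slot)), off, bmagic, sig[off:off + blen]))
    return out

def parse_code_directory(cd):
    (magic, length, version, flags, hash_off, ident_off, n_special, n_code, code_limit,
     hsize, htype, _platform, pshift, _spare) = struct.unpack_from(">IIIIIIIIIBBBBI", cd, 0)
    if magic != CSMAGIC_CODEDIRECTORY:
        raise ValueError("not a CodeDirectory")
    cd = cd[:length]
    cstr = lambda off: cd[off:cd.index(b"\0", off)].decode()
    team_off = struct.unpack_from(">I", cd, 48)[0] if version >= 0x20200 else 0
    algo = HASH_ALGOS[htype]
    return {"version": version, "flags": flags, "code_limit": code_limit, "hash_algo": algo,
            "ident_offset": ident_off, "identifier": cstr(ident_off),
            "team_offset": team_off, "team": cstr(team_off) if team_off else None,
            "hash_offset": hash_off, "page_shift": pshift,
            # CDHash is the hash of the whole CodeDirectory blob; the kernel keeps its first 20 bytes
            "cdhash": hashlib.new(algo, cd).digest(),
            "code": [cd[hash_off + i * hsize:hash_off + (i + 1) * hsize] for i in range(n_code)],
            "special": {-(i + 1): cd[hash_off - (i + 1) * hsize:hash_off - i * hsize] for i in range(n_special)}}

def verify(sig, image):
    """What the kernel checks: each code page against slots 0.., and the requirements and
    entitlements blobs against the special slots that bind them to the CodeDirectory."""
    blobs = {slot: data for slot, _n, _o, _m, data in parse_signature(sig)}
    cd = parse_code_directory(blobs[0])
    h = lambda b: hashlib.new(cd["hash_algo"], b).digest()
    pages_ok = cd["code"] == page_hashes(image, cd["code_limit"], cd["page_shift"], cd["hash_algo"])
    special_ok = all(cd["special"].get(-s) == h(blobs[s]) for s in (2, 5) if s in blobs)
    return pages_ok and special_ok

# Constructed inputs, sized to match the jtool2 output in the thread (codeLimit 0x1d600 = 30 pages).
IMAGE = bytes((i * 7 + i // 4096) & 0xff for i in range(0x1d600))
REQS = superblob(CSMAGIC_REQUIREMENTS, [(3, blob(CSMAGIC_REQUIREMENT, b"\0" * 168))])  # 3 = designated
ENTS = blob(CSMAGIC_EMBEDDED_ENTITLEMENTS, (
    '<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0"><dict>\n'
    '<key>application-identifier</key><string>A1B2C3D4E5.code.sign.prov.test.PROVTEST</string>\n'
    '<key>get-task-allow</key><true/>\n</dict></plist>\n').encode().ljust(549, b"\n"))
CMS = blob(CSMAGIC_BLOBWRAPPER, b"\0" * 4729)  # placeholder for the DER-encoded CMS SignedData

def build_signature(image=IMAGE):
    zero = b"\0" * 32
    special = [zero, hashlib.sha256(REQS).digest(), zero, zero, hashlib.sha256(ENTS).digest()]  # slots -1..-5
    cd = code_directory("code.sign.prov.test.PROVTEST", "A1B2C3D4E5", len(image), special,
                        page_hashes(image, len(image)))
    return superblob(CSMAGIC_EMBEDDED_SIGNATURE, [(0, cd), (2, REQS), (5, ENTS), (0x10000, CMS)])

if __name__ == "__main__":
    sig = build_signature()
    print(f"An embedded signature of {len(sig)} bytes, and {len(parse_signature(sig))} blobs")
    for i, (slot, name, off, _m, data) in enumerate(parse_signature(sig)):
        print(f"   Blob {i}: Type: {slot:x} @{off}: {name} ({len(data)} bytes)")
    cd = parse_code_directory(parse_signature(sig)[0][4])
    print(f"   CDHash: {cd['cdhash'].hex()}  verifies: {verify(sig, IMAGE)}")
```

Run it and compare the Blob lines with the jtool2 listing above; the offsets fall out of the structure alone (12-byte SuperBlob header plus 8 bytes per index entry puts blob 0 at @44, and the 52-byte version 0x20200 CodeDirectory header puts the identifier at 0x34). Flipping one byte in a code page, or one byte inside the entitlements blob, makes verify() return False, which is the point of the special slots: the CMS signature only covers the CodeDirectory, and everything else is bound to it through those hashes.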

Re: Dissecting code signature

Postby terran » Wed Mar 13, 2019 10:03 pm

Got it, thank you very much!
terran
 
Posts: 5
Joined: Fri Mar 08, 2019 10:14 am

