Jtool code signing resulting in empty requirments

Used for discussing the various tools in the book as well as encouraging members to share tools

Jtool code signing resulting in empty requirments

Postby Leandro » Tue Jun 20, 2017 10:54 am

Hello I am using jtool in Linux and after siging an iOS binary and verifying the result with --sig I noticed that the requirements are empty. In the following snippets you can see what I am talking about.

Code: Select all
$ jtool.ELF64 --sign --inplace --ident 7465293276 --ent Entitlements.plist app_patched
mmap(2) failed.. Defaulting to malloc, instead
Patching Linkedit by -87328 bytes
Patching Linkedit by 30416 bytes
Warning: Destructive option. Output (6113072 bytes) written to 9292_patched


Code: Select all
$ jtool.ELF64 --sig app_patched
Blob at offset: 6082656 (30416 bytes) is an embedded signature
Code Directory (29875 bytes)
      Version:     20001
      Flags:       none
      CodeLimit:   0x5cd060
      Identifier:  7465893475 (0x2c)
      CDHash:        e4ce40d7faad23622828be93b96b1b919fa96efe (computed)
      # of Hashes: 1486 code + 5 special
      Hashes @155 size: 20 Type: SHA-1
 Empty requirement set (12 bytes)
Entitlements (474 bytes) (use --ent to view)


It seems that this is how jtool works by default, however this is a problem since I need to resign the binary with a valid certificate.

To give you more context what I am trying to do is:

- Insert a load_dylib command into the binary
- Sign with jtool the binary
- Sign with isign (external tool) the complete IPA archive
- Deploy to an iDevice the modified IPA
- Start the installed IPA in debug mode

Since the result of the jtool signature is a binary with Empty requirement set, I cant continue with the IPA signing process.
So my questions are:
- How can I sign without making the requirments empty?
- Is there a way to provide a valid mobileprovision file to jtool in order to sing properly the binary so it passes the verification check in a non-jailbroker device? This is how codesing in MAXOS does it.
Leandro
 
Posts: 1
Joined: Tue Jun 20, 2017 10:32 am

Re: Jtool code signing resulting in empty requirments

Postby morpheus » Wed Jun 21, 2017 1:02 am

So.. I never actually needed to code requirements, which is why I left it as a null block (you can see that if you --sign and JDEBUG=1)

I can put that in. You could also try embedded the output of csreq(1). As for enabling signing with provisioning profiles, that's a *great* idea. Will take some work, but I will add it in future release. Thank you.
morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm


Return to Tools

Who is online

Users browsing this forum: No registered users and 3 guests