Multiple CSMAGIC_CODEDIRECTORY?

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Multiple CSMAGIC_CODEDIRECTORY?

Postby pbr » Tue Oct 03, 2017 10:20 pm

When running jtool on some binaries (with only one embedded architecture [armv7]) that have been signed with Apple's latest codesign I find that it includes both the SHA1 and SHA256 CDHash and hash arrays for the binary. jtool will show me 2 print outs for Code Directory.

My question is how is this organized within the binary itself?

I know that LC_CODE_SIGNATURE points to a blob in the __LINKEDIT section. That superblob includes blobs identified with magic numbers (ex. CSMAGIC_CODEDIRECTORY).

If the SHA1 blob lives here, where does the SHA256 blob live? Is it separate from CSMAGIC_CODEDIRECTORY or within it?

Any help would be appreciated, thanks!
pbr
 
Posts: 1
Joined: Tue Oct 03, 2017 10:14 pm

Re: Multiple CSMAGIC_CODEDIRECTORY?

Postby morpheus » Wed Oct 04, 2017 1:57 am

you're correct, and it's not a jtool bug - Apple has started signing with both SHA1 *and* SHA256. code sign as well as jtool show this, and you can use jtool's -v to see it specifically (though that has side effect of also validating all pages, which may take time, be warned).

There's still only one LC_CODE_SIGNATURE, but the superblob now contains two CodeDirectory blobs side by side. With -v, you'll get the offsets of each

Example, from MacOS App Store Kindle (same strategy, despite x86_64)

Code: Select all
Blob at offset: 23323120 (306448 bytes) is an embedded signature of 302024 bytes, and 5 blobs
        Blob 0: Type: 0 @52: Code Directory (114081 bytes)
                Version:     20200
                Flags:        kill if invalidated (0x200) (0x200)
                CodeLimit:   0x163e1f0
                Identifier:  com.amazon.Kindle (0x34)
                Team ID:     94KV3E626L (0x46)
                CDHash:      aa738546d66c0e1faadb59039b4846000383ea88 (computed)
                # of Hashes: 5695 code + 5 special
               Hashes @181 size: 20 Type: SHA-1
...
        Blob 1: Type: 2 @114133: Requirement Set (220 bytes) with 1 requirement:
...
        Blob 2: Type: 5 @114353: Entitlements (577 bytes) (use --ent to view)
        Blob 3: Type: 1000 @114930: Code Directory (182481 bytes)
                Version:     20200
                Flags:        kill if invalidated (0x200) (0x200)
                CodeLimit:   0x163e1f0
                Identifier:  com.amazon.Kindle (0x34)
                Team ID:     94KV3E626L (0x46)
                CDHash:      854649ee539608c92b775d9aa231e9db844009ec152edfb1e8a26d338eb22cab (computed)
                # of Hashes: 5695 code + 5 special
                Hashes @241 size: 32 Type: SHA-256

morpheus
Site Admin
 
Posts: 530
Joined: Thu Apr 11, 2013 6:24 pm


Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 1 guest