apple-codesign: prefer deriving binary identifier from filename durin…

…g bundle signing

This prevents another scenario where the binary identifiers could get out of
sync.

Closes #109.

apple-codesign/CHANGELOG.md

@@ -22,6 +22,10 @@ Released on ReleaseDate.
   more similar to Apple's. e.g. `foo1.2.dylib` will now resolve to `foo1`
   instead of `foo1.2`. We still don't use the binary UUID or digest of its
   load commands to compute the binary identifier like Apple does.
+* When signing nested Mach-O binaries in a bundle, we now set the binary
+  identifier from the filename rather than preserving the identifier in an
+  existing signature. This helps ensure identifiers stay in sync and prevents
+  bad signatures. (#109)
 
 ## 0.24.0
 

apple-codesign/src/bundle_signing.rs

@@ -383,21 +383,18 @@ impl<'a, 'key> BundleSigningContext<'a, 'key> {
             .settings
             .as_bundle_macho_settings(dest_rel_path.to_string_lossy().as_ref());
 
-        settings.import_settings_from_macho(&macho_data)?;
-
-        // If there isn't a defined binary identifier, derive one from the file name so one is set
-        // and we avoid a signing error due to missing identifier.
-        // TODO do we need to check the nested Mach-O settings?
+        // When signing a Mach-O in the context of a bundle, always define the
+        // binary identifier from the filename so everything is consistent.
+        // Unless an existing setting overrides it, of course.
         if settings.binary_identifier(SettingsScope::Main).is_none() {
             let identifier = path_identifier(dest_rel_path)?;
+            info!("setting binary identifier based on path: {}", identifier);
 
-            info!(
-                "Mach-O is missing binary identifier; setting to {} based on file name",
-                identifier
-            );
-            settings.set_binary_identifier(SettingsScope::Main, identifier);
+            settings.set_binary_identifier(SettingsScope::Main, &identifier);
         }
 
+        settings.import_settings_from_macho(&macho_data)?;
+
         let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
         signer.write_signed_binary(&settings, &mut new_data)?;
 

apple-codesign/tests/cmd/sign-bundle-nested-macho-identifier.trycmd

@@ -44,24 +44,24 @@ collecting code resources files
 copying file MyApp.app/Contents/Info.plist -> MyApp.app.signed/Contents/Info.plist
 sealing nested Mach-O binary: Contents/MacOS/new-bin
 signing Mach-O file Contents/MacOS/new-bin
+setting binary identifier based on path: new-bin
 inferring default signing settings from Mach-O binary
-preserving existing binary identifier in Mach-O (old-bin-x86_64)
+using binary identifier from settings
 preserving code signature flags in existing Mach-O signature (CodeSignatureFlags(ADHOC))
-identifiers within Mach-O do not agree (initial: old-bin-x86_64, subsequent: old-bin-name); reconciling to old-bin-x86_64
+using binary identifier from settings
 preserving code signature flags in existing Mach-O signature (CodeSignatureFlags(ADHOC))
-Mach-O is missing binary identifier; setting to new-bin based on file name
 signing Mach-O binary at index 0
 binary targets macOS >= 11.0.0 with SDK 11.0.0
 adding code signature flags from signing settings: CodeSignatureFlags(ADHOC)
 creating ad-hoc signature
 code directory version: 132096
-total signature size: 287 bytes
+total signature size: 280 bytes
 signing Mach-O binary at index 1
 binary targets macOS >= 11.0.0 with SDK 11.0.0
 adding code signature flags from signing settings: CodeSignatureFlags(ADHOC)
 creating ad-hoc signature
 code directory version: 132096
-total signature size: 383 bytes
+total signature size: 376 bytes
 writing Mach-O to MyApp.app.signed/Contents/MacOS/new-bin
 writing sealed resources to MyApp.app.signed/Contents/_CodeSignature/CodeResources
 signing main executable Contents/MacOS/MyApp
@@ -81,7 +81,7 @@ $ rcodesign print-signature-info MyApp.app.signed
   entity: other
 - path: Contents/MacOS/MyApp
   file_size: 22544
-  file_sha256: db855f41277cbf8764f1fbdd8f320f5f1920c51510c01556c1dcb21c17b38fb6
+  file_sha256: e1dfbe5e2a27918a25ccbe0971b0b40e96c8a1a031a332e8b9fb79475fe0345a
   entity:
     mach_o:
       macho_linkedit_start_offset: 16384 / 0x4000
@@ -99,8 +99,8 @@ $ rcodesign print-signature-info MyApp.app.signed
         - slot: CodeDirectory (0)
           magic: fade0c02
           length: 365
-          sha1: 95fc759cb4618043b356eca1c8b2d1bc0dfdafdb
-          sha256: 64c61b9f73c441c04ac7d4a166b1c05b29cb59c3c956b819a7919103849368df
+          sha1: c826994bd20c58899a48dbca7e237bcc1940096b
+          sha256: ccbff6200513f074b4299064006b820d714a57ad77d06f44924e34c0a6bff910
         - slot: RequirementSet (2)
           magic: fade0c01
           length: 12
@@ -123,31 +123,31 @@ $ rcodesign print-signature-info MyApp.app.signed
           slot_digests:
           - 'Info (1): 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5'
           - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
-          - 'Resources (3): c90fda247e05dd8623e66d8f7137beeaac69977eb14dfdbacfac5b0bf1a74fc6'
+          - 'Resources (3): c28145c843d03ba3ddb1c7e5a2029c1e179750bd1be9bfe9ebecb6e7f51922c5'
         cms: null
 - path: Contents/MacOS/new-bin
   file_size: 55312
-  file_sha256: 486fbe542e62f687f3ed659ebb3823b5e37ef0c58a1f557aba4385c7330f6921
+  file_sha256: 177b1b4ff578e3803cade0b792f7ca4537bf94c7ca6844ae584819c118683011
   sub_path: macho-index:0
   entity:
     mach_o:
       macho_linkedit_start_offset: 4096 / 0x1000
       macho_signature_start_offset: 4112 / 0x1010
-      macho_signature_end_offset: 4399 / 0x112f
+      macho_signature_end_offset: 4392 / 0x1128
       macho_linkedit_end_offset: 10256 / 0x2810
       macho_end_offset: 10256 / 0x2810
       linkedit_signature_start_offset: 16 / 0x10
-      linkedit_signature_end_offset: 303 / 0x12f
-      linkedit_bytes_after_signature: 5857 / 0x16e1
+      linkedit_signature_end_offset: 296 / 0x128
+      linkedit_bytes_after_signature: 5864 / 0x16e8
       signature:
-        superblob_length: 287 / 0x11f
+        superblob_length: 280 / 0x118
         blob_count: 3
         blobs:
         - slot: CodeDirectory (0)
           magic: fade0c02
-          length: 231
-          sha1: 6ef81a567d4b35f0ae96d662c6acc3656a03a889
-          sha256: 2b924a5a5139929a31c419711dd348f7f906a5d12053e914453e1dccb0e19c44
+          length: 224
+          sha1: 95cb29468e76eefe3f75aa4a6847bdf4ca44cd30
+          sha256: f677a5c4d4239ef741c96b66a5b1356d3d3d8630f4ca91593f2620f80224a549
         - slot: RequirementSet (2)
           magic: fade0c01
           length: 12
@@ -161,7 +161,7 @@ $ rcodesign print-signature-info MyApp.app.signed
         code_directory:
           version: '0x20400'
           flags: CodeSignatureFlags(ADHOC)
-          identifier: old-bin-x86_64
+          identifier: new-bin
           digest_type: sha256
           platform: 0
           signed_entity_size: 4112
@@ -173,27 +173,27 @@ $ rcodesign print-signature-info MyApp.app.signed
         cms: null
 - path: Contents/MacOS/new-bin
   file_size: 55312
-  file_sha256: 486fbe542e62f687f3ed659ebb3823b5e37ef0c58a1f557aba4385c7330f6921
+  file_sha256: 177b1b4ff578e3803cade0b792f7ca4537bf94c7ca6844ae584819c118683011
   sub_path: macho-index:1
   entity:
     mach_o:
       macho_linkedit_start_offset: 16384 / 0x4000
       macho_signature_start_offset: 16400 / 0x4010
-      macho_signature_end_offset: 16783 / 0x418f
+      macho_signature_end_offset: 16776 / 0x4188
       macho_linkedit_end_offset: 22544 / 0x5810
       macho_end_offset: 22544 / 0x5810
       linkedit_signature_start_offset: 16 / 0x10
-      linkedit_signature_end_offset: 399 / 0x18f
-      linkedit_bytes_after_signature: 5761 / 0x1681
+      linkedit_signature_end_offset: 392 / 0x188
+      linkedit_bytes_after_signature: 5768 / 0x1688
       signature:
-        superblob_length: 383 / 0x17f
+        superblob_length: 376 / 0x178
         blob_count: 3
         blobs:
         - slot: CodeDirectory (0)
           magic: fade0c02
-          length: 327
-          sha1: 33af78da2e17f2d37b4b67da71bddb98b04399c4
-          sha256: 2d13578727cbc8ed64e38e20a67d520cf86103a8ca966a0005ee727ab7a70dd6
+          length: 320
+          sha1: 6399ea612a352a77a5e69020d92ff0c3cafc89b5
+          sha256: 7c122679cc9f0796e02496f20a9f428468c9fc3e74045530ed1a938745c8ee27
         - slot: RequirementSet (2)
           magic: fade0c01
           length: 12
@@ -207,7 +207,7 @@ $ rcodesign print-signature-info MyApp.app.signed
         code_directory:
           version: '0x20400'
           flags: CodeSignatureFlags(ADHOC)
-          identifier: old-bin-x86_64
+          identifier: new-bin
           digest_type: sha256
           platform: 0
           signed_entity_size: 16400
@@ -219,7 +219,7 @@ $ rcodesign print-signature-info MyApp.app.signed
         cms: null
 - path: Contents/_CodeSignature/CodeResources
   file_size: 2483
-  file_sha256: c90fda247e05dd8623e66d8f7137beeaac69977eb14dfdbacfac5b0bf1a74fc6
+  file_sha256: c28145c843d03ba3ddb1c7e5a2029c1e179750bd1be9bfe9ebecb6e7f51922c5
   entity:
     bundle_code_signature_file: !ResourcesXml
     - <?xml version="1.0" encoding="UTF-8"?>
@@ -234,10 +234,10 @@ $ rcodesign print-signature-info MyApp.app.signed
     - '    <dict>'
     - '      <key>cdhash</key>'
     - '      <data>'
-    - '      K5JKWlE5kpoxxBlxHdNI9/kGpdE='
+    - '      9nelxNQjnvdByWtmpbE1bT09hjA='
     - '      </data>'
     - '      <key>requirement</key>'
-    - '      <string>(cdhash H"2b924a5a5139929a31c419711dd348f7f906a5d1") or (cdhash H"2d13578727cbc8ed64e38e20a67d520cf86103a8")</string>'
+    - '      <string>(cdhash H"f677a5c4d4239ef741c96b66a5b1356d3d3d8630") or (cdhash H"7c122679cc9f0796e02496f20a9f428468c9fc3e")</string>'
     - '    </dict>'
     - '  </dict>'
     - '  <key>rules</key>'