macos 漏洞?在 codesign --remove-signature 功能中
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/7500381/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
bug? in codesign --remove-signature feature
提问by user532477
I would like to remove the digital signature from a Mac app that has been signed with codesign. There is an undocumented option to codesign, --remove-signature, which by it's name seems to be what I need. However, I can't get it to work. I realize it is undocumented, but I could really use the functionality. Maybe I'm doing something wrong?
我想从使用 codesign 签名的 Mac 应用程序中删除数字签名。有一个未公开的协同设计选项,--remove-signature,它的名字似乎是我需要的。但是,我无法让它工作。我意识到它没有记录,但我真的可以使用该功能。也许我做错了什么?
codesign -s MyIdentity foo.app
works normally, signing the app
正常工作,签署应用程序
codesign --remove-signature foo.app
does disk activity for several seconds, then says
做磁盘活动几秒钟,然后说
foo.app: invalid format for signature
and foo.app has grown to 1.9 GB!!! (Specifically, it is the executable in foo.app/Contents/Resources/MacOS that grows, from 1.1 MB to 1.9 GB.)
而 foo.app 已经增长到 1.9 GB!!!(具体来说,是 foo.app/Contents/Resources/MacOS 中的可执行文件从 1.1 MB 增长到 1.9 GB。)
The same thing happens when I try to sign/unsign a binary support tool instead of a .app.
当我尝试对二进制支持工具而不是 .app 进行签名/取消签名时,也会发生同样的事情。
Any ideas?
有任何想法吗?
Background: This is my own app; I'm not trying to defeat copy protection or anything like that.
背景:这是我自己的应用程序;我不是要破坏复制保护或类似的东西。
I would like to distribute a signed app so that each update to the app won't need user approval to read/write the app's entries in the Keychain. However, some people need to modify the app by adding their own folder to /Resources. If they do that, the signature becomes invalid, and the app can't use it's own Keychain entries.
我想分发一个签名的应用程序,以便应用程序的每次更新都不需要用户批准来读/写钥匙串中的应用程序条目。但是,有些人需要通过将自己的文件夹添加到 /Resources 来修改应用程序。如果他们这样做,签名将变得无效,并且应用程序无法使用它自己的钥匙串条目。
The app can easily detect if this situation has happened. If the app could then remove it's signature, everything would be fine. Those people who make this modification would need to give the modified, now-unsigned app permission to use the Keychain, but that's fine with me.
该应用程序可以轻松检测到这种情况是否发生。如果应用程序可以删除它的签名,一切都会好起来的。进行此修改的人需要授予修改后的、现在未签名的应用程序使用钥匙串的权限,但这对我来说没问题。
回答by user532477
A bit late, but I've updated a public-domain tool called unsignwhich modifies executables to clear out signatures.
有点晚了,但我更新了一个名为的公共域工具unsign,它可以修改可执行文件以清除签名。
回答by user532477
Here's the sourcefor codesignwhich lists all options, including those not covered by the command-line -hand man page.
这里的来源为codesign其中列出了所有选项,包括那些未涉及的命令行-h和手册页。
Also, here is Apple's tech note on recent changes in how code-signing works
回答by Geoff Nixon
I ran into this issue today. I can confirm that the --remove-signatureoption to Apple's codesignis (and remains, six years after the OP asked this question) seriouslybuggy.
我今天遇到了这个问题。我可以确认--remove-signatureApple 的选项codesign(并且在 OP 提出这个问题六年后仍然存在)严重错误。
For a little background, Xcode (and Apple's command line developer tools) include the codesignutility, but there is not included a tool for removing signatures. However, as this is something that needs to be done in certain situations pretty frequently, there is included a completely undocumentedoption:
对于一些背景知识,Xcode(和 Apple 的命令行开发人员工具)包含该codesign实用程序,但不包含用于删除签名的工具。但是,由于在某些情况下需要经常执行此操作,因此包含一个完全未记录的选项:
codesign --remove-signaturewhich (one assumes, given lack of documentation) should, well, be fairly self-explanatory but unfortunately, it rarelyworks as intended without some effort. So I ended up writing a script that should take care of the OP's problem, mine, and similar. If enough people find it here and find it useful, let me know and I'll put it on GitHub or something.
codesign --remove-signature哪个(由于缺乏文档而假设)应该是不言自明的,但不幸的是,如果不付出一些努力,它很少能按预期工作。所以我最终编写了一个脚本来解决 OP 的问题,我的问题和类似的问题。如果有足够多的人在这里找到它并觉得它有用,请告诉我,我会将它放在 GitHub 或其他地方。
#!/bin/sh # codesign_remove_for_real -- working `codesign --remove-signature`
# (c) 2018 G. Nixon. BSD 2-clause minus retain/reproduce license requirements.
total_size(){
# Why its so damn hard to get decent recursive filesize total in the shell?
# - Darwin `du` doesn't do *bytes* (or anything less than 512B blocks)
# - `find` size options are completely non-standardized and doesn't recurse
# - `stat` is not in POSIX at all, and its options are all over the map...
# - ... etc.
# So: here we just use `find` for a recursive list of *files*, then wc -c
# and total it all up. Which sucks, because we have to read in every bit
# of every file. But its the only truly portable solution I think.
find "$@" -type f -print0 | xargs -0n1 cat | wc -c | tr -d '[:space:]'
}
# Get an accurate byte count before we touch anything. Zero would be bad.
size_total=$(total_size "$@") && [ $size_total -gt 0 ] || exit 1
recursively_repeat_remove_signature(){
# `codesign --remove-signature` randomly fails in a few ways.
# If you're lucky, you'll get an error like:
# [...]/codesign_allocate: can't write output file: [...] (Invalid argument)
# [...] the codesign_allocate helper tool cannot be found or used
# or something to that effect, in which case it will return non-zero.
# So we'll try it (suppressing stderr), and if it fails we'll just try again.
codesign --remove-signature --deep "$@" 2>/dev/null ||
recursively_repeat_remove_signature "$@"
# Unfortunately, the other very common way it fails is to do something? that
# hugely increases the binary size(s) by a seemingly arbitrary amount and
# then exits 0. `codesign -v` will tell you that there's no signature, but
# there are other telltale signs its not completely removed. For example,
# if you try stripping an executable after this, you'll get something like
# strip: changes being made to the file will invalidate the code signature
# So, the solution (well, my solution) is to do a file size check; once
# we're finally getting the same result, we've probably been sucessful.
# We could of course also use checksums, but its much faster this way.
[ $size_total == $(total_size "$@") ] ||
recursively_repeat_remove_signature "$@"
# Finally, remove any leftover _CodeSignature directories.
find "$@" -type d -name _CodeSignature -print0 | xargs -0n1 rm -rf
}
signature_info(){
# Get some info on code signatures. Not really required for anything here.
for info in "-dr-" "-vv"; do codesign $info "$@"; done # "-dvvvv"
}
# If we want to be be "verbose", check signature before. Un/comment out:
# echo >&2; echo "Current Signature State:" >&2; echo >&2; signature_info "$@"
# So we first remove any extended attributes and/or ACLs (which are common,
# and tend to interfere with the process here) then run our repeat scheme.
xattr -rc "$@" && chmod -RN "$@" && recursively_repeat_remove_signature "$@"
# Done!
# That's it; at this point, the executable or bundle(s) should sucessfully
# have truly become stripped of any code-signing. To test, one could
# try re-signing it again with an ad-hoc signature, then removing it again:
# (un/comment out below, as you see fit)
# echo >&2 && echo "Testing..." >&2; codesign -vvvvs - "$@" &&
# signature_info "$@" && recursively_repeat_remove_signature "$@"
# And of course, while it sometimes returns false positives, lets at least:
codesign -dvvvv "$@" || echo "Signature successfully removed!" >&2 && exit 0
回答by Geoff Nixon
On a second reading of this question, another thought: perhaps a better approach to accomplish what the ultimate goal of the question is would be not to removethe signatures, but to have users (via a script/transparently) re-sign the app after modification, using an ad-hoc signature. That is, codesign -fs - [app], I believe. See https://apple.stackexchange.com/questions/105588/anyone-with-experience-in-hacking-the-codesigning-on-os-x
在第二次阅读这个问题时,另一个想法是:也许实现问题最终目标的更好方法不是删除签名,而是让用户(通过脚本/透明地)在之后重新签名应用程序修改,使用临时签名。也就是说codesign -fs - [app],我相信。请参阅https://apple.stackexchange.com/questions/105588/anyone-with-experience-in-hacking-the-codesigning-on-os-x
回答by Yuji
I agree that there's something strange going on when you did --remove-signature.
我同意你这样做时发生了一些奇怪的事情--remove-signature。
However, instead of trying to un-code-sign, you should change the way your user put extra files in the Resources. Instead, designate a certain path, usually
但是,与其尝试取消代码签名,不如更改用户将额外文件放入Resources. 相反,指定某个路径,通常
~/Library/Application Support/Name_Of_Your_App/
or maybe
或许
~/Library/Application Support/Name_Of_Your_App/Resources/
and ask the user to put extra files there. Then, in your code, always check for the directory in addition to the files in the Resourceswhen you need to read a file.
并要求用户在那里放置额外的文件。然后,在您的代码中,除了Resources需要读取文件时的文件外,还要始终检查目录。
回答by BillyT2
I believe you can remove the signature by simply deleting the _CodeSignature folder in the App package.
我相信你可以通过简单地删除App包中的_CodeSignature文件夹来删除签名。
