On 27 Oct 2015, at 20:06, Mike Perry <mikeperry@torproject.org> wrote:

teor:

On 27 Oct 2015, at 05:41, Conrad Kramer <ckrames1234@gmail.com> wrote:

On Oct 26, 2015, at 11:22 AM, Spencer <spencerone@openmailbox.org> wrote:

Hi,

Conrad Kramer:
All resources in a bundle (e.g. an app or framework) are
signed and the signatures are stored in a file named "CodeResources":

Then what is in 'CodeSignature', Apple's signing stuff?

The `_CodeSignature` folder currently only contains the `CodeResources` file.
The `CodeResources` file is simple XML.

The executables have their own signature in the `LC_CODE_SIGNATURE` load
command in the Mach-O binary.

...
What we have done on Windows is to provide instructions for users to use
osslsigncode to remove the signatures if they wish to check what they
downloaded against a reproduced build. When the Windows signatures are
removed, the resulting de-signed files will have the same sha256sums as
the official builds:
https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerification

We want to do this for MacOSX as well. Does anyone happen to know if we can
use otool in some way to remove these LC_CODE_SIGNATURE sections easily,
and get the same exact binary as before signing?

...

otool will display sections, but it won’t modify the binary.

strip -no_uuid strips the UUID section, and strip -c creates a stub library by stripping the code signature and all section (code) contents. But it can't strip LC_CODE_SIGNATURE sections without stripping all the code as well.

There's no documented Apple tool to strip code signatures.
But the codesign tool itself has an undocumented option to remove signatures:

    codesign has several operations and options that are purposely left
    undocumented in this manual page because they are either experimental
    (and subject to change at any time), or unadvised to the unwary.  The
    interminably curious are referred to the published source code.

https://opensource.apple.com/source/security_systemkeychain/security_systemkeychain-39457/src/codesign.cpp

    { "remove-signature", no_argument,		NULL, optRemoveSignature },
    case optRemoveSignature:
        signerName = NULL;
        operation = doSign;		// well, un-sign

Unfortunately, I can't seem to get that option to work - perhaps others will have better luck:

$ codesign --remove-signature /.../TestSignature.app/Contents/MacOS/TestSignature 
/.../TestSignature.app/Contents/MacOS/TestSignature: unsupported type or version of signature
$ codesign --remove-signature /.../TestSignature.app 
/.../TestSignature.app: unsupported type or version of signature
$ codesign --remove-signature /.../TestSignature.app/Contents/_CodeSignature/CodeResources
(Prints nothing, leaves CodeResources unchanged.)

TestSignature is the OS X Objective C app template signed by "-" (local, default identity).

I wonder if it only strips v1 signatures, and hasn't been updated for v2 signatures?
(I'm on 10.10.5 with Xcode 7.1, perhaps other versions of codesign will work.)

I've been working off this Apple code signing documentation:
https://developer.apple.com/library/mac/technotes/tn2206/_index.html#//apple_ref/doc/uid/DTS40007919-CH1-TNTAG211


Mozilla has solved a related problem by adding striptease (an enhanced strip command) to their build process:
https://bugzilla.mozilla.org/show_bug.cgi?id=411954
https://github.com/mackyle/striptease

striptease will strip code signatures, but it's an external tool, so that's not an ideal dependency.

Tim

Tim Wilson-Brown (teor)

teor2345 at gmail dot com
PGP 968F094B

teor at blah dot im
OTR CAD08081 9755866D 89E2A06F E3558B7F B5A9D14F
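
Added example, not part of the e-mail thread and not code from any of the posters, Apple or the Tor Project: a read-only Python parser that walks the load commands of a thin little-endian Mach-O image and reports where the `LC_CODE_SIGNATURE` command discussed above points. The function names and the sample image built by `build_sample` are constructed for illustration.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin little-endian Mach-O
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0          # SuperBlob magic, stored big-endian

def find_code_signature(data):
    """Return details of LC_CODE_SIGNATURE in a thin Mach-O image, or None."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    ncmds, sizeofcmds = struct.unpack_from("<2I", data, 16)
    if magic not in (MH_MAGIC, MH_MAGIC_64):
        raise ValueError("not a thin little-endian Mach-O (fat or byte-swapped?)")
    off = 32 if magic == MH_MAGIC_64 else 28     # 64-bit header has a reserved word
    end = off + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for index in range(ncmds):
        if off + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("bad cmdsize in load command %d" % index)
        if cmd == LC_CODE_SIGNATURE and cmdsize >= 16:
            # linkedit_data_command: cmd, cmdsize, dataoff, datasize
            dataoff, datasize = struct.unpack_from("<2I", data, off + 8)
            if dataoff + datasize > len(data):
                raise ValueError("signature blob lies outside the file")
            blob_magic = struct.unpack_from(">I", data, dataoff)[0] if datasize >= 4 else None
            return {"cmd_index": index, "dataoff": dataoff, "datasize": datasize,
                    "blob_magic": blob_magic, "ends_at_eof": dataoff + datasize == len(data)}
        off += cmdsize
    return None

def build_sample(signed=True):
    """Constructed 64-bit image: header, LC_UUID, optional signature command and blob."""
    blob = struct.pack(">3I", CSMAGIC_EMBEDDED_SIGNATURE, 12, 0)   # empty SuperBlob
    cmds = struct.pack("<2I16s", LC_UUID, 24, bytes(16))
    if signed:
        cmds += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 32 + 24 + 16, len(blob))
    ncmds = 2 if signed else 1
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, ncmds, len(cmds), 0, 0)
    return header + cmds + (blob if signed else b"")

if __name__ == "__main__":
    print(find_code_signature(build_sample()))
```

The parser only reports where the signature sits; it does not modify the binary.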