teor:
On 27 Oct 2015, at 05:41, Conrad Kramer ckrames1234@gmail.com wrote:
On Oct 26, 2015, at 11:22 AM, Spencer spencerone@openmailbox.org wrote:
Hi,
Conrad Kramer: All resources in a bundle (e.g. an app or framework) are signed and the signatures are stored in a file named "CodeResources”:
Then what is in 'CodeSignature', Apple's signing stuff?
The `_CodeSignature` folder currently only contains the `CodeResources` file. The `CodeResources` file is simple XML.
The executables have their own signature in the `LC_CODE_SIGNATURE` load command in the Mach-O binary.
Reproducible builds will be much easier if the executable signatures are also placed in a separate file, rather than modifying the executable.
I'm guessing there's no option for detached executable signatures?
Likely not, based on the description of the system. This is also the case for Windows signatures, btw, which we have been already doing for some time.
What we have done on Windows is to provide instructions for users to use osslsigncode to remove the signatures if they wish to check what they downloaded against a reproduced build. When the Windows signatures are removed, the resulting de-signed files will have the same sha256sums as the official builds: https://www.torproject.org/docs/verifying-signatures.html.en#BuildVerificati...
We want to do this for MacOSX as well. Does anyone happen to know if we can use otool in some way to remove these LC_CODE_SIGNATURE sections easily, and get the same exact binary as before signing?
We won't be doing this for iOS any time soon, nor will we be using the App Store. I think this means we can ignore the more complicated DRM encryption/decryption jailbreaking steps in the docs that Mike Tigas linked to, as DRM encryption should not be involved for us. Hopefully this makes it easier?