From 5f7ad515b745e5a3be314c8f599fe29f6b5fbeb8 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Fri, 8 Oct 2021 22:34:48 -0400
Subject: [PATCH 1/7] Add ldid.1
---
 ldid.1 | 140 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 140 insertions(+)
 create mode 100644 ldid.1
diff --git a/ldid.1 b/ldid.1
new file mode 100644
index 0000000..32f8ac3
--- /dev/null
+++ b/ldid.1
@@ -0,0 +1,140 @@
+.\"-
+.\" Copyright (c) 2021 Cameron Katri
+.\" SPDX-License-Identifier: AGPL-3.0-or-later
+.\"
+.Dd October 8, 2021
+.Dt LDID 1
+.Os
+.Sh NAME
+.Nm ldid
+.Nd Link Identity Editor
+.Sh SYNOPSIS
+.Nm
+.Op Fl aDdehMPqu
+.Op Fl A Ns Ar cputype : Ns Ar subtype
+.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+.Op Fl K Ns Ar key.p12
+.Op Fl r | Fl S Ns Ar file | Fl s
+.Ar
+.Sh DESCRIPTION
+.Nm
+adds SHA1 and SHA256 hashes to a Mach-O file so that they can be run on a system that has validation but not signature verification.
+.Bl -tag -width -indent
+.It Fl a
+Print the CPU types and subtypes in hexadecimal.
+.It Fl A Ns Ar cputype : Ns Ar subtype
+When used with
+.Fl a , Fl D , Fl e , Fl h , Fl q ,
+or
+.Fl u ,
+only act on the slice specified by
+.Ar cputype
+and
+.Ar subtype .
+.Ar cputype
+and
+.Ar subtype
+should both be integers.
+.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+Specify the option flags to embed in the code signature.
+See
+.Xr codesign 1
+for details about these options.
+.It Fl D
+Reset the cryptid.
+.It Fl d
+Print the cryptid in the binaries if it exists.
+For compatibility reasons it also acts as
+.Fl h ,
+but this will be removed in the future.
+.It Fl e
+Print the entitlements in each slice, or the slice specified by
+.Fl A ,
+to
+.Ar stdout .
+.It Fl h
+Print information about the signature, such as hash types, flags, CDHash, and CodeDirectory version to
+.Ar stdout .
+.It Fl K Ns Ar key.p12
+Sign using the identity in
+.Ar key.p12 .
+This will give the binary a valid signature so that it can be run on a system with signature validation.
+.Ar key.p12
+must not have a password.
+.It Fl M
+When used with
+.Fl S ,
+merge the new and existing entitlements instead of replacing the existing entitlements, this is useful for adding a few specific entitlements to a handful of binaries.
+.It Fl P
+Mark the Mach-O as a platform binary.
+.It Fl Q Ns Ar file
+Embed the requirements found in
+.Ar file .
+.It Fl q
+Print embedded requirements of the binaries.
+.It Fl r
+Remove the signature from the Mach-O.
+.It Fl S Ns Op Ar file
+Pseudo sign the Mach-O binaries.
+If
+.Ar file
+is specified then the entitlements found in
+.Ar file
+will be embedded in the Mach-O.
+.It Fl s
+Resign the Mach-O binaries while keeping the existing entitlements.
+.It Fl u
+If the binary was linked against UIKit, then print the UIKit version that the Mach-O binaries was linked against.
+.El
+.Sh EXAMPLES
+The command:
+.Pp
+.Dl "ldid -S file"
+.Pp
+will fakesign
+.Ar file
+with no entitlements.
+.Pp
+The command:
+.Pp
+.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml file"
+.Pp
+will sign
+.Ar file
+using the key in
+.Ar /path/to/key.p12
+with the entitlements found in
+.Ar ent.xml ,
+and mark it as an adhoc signature.
+.Pp
+The command:
+.Pp
+.Dl "ldid -Sent.xml -M file"
+.Pp
+will add the entitlements in
+.Ar ent.xml
+to the entitlements already in
+.Ar file .
+.Pp
+The command:
+.Pp
+.Dl "ldid -e file > ent.xml"
+.Pp
+will save the entitlements found in each slice of
+.Ar file
+to
+.Ar ent.xml .
+.Sh SEE ALSO
+.Xr codesign 1
+.Sh HISTORY
+The
+.Nm
+utility was written by
+.An Jay \*qSaurik\*q Freeman .
+iPhoneOS 1.2.0 and 2.0 support was added on April 6, 2008.
+.Fl S
+was added on June 13, 2008.
+SHA256 support was added on August 25, 2016, fixing iOS 11 support.
+iOS 14 support was added on July 31, 2020 by
+.An Kabir Oberai .
+iOS 15 support was added on June 11, 2021.
From 801a07cb76512e2bf28d71073c31ba904d6cf0d2 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Fri, 8 Oct 2021 23:01:33 -0400
Subject: [PATCH 2/7] Update usage
---
 ldid.cpp | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/ldid.cpp b/ldid.cpp
index b017ebe..d09d2f0 100644
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -3090,15 +3090,10 @@ std::string Hex(const uint8_t *data, size_t size) {
 static void usage(const char *argv0) {
 fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION);
- fprintf(stderr, "usage: %s -S[entitlements.xml] \n", argv0);
- fprintf(stderr, " %s -e MobileSafari\n", argv0);
- fprintf(stderr, " %s -S cat\n", argv0);
- fprintf(stderr, " %s -Stfp.xml gdb\n", argv0);
- fprintf(stderr, "\n");
- fprintf(stderr, "Other Options\n");
- fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
- fprintf(stderr, " -M Merge entitlements with any existing\n");
- fprintf(stderr, " -h Print CDHash of file\n");
+ fprintf(stderr, "usage: %s [-aDdehMPqu] [-Acputype:subtype]\n", argv0);
+ fprintf(stderr, " [-C[adhoc | enforcement | expires |\n");
+ fprintf(stderr, " hard | host | kill | library-validation | restrict | runtime]]\n");
+ fprintf(stderr, " [-Kkey.p12] [-r | -Sfile | -s] file ...\n");
 }
 #ifndef LDID_NOTOOLS
From 38ec06d41454b3d447ac6dd9346742465283c587 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Sat, 9 Oct 2021 15:25:25 -0400
Subject: [PATCH 3/7] ldid.1: Document -T
---
 ldid.1 | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/ldid.1 b/ldid.1
index 32f8ac3..7fba359 100644
--- a/ldid.1
+++ b/ldid.1
@@ -15,6 +15,7 @@
 .Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
 .Op Fl K Ns Ar key.p12
 .Op Fl r | Fl S Ns Ar file | Fl s
+.Op Fl T Ns Ar timestamp
 .Ar
 .Sh DESCRIPTION
 .Nm
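Review bot: The rewritten usage line `[-aDdehMPqu] [-Acputype:subtype]` leaves out `-Q`, although the ldid.1 added in this series documents `.It Fl Q Ns Ar file` (embed the requirements found in file), and the `-T` option documented two patches later is absent as well; the later rewrite of these same lines at `@@ -3090,10 +3090,11 @@` adds `[-Ttimestamp]` but still lacks `-Q`. Since usage() is the only help built into the binary, a flag missing here is undiscoverable without the man page, so add it next to the other argument-taking flags, e.g. `[-Kkey.p12] [-Qfile] [-r | -Sfile | -s] file ...`; the ldid.1 SYNOPSIS lacks `.Op Fl Q Ns Ar file` for the same reason. The removed `-S[entitlements.xml]` showed the argument as optional, which the man page keeps as `.Op Fl S Ns Op Ar file`, while the new `-Sfile` presents it as required; `-S[file]` would match the documented form.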
@@ -83,6 +84,15 @@ is specified then the entitlements found in
 will be embedded in the Mach-O.
 .It Fl s
 Resign the Mach-O binaries while keeping the existing entitlements.
+.It Fl T Ns Ar timestamp
+When signing a dylib, set the timestamp to
+.Ar timestamp .
+.Ar timestamp
+should be an UNIX timestamp in seconds, if
+.Ar timestamp
+is a single dash
+.Pq Sq Fl ,
+the timestamp will be set to a hash of the Mach-O header.
 .It Fl u
 If the binary was linked against UIKit, then print the UIKit version that the Mach-O binaries was linked against.
 .El
From 58b9c283a2b414d4c9a1ce0499126a423adb97d0 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Sun, 10 Oct 2021 12:32:01 -0400
Subject: [PATCH 4/7] ldid.1: Each arg needs it's own -
---
 ldid.1 | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ldid.1 b/ldid.1
index 7fba359..6dbb90e 100644
--- a/ldid.1
+++ b/ldid.1
@@ -10,12 +10,20 @@
 .Nd Link Identity Editor
 .Sh SYNOPSIS
 .Nm
-.Op Fl aDdehMPqu
 .Op Fl A Ns Ar cputype : Ns Ar subtype
+.Op Fl a
 .Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+.Op Fl D
+.Op Fl d
+.Op Fl e
+.Op Fl h
 .Op Fl K Ns Ar key.p12
+.Op Fl M
+.Op Fl P
+.Op Fl q
 .Op Fl r | Fl S Ns Ar file | Fl s
 .Op Fl T Ns Ar timestamp
+.Op Fl u
 .Ar
 .Sh DESCRIPTION
 .Nm
From 4681072dfb14525030bc03b078de95f0e033f203 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Sun, 10 Oct 2021 12:34:57 -0400
Subject: [PATCH 5/7] Update usage
---
 ldid.cpp | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ldid.cpp b/ldid.cpp
index d09d2f0..8656b24 100644
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -3090,10 +3090,11 @@ std::string Hex(const uint8_t *data, size_t size) {
 static void usage(const char *argv0) {
 fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION);
- fprintf(stderr, "usage: %s [-aDdehMPqu] [-Acputype:subtype]\n", argv0);
- fprintf(stderr, " [-C[adhoc | enforcement | expires |\n");
- fprintf(stderr, " hard | host | kill | library-validation | restrict | runtime]]\n");
- fprintf(stderr, " [-Kkey.p12] [-r | -Sfile | -s] file ...\n");
+ fprintf(stderr, "usage: %s [-Acputype:subtype] [-a]\n", argv0);
+ fprintf(stderr, " [-C[adhoc | enforcement | expires | hard |\n");
+ fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
+ fprintf(stderr, " [-e] [-h] [-Kkey.p12] [-M] [-P] [-q] [-r | -Sfile | -s]\n");
+ fprintf(stderr, " [-Ttimestamp] [-u] file ...\n");
 }
 #ifndef LDID_NOTOOLS
From 34dc232cb63f4d18007e79bba40a5fe86adcfe81 Mon Sep 17 00:00:00 2001
From: Cameron Katri
Date: Sun, 10 Oct 2021 13:18:23 -0400
Subject: [PATCH 6/7] Improve usage
---
 ldid.cpp | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/ldid.cpp b/ldid.cpp
index 8656b24..acfc679 100644
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -3095,6 +3095,12 @@ static void usage(const char *argv0) {
 fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
 fprintf(stderr, " [-e] [-h] [-Kkey.p12] [-M] [-P] [-q] [-r | -Sfile | -s]\n");
 fprintf(stderr, " [-Ttimestamp] [-u] file ...\n");
+ fprintf(stderr, "Options:\n");
+ fprintf(stderr, " -S[file] Pseudo sign using the entitlements in file\n");
+ fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
+ fprintf(stderr, " -M Merge entitlements with any existing\n");
+ fprintf(stderr, " -h Print CDHash of file\n\n");
+ fprintf(stderr, "More information: 'man ldid'\n");
 }
 #ifndef LDID_NOTOOLS
From d340893fe816da24fba26cf3a201f1ec35b129c2 Mon Sep 17 00:00:00 2001
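Review bot: The added `-h Print CDHash of file` line in the Options block understates the flag: ldid.1 in this same series describes `-h` as printing hash types, flags, CDHash and CodeDirectory version, so the two help texts now disagree; `" -h Print signature info (hash types, flags, CDHash)\n\n"` would match the man page. The block also lists four of the sixteen options shown in the synopsis directly above it with nothing marking it as a subset, and `"Options:\n"` follows `file ...\n` with no separating blank line; `"\nOptions (common; see man ldid for all):\n"` addresses both. The `-Kkey.p12 Sign using private key in key.p12` line carried over from the hunk at `@@ -3090,15 +3090,10 @@` could usefully state what the man page states, that the key file must not have a password, since that is the property a user needs to know before pointing the tool at a key.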
From: Cameron Katri
Date: Sun, 10 Oct 2021 13:31:34 -0400
Subject: [PATCH 7/7] Update -S[file.xml
---
 ldid.1 | 10 +++++-----
 ldid.cpp | 2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/ldid.1 b/ldid.1
index 6dbb90e..a79107c 100644
--- a/ldid.1
+++ b/ldid.1
@@ -21,7 +21,7 @@
 .Op Fl M
 .Op Fl P
 .Op Fl q
-.Op Fl r | Fl S Ns Ar file | Fl s
+.Op Fl r | Fl S Ns Ar file.xml | Fl s
 .Op Fl T Ns Ar timestamp
 .Op Fl u
 .Ar
@@ -83,12 +83,12 @@ Embed the requirements found in
 Print embedded requirements of the binaries.
 .It Fl r
 Remove the signature from the Mach-O.
-.It Fl S Ns Op Ar file
-Pseudo sign the Mach-O binaries.
+.It Fl S Ns Op Ar file.xml
+Pseudo-sign the Mach-O binaries.
 If
-.Ar file
+.Ar file.xml
 is specified then the entitlements found in
-.Ar file
+.Ar file.xml
 will be embedded in the Mach-O.
 .It Fl s
 Resign the Mach-O binaries while keeping the existing entitlements.
diff --git a/ldid.cpp b/ldid.cpp
index acfc679..d3c5069 100644
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -3096,7 +3096,7 @@ static void usage(const char *argv0) {
 fprintf(stderr, " [-e] [-h] [-Kkey.p12] [-M] [-P] [-q] [-r | -Sfile | -s]\n");
 fprintf(stderr, " [-Ttimestamp] [-u] file ...\n");
 fprintf(stderr, "Options:\n");
- fprintf(stderr, " -S[file] Pseudo sign using the entitlements in file\n");
+ fprintf(stderr, " -S[file.xml] Pseudo-sign using the entitlements in file\n");
 fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n");
 fprintf(stderr, " -M Merge entitlements with any existing\n");
 fprintf(stderr, " -h Print CDHash of file\n\n");
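Review bot: The option-help line now prints `-S[file.xml]` while the synopsis three lines above it, an unchanged context line in this hunk, still prints `[-r | -Sfile | -s]`, and the ldid.1 SYNOPSIS changed in the same patch to `Ar file.xml`, so the in-binary help disagrees with itself about both the argument's name and whether it is optional. Change the synopsis line to `fprintf(stderr, " [-e] [-h] [-Kkey.p12] [-M] [-P] [-q] [-r | -S[file.xml] | -s]\n");` so the optional argument is shown the same way in both places, and finish the rename in the help text itself, `Pseudo-sign using the entitlements in file.xml`. In ldid.1 the SYNOPSIS uses `Fl S Ns Ar file.xml`, which presents the argument as required, while the description keeps `.Op Fl S Ns Op Ar file.xml`; `Fl S Ns Op Ar file.xml` in the SYNOPSIS would make the two consistent.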