rbxl format: Signature data - Githubissues

RobloxAPI / spec

Specifications related to Roblox.

Creative Commons Attribution Share Alike 4.0 International

13 stars 3 forks source link

rbxl format: Signature data #10

Open Anaminus opened 2 years ago

Anaminus commented 2 years ago

Present in several Roblox-sourced binary models are structures related to content validation. There appear to be two separate implementations:

Encryption-based

~~Script Source properties are encoded with type 0x1D instead of the usual string type. The remaining content appears to be encrypted.~~
~~A SIGN chunk is present, which presumably contains a signature used to decrypt the encrypted-string type.~~
~~Appears to be no longer used, likely in favor of the more-robust signature-based method.~~

Signature-based

~~Script Source properties are encoded as usual.~~
~~A SIGN chunk is present, which presumably contains a signature. This is possibly used to validate the content of previous chunks.~~

Resources

rbxasset://models/DataModelPatch/DataModelPatch.rbxm

Anaminus commented 1 year ago

The above interpretation is incorrect. the SIGN chunk is mostly independent from the 0x1D type.

The 0x1D type refers to compiled Luau bytecode (called "Bytecode").
The SIGN chunk is indeed used to validate the content of the file.

Because arbitrary Bytecode is unsafe to execute, files are validated using the SIGN chunk to ensure that the bytecode comes from a trustworthy source. This is how the two concepts are related.

Resources

https://github.com/latte-soft/0x1D