XVimProject / XVim2

Vim key-bindings for Xcode 9
MIT License

Reconsider Xcode re-signing instruction. #376

Open r-plus opened 3 years ago

r-plus commented 3 years ago

The current Xcode re-signing step is for disabling the "Library Validation" feature since Xcode 8.

This is the codesign information for the original Xcode and the re-signed Xcode.

original 12.4

```
Executable=/Applications/Xcode_12.4.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89179fda01d07ba9862d293b896020a0b3516de6
CandidateCDHashFull sha256=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
Hash choices=sha256
CMSDigest=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
CMSDigestType=2
CDHash=89179fda01d07ba9862d293b896020a0b3516de6
Signature size=4547
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=44
TeamIdentifier=59GAB85EFG
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=68
```

re-signed 12.4

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=4d8e4e0d729d83a8afe1da4155560c764b23a821
CandidateCDHashFull sha256=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
Hash choices=sha256
CMSDigest=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
CMSDigestType=2
CDHash=4d8e4e0d729d83a8afe1da4155560c764b23a821
Signature size=1604
Authority=XcodeSigner
Signed Time=Apr 20, 2021 10:04:14
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=96
```

original old versions

7.3.1 has 0x0(none) flags

```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```

CodeDirectory flags changed to `0x0(none)` from `flags=0x2000(library-validation)`, and TeamIdentifier will be `not set`.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent. Both Xcodes (re-signed and removed) no longer prevent malicious plugins like XcodeGhost, thus removing the codesign signature is the same risk.

Removing the codesign signature from Xcode is simple, faster and has no expiry period. NOTE: this does not resolve sign-in to Apple ID via Xcode on BigSur.

Tested on Intel Mac. TBD for M1 Mac.

xcode env load system x64 arm64
re-signed any Xcode Plugin
remove codesign (don't use! this occur `tccd` problem) any Xcode Plugin TBD
original disable library-validation Xcode Plugin TBD TBD
disable library-validation and SIP Xcode Plugin TBD
SIMBL MacForge 1.1.0 not yet support M1

Hmm, is re-signing for tccd process performance...? In my use case, I could not run the app on the iOS simulator.

r-plus commented 3 years ago

I learned why unsigning is not good. Something gets stuck via a tccd process issue. https://github.com/inket/update_xcode_plugins/issues/51

r-plus commented 3 years ago

The `sudo codesign -f -s - /Applications/Xcode.app` command will codesign as adhoc.

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b869b3d9079c8b2ceb427f94a0eb2660470f4073
CandidateCDHashFull sha256=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
Hash choices=sha256
CMSDigest=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
CMSDigestType=2
CDHash=b869b3d9079c8b2ceb427f94a0eb2660470f4073
Signature=adhoc
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=477681
Internal requirements count=0 size=12
```

If this way doesn't have any problems, we can skip creating the self-signed cert (XcodeSigner) for the re-codesign step. I'll test it for a few days...

NOTE: yes, this will not resolve the login to Apple ID via Xcode issue on BigSur.

r-plus commented 3 years ago

Adhoc re-codesigning is no problem in my daily use case.
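
An added example, not part of the thread or of XVim2: a small audit helper that reads `codesign -dvvv` text and reports the signing posture the dumps above differ on (CodeDirectory flags, signer chain, TeamIdentifier). The function names and the trimmed sample strings are constructed for illustration; the flag bits are the ones shown in the dumps.

```python
import re

# Constructed samples: key lines copied from the `codesign -dvvv` dumps in this thread.
SAMPLES = {
    "original": """CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=59GAB85EFG""",
    "re-signed": """CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Authority=XcodeSigner
TeamIdentifier=not set""",
    "adhoc": """CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Signature=adhoc
TeamIdentifier=not set""",
}

# Flag bits as printed in the dumps: 0x2 is adhoc, 0x2000 is library-validation.
CS_ADHOC, CS_LIBRARY_VALIDATION = 0x2, 0x2000

def parse_codesign(text):
    """Parse `codesign -dvvv` text into a signing-posture record."""
    flags = re.search(r"^CodeDirectory .*\bflags=(0x[0-9a-fA-F]+)", text, re.M)
    if not flags:
        raise ValueError("no CodeDirectory line: unsigned, or not codesign output")
    bits = int(flags.group(1), 16)
    team = re.search(r"^TeamIdentifier=(.*)$", text, re.M)
    return {
        "flags": bits,
        "library_validation": bool(bits & CS_LIBRARY_VALIDATION),
        "adhoc": bool(bits & CS_ADHOC),
        "team_id": None if not team or team.group(1) == "not set" else team.group(1),
        "authorities": re.findall(r"^Authority=(.*)$", text, re.M),
    }

def classify(info):
    """Combine signer kind and library-validation state into one label."""
    if info["adhoc"]:
        signer = "adhoc-signed"
    elif info["authorities"][-1:] == ["Apple Root CA"]:
        signer = "Apple-signed"
    else:
        signer = "signed by non-Apple certificate"
    lv = "on" if info["library_validation"] else "off"
    return f"{signer}, library validation {lv}"

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, "->", classify(parse_codesign(text)))
```

`codesign -d` writes to stderr, so capture it with `2>&1` before parsing. The `Authority=` values are display names only; `codesign --verify -R="anchor apple" <path>` is what actually checks that the chain ends at Apple.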