Open r-plus opened 3 years ago
I learned why unsign is not good.
Something gets stuck via the `tccd` process issue. https://github.com/inket/update_xcode_plugins/issues/51
The `$ sudo codesign -f -s - /Applications/Xcode.app` command will codesign as adhoc.
```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b869b3d9079c8b2ceb427f94a0eb2660470f4073
CandidateCDHashFull sha256=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
Hash choices=sha256
CMSDigest=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
CMSDigestType=2
CDHash=b869b3d9079c8b2ceb427f94a0eb2660470f4073
Signature=adhoc
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=477681
Internal requirements count=0 size=12
```
If this way does not have any problems, we can skip creating the self-signed cert (XcodeSigner) for the re-codesign step. I'll test it for a few days...
NOTE: yes, this will not resolve the login to Apple ID via Xcode issue on Big Sur.
adhoc re-codesigning is no problem in my daily use case.
The current Xcode re-signing step is for disabling the "Library Validation" feature since Xcode 8.
This is the codesign information of the original Xcode and the re-signed Xcode.
original 12.4
re-signed 12.4
original old versions
7.3.1 has 0x0(none) flags
```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```

CodeDirectory flags changed to `0x0(none)` from `flags=0x2000(library-validation)`, and TeamIdentifier will be `not set`.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent. Both Xcodes (re-signed and removed) no longer prevent malicious plugins like XcodeGhost, thus removing the codesign signature is the same risk.
Removing the codesign signature from Xcode is simple, faster, and has no expiry period. NOTE: this does not resolve sign-in to Apple ID via Xcode on Big Sur.
Tested on Intel Mac. TBD for M1 Mac.
Hmm, is re-signing for `tccd` process performance...? In my use case, could not run app on iOS simulator.
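
Added example, not part of the original thread or of the update_xcode_plugins project: a small Python parser for `codesign -dvvv` output that reports the properties compared in the comments above (adhoc flag, library-validation flag, authority chain, TeamIdentifier). The function names and the trimmed sample strings are assumptions constructed for illustration; the two flag values are the ones shown in the thread.

```python
import re
import subprocess

# Flag bits exactly as they appear in the codesign output quoted in this thread.
ADHOC = 0x2
LIBRARY_VALIDATION = 0x2000

def parse_codesign(text):
    """Turn `codesign -dvvv` output into a dict; repeated keys (Authority) accumulate."""
    info = {"flags": None}
    for line in text.splitlines():
        m = re.match(r"\s*CodeDirectory\b.*\bflags=(0x[0-9a-fA-F]+)", line)
        if m:
            info["flags"] = int(m.group(1), 16)
        elif "=" in line:
            key, value = line.strip().split("=", 1)
            info.setdefault(key, []).append(value)
    return info

def summarize(text):
    """Report the signing properties compared in the thread (hypothetical helper)."""
    info = parse_codesign(text)
    flags = info["flags"] or 0
    team = info.get("TeamIdentifier", ["not set"])[0]
    return {
        "signed": info["flags"] is not None,  # no CodeDirectory line: signature removed
        "adhoc": bool(flags & ADHOC),
        "library_validation": bool(flags & LIBRARY_VALIDATION),
        # Authority lines are certificate display names, not proof of an Apple-issued chain.
        "authorities": info.get("Authority", []),
        "team_id": None if team == "not set" else team,
    }

def describe(path):
    """Run codesign on a bundle (macOS only); the details are written to stderr."""
    proc = subprocess.run(["codesign", "-dvvv", path], capture_output=True, text=True)
    return summarize(proc.stderr)

# Constructed samples: only the relevant lines, trimmed from the outputs quoted above.
ADHOC_12_4 = """CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Signature=adhoc
TeamIdentifier=not set"""
ORIGINAL_7_3_1 = """CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=not set"""
if __name__ == "__main__":
    for name, sample in (("adhoc 12.4", ADHOC_12_4), ("original 7.3.1", ORIGINAL_7_3_1)):
        print(name, summarize(sample))
```

Any bundle for which `library_validation` is false, whether adhoc, self-signed or unsigned, is in the state the thread describes: it no longer prevents plugins that are not signed by the same team from loading.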