[bug] Some entitlements break after adding tweaks

[teflocarbon]

have you searched the existing issues?

• [x] this is a unique issue. i agree that if this isn't a unique issue, i'll be BLOCKED from the cyan repo

describe the bug.

Environment

• Cyan Version: v1.2.3
• iOS Version: iOS 18.2b1
• Device: iPhone 16 Pro Max
• Host OS: macOS Sequoia 15.1 Beta (24B5077a)
• Discord Version: 252.0
• Tweak: Revenge v250.0

Description

Push notifications stop working when injecting tweaks using cyan, despite entitlements remaining identical. This occurs even though the signing process completes successfully.

Expected Behavior

Push notifications should work normally after injecting tweaks with cyan.

Actual Behavior

Push notifications fail to arrive when the app is closed, despite proper entitlements and signing.

Steps to Reproduce:

• Get a decrypted ipa, preferably static (I used Discord)
• Get a tweak for Discord (I used Revenge)
• Use cyan to add the tweak to the decrypted ipa.
• Sideload it onto an iDevice with a signing service that supports notifications.
• Trigger a push notification and see if it arrives to the device whilst the app is closed.

When using cyan to add tweaks to a .ipa, it caused the main binary of the application to be modified on some way, causing certain entitlements like push notifications to break.

This was the command that I used. cyan -i com.hammerandchisel.discord-252.0-985746746-869832312_decrypted.ipa -f io.github.revenge-mod.app_1.0.0_iphoneos-arm.deb -o com.hammerandchisel.discord-252.0-985746746-869832312_decrypted_revenge.ipa

To make sure that the issue was not due to the tweak itself, I tested four versions of the app.

• Original statically decrypted version, manually decrypted by myself.
• Output ipa from cyan with tweaks.
• Output ipa from cyan with no tweaks.
• Output ipa from cyan with tweaks and with binary from original statically decrypted version

The original decrypted version had no issues with notifications and neither did the one that had the binary replaced. The output with no tweaks worked fine as well (Pretty sure this is just unpack + repack) The output ipa from cyan after being modified with a tweak did not work though.

The tweak that was used was v250.0 of Revenge but I don't believe it has much relevance. It can be found here though. https://github.com/revenge-mod/revenge-tweak

The signing service that was used was my own Apple Developer account with SignTools CI. I don't notice any particular difference when they were being signed.

I checked the entitlements with ldid and I found no difference between the two.

ldid -e Discord
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.associated-appclip-app-identifiers</key>
    <array>
        <string>53Q6R32WPB.com.hammerandchisel.discord.InviteAppClip</string>
    </array>
    <key>com.apple.developer.avfoundation.multitasking-camera-access</key>
    <true/>
    <key>application-identifier</key>
    <string>53Q6R32WPB.com.hammerandchisel.discord</string>
    <key>com.apple.developer.team-identifier</key>
    <string>53Q6R32WPB</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.storekit.request-data</key>
    <true/>
    <key>com.apple.developer.associated-domains</key>
    <array>
        <string>applinks:discord.com</string>
        <string>applinks:discordapp.com</string>
        <string>applinks:discord.gg</string>
        <string>applinks:discord.new</string>
        <string>applinks:discord.gift</string>
        <string>applinks:discord.gifts</string>
        <string>applinks:discord.co</string>
        <string>applinks:*.discord.com</string>
        <string>applinks:*.discordapp.com</string>
        <string>applinks:*.discord.gg</string>
        <string>applinks:*.discord.new</string>
        <string>applinks:*.discord.gift</string>
        <string>applinks:*.discord.gifts</string>
        <string>applinks:*.discord.co</string>
        <string>applinks:discordapp.page.link</string>
        <string>webcredentials:discord.com</string>
        <string>webcredentials:*.discord.com</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.hammerandchisel.discord</string>
    </array>
    <key>com.apple.developer.usernotifications.communication</key>
    <true/>
</dict>
</plist>

However, they did both have two different hashes. Original: 3224b6b42fa64831ea56c68d9bbb6ab4c1552240bbc1446fd745f546d87cc757 Discord Cyan: b055e8a0543a37c803148ac812e97370fb3a5edb4fca4f04c876e49f1e8d5f71 Discord

There is also a small file size difference as well. Original: 36562304 bytes Tweaked: 35917504 bytes

Extra Information

Cyan Logs

I didn't notice a verbose option so this is just what it typically says.

[*] extracting ipa..
[*] extracted ipa
[*] extracted io.github.revenge-mod.app_1.0.0_iphoneos-arm.deb
[*] fixed dependency in RevengeTweak.dylib: /Library/Frameworks/Orion.framework/Orion -> @rpath/Orion.framework/Orion
[*] injected RevengeTweak.dylib
[*] injected RevengePatches.bundle
[*] auto-injected CydiaSubstrate.framework
[*] auto-injected Orion.framework
[*] restored entitlements
[*] generating ipa with compression level 6..
[*] generated ipa at com.hammerandchisel.discord-252.0-985746746-869832312_decrypted-revenge.ipa
[*] deleting temporary directory..

[asdfzxcvbn]

hmm... that actually is really strange

could you please see if you can reproduce this with pyzule?

[asdfzxcvbn]

debugged the issue with the author. summary:

• author is using signtools to install the ipa with their own linked developer account.
• signtools internally uses apple's codesign to extract entitlements from app binaries.
• codesign is unable to extract the entitlements only from the main binary (for some reason?) and logs:

b"Executable=/private/var/folders/d3/3v3wd4390c76s9j518cn498c0000gn/T/tmpcz06ndqj/Payload/Discord.app/Discord\n/var/folders/d3/3v3wd4390c76s9j518cn498c0000gn/T/tmpcz06ndqj/Payload/Discord.app: no signature\nwarning: Specifying ':' in the path is deprecated and will not work in a future release\nwarning: binary contains an invalid entitlements blob. The OS will ignore these entitlements.\n"
Failed to dump entitlements, using empty
Original entitlements:
{}
Failed to read old team id
Failed to read old app id prefix

• the issue is fixed after modifying codesign_dump_entitlements() to use ldid like so:

def codesign_dump_entitlements(executable: str) -> Dict[Any, Any]:
    proc = run_process("ldid", "-e", executable)
    return plist_loads(decode_clean(proc.stdout))

• and this line with: old_entitlements = codesign_dump_entitlements(f"{component}/{info['CFBundleExecutable']}")

• the issue is also apparently fixed when the entitlements plist is exported with ldid and then the binary is signed with codesign

this means ldid must be signing the binary incorrectly to cause the "binary contains an invalid entitlements blob" warning. i'll open an issue in the morning (i'm sleepy asf rn)