indygreg / apple-platform-rs

Rust crates supporting Apple platform development

rcodesign insists on Info.plist having CFBundleIdentifier #71

Closed amsam0 closed 10 months ago

amsam0 commented 1 year ago

I was trying out rcodesign sign on an iOS .app (a tweaked version of YouTube, 100+ MB) and it was working great until it ran into a deeply nested framework with an Info.plist with no bundle identifier. Turns out the bundle has a lot of these, and I actually got to fully signing bundle app, as I gave up on manually adding a dummy bundle identifier after a few frameworks.

I was wondering if there is any possibility of a command line option (or SignerSettings property as I plan to use apple-codesign as a library) to skip these bundles, or give it a dummy bundle identifier if it runs into that error. While we could do this beforehand, I think it would be more efficient to do it while signing.

I may be able to implement this (and possibly the optional features to reduce dependencies mentioned in #70) if you think it would be a good feature.

indygreg commented 1 year ago

A SignerSettings mechanism to specify a bundle identifier for a given scope seems very reasonable. We already have a binary_identifier API which is very similar.

I also like the idea of a default pattern to derive a bundle identifier if it is missing.

amsam0 commented 1 year ago

I made an implementation of the .app Info.plist dummy bundle ID finder here: https://github.com/SideStore/apple-private-apis/blob/master/apple-codesign-wrapper/src/dummy_bundle_id.rs

It could probably be optimized more by using ignore's API to only include Info.plist files instead of checking ourselves.

It's decently fast on 100+ MB .apps, but the code could definitely be cleaned up, as the error handling is very verbose.
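An added example (not the code linked above and not part of apple-codesign): a Python pre-flight audit that walks an iOS .app and lists every Info.plist lacking CFBundleIdentifier, with a suggested identifier for each. The `<app identifier>.<directory name>` pattern, the `placeholder.invalid` fallback, the function names and the constructed sample bundle are all assumptions, and it assumes the iOS layout where Info.plist sits at the bundle root.

```python
import plistlib
import re
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def load_plist(path):
    """Parse an XML or binary plist; None if unreadable or not a dictionary."""
    try:
        with open(path, "rb") as f:
            data = plistlib.load(f)
    except (OSError, ValueError, ExpatError):
        return None
    return data if isinstance(data, dict) else None

def audit_bundle_ids(app_root, fallback_prefix="placeholder.invalid"):
    """Map each problem Info.plist (relative path) to a suggested identifier."""
    app_root = Path(app_root)
    top = load_plist(app_root / "Info.plist") or {}
    prefix = top.get("CFBundleIdentifier") or fallback_prefix
    findings = {}
    for plist_path in sorted(app_root.rglob("Info.plist")):
        rel = plist_path.relative_to(app_root).as_posix()
        info = load_plist(plist_path)
        if info is None:
            findings[rel] = None  # unparseable: needs manual review
        elif not info.get("CFBundleIdentifier"):
            # Assumed pattern: <app identifier>.<sanitized directory stem>
            stem = re.sub(r"[^A-Za-z0-9.-]", "-", plist_path.parent.stem)
            findings[rel] = f"{prefix}.{stem}"
    return findings

def build_sample_app(root):
    """Create a small constructed .app tree for demonstration."""
    app = Path(root) / "Demo.app"
    trees = {
        "": {"CFBundleIdentifier": "com.example.demo"},
        "Frameworks/Good.framework": {"CFBundleIdentifier": "com.example.good"},
        "Frameworks/Nested.framework": {"CFBundleName": "Nested"},  # no identifier
        "Frameworks/Broken.framework": b"not a plist",  # corrupt file
    }
    for rel, info in trees.items():
        (app / rel).mkdir(parents=True, exist_ok=True)
        data = info if isinstance(info, bytes) else plistlib.dumps(info, fmt=plistlib.FMT_BINARY)
        (app / rel / "Info.plist").write_bytes(data)
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_bundle_ids(build_sample_app(tmp)))
```

The audit only reports; it never rewrites a plist, so the choice between skipping a directory and assigning it an identifier stays with whoever runs the signing step.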

indygreg commented 10 months ago

YouTube.app isn't a great test case for rcodesign because it appears to be using custom CodeResources rules, which fail codesign verification (at least when using a modern codesign). But I'm willing to entertain the idea of supporting it.

There's definitely some wonkiness with Info.plist causing directories to be signed as bundles when they shouldn't be. I'm actively looking at this as it is one of the last big bugs with bundle signing. It seems to affect iOS more than macOS.

indygreg commented 10 months ago

I think this bug report has more to do with rcodesign's over-eager detection of a path as a bundle than with CFBundleIdentifier behavior.

The latest code in the main branch is much more conservative about bundle detection and signing. And I have plans to tweak it further.

So I'm going to close this out as fixed.

If you still see issues in the main branch, please reopen or file a new issue.