indygreg / apple-platform-rs

Rust crates supporting Apple platform development

Decode DER entitlements when present in `print-signature-info` #75

Closed melvyn2 closed 11 months ago

melvyn2 commented 1 year ago

Showing the decoded DER entitlements of a file alongside the provided plist entitlements would be a useful addition. These two can be out of sync, and being able to spot differences could be useful. Here's an example of a difference:

```
$ codesign -dvvv --entitlements - targets/lldb
Executable=/.../targets/lldb
Identifier=com.apple.dt.xcode_select.tool-shim
Format=Mach-O universal (x86_64 arm64e)
CodeDirectory v=20400 size=764 flags=0x2(adhoc) hashes=13+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=078a43a515ffaf9aaeb3ce71a9404b8b5be47f5b
CandidateCDHashFull sha256=078a43a515ffaf9aaeb3ce71a9404b8b5be47f5b7ee4d11d2b439e7e38483aa8
Hash choices=sha256
CMSDigest=078a43a515ffaf9aaeb3ce71a9404b8b5be47f5b7ee4d11d2b439e7e38483aa8
CMSDigestType=2
CDHash=078a43a515ffaf9aaeb3ce71a9404b8b5be47f5b
Signature=adhoc
Info.plist entries=17
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12
[Dict]
    [Key] com.apple.application-identifier
    [Value]
        [String] pub.dnsense.dndb
$ rcodesign print-signature-info targets/lldb
- path: targets/lldb
  file_size: 167872
  file_sha256: 44ff3ac1d725da8fb4a4d636f53c7410c0f47efa58638af5fd0dd4a03ca03286
  sub_path: macho-index:0
  entity: !mach_o
    linkedit_segment_file_start_offset: 49152
    linkedit_segment_file_end_offset: 69600
    signature_file_start_offset: 50112
    signature_file_end_offset: 69600
    signature_linkedit_start_offset: 960
    signature_linkedit_end_offset: 20448
    signature:
      superblob_length: 1479
      blob_count: 5
      blobs:
      - slot: CodeDirectory (0)
        magic: fade0c02
        length: 764
        sha1: c72d94dfc0790487a2cba096d938375b2f791730
        sha256: 078a43a515ffaf9aaeb3ce71a9404b8b5be47f5b7ee4d11d2b439e7e38483aa8
      - slot: RequirementSet (2)
        magic: fade0c01
        length: 12
        sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
        sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
      - slot: Entitlements (5)
        magic: fade7171
        length: 339
        sha1: 1261d58ab7544bb7222860ff29decb0ebb3f912f
        sha256: 393df896102e7b0945931ea12f289b541ee99f295f346174c6280743ca807e04
      - slot: DER Entitlements (7)
        magic: fade7172
        length: 304
        sha1: 9d1fb61aa63014940758b483fcbc3f12879e0f00
        sha256: 751f3fda3111339bd0995b3c759239d6923d055a23c35c03e668091e27e405fc
      - slot: CMS Signature (65536)
        magic: fade0b01
        length: 8
        sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
        sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
      code_directory:
        version: '0x20400'
        flags: CodeSignatureFlags(ADHOC)
        identifier: com.apple.dt.xcode_select.tool-shim
        digest_type: sha256
        platform: 0
        signed_entity_size: 50112
        executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
        code_digests_count: 13
        slot_digests:
        - 'Info (1): 5860b12c1dd0ac1128f65e50c2429fcb7957f074bd25f0ae769c8cfa11651fe8'
        - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        - 'Resources (3): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'Application (4): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'Entitlements (5): 393df896102e7b0945931ea12f289b541ee99f295f346174c6280743ca807e04'
        - 'Rep Specific (6): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'DER Entitlements (7): 751f3fda3111339bd0995b3c759239d6923d055a23c35c03e668091e27e405fc'
      entitlements_plist: |
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>com.apple.security.get-task-allow</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
        </dict>
        </plist>
      cms: null
- path: targets/lldb
  file_size: 167872
  file_sha256: 44ff3ac1d725da8fb4a4d636f53c7410c0f47efa58638af5fd0dd4a03ca03286
  sub_path: macho-index:1
  entity: !mach_o
    linkedit_segment_file_start_offset: 49152
    linkedit_segment_file_end_offset: 69568
    signature_file_start_offset: 50080
    signature_file_end_offset: 69568
    signature_linkedit_start_offset: 928
    signature_linkedit_end_offset: 20416
    signature:
      superblob_length: 1479
      blob_count: 5
      blobs:
      - slot: CodeDirectory (0)
        magic: fade0c02
        length: 764
        sha1: d8ce6258090a023205402ec5168f5157cbcd64cb
        sha256: 63b4ba56b0f066779c4ec6d8beb2548ddc13f62b13a9709e8058b806393ffb23
      - slot: RequirementSet (2)
        magic: fade0c01
        length: 12
        sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
        sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
      - slot: Entitlements (5)
        magic: fade7171
        length: 339
        sha1: 1261d58ab7544bb7222860ff29decb0ebb3f912f
        sha256: 393df896102e7b0945931ea12f289b541ee99f295f346174c6280743ca807e04
      - slot: DER Entitlements (7)
        magic: fade7172
        length: 304
        sha1: 9d1fb61aa63014940758b483fcbc3f12879e0f00
        sha256: 751f3fda3111339bd0995b3c759239d6923d055a23c35c03e668091e27e405fc
      - slot: CMS Signature (65536)
        magic: fade0b01
        length: 8
        sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
        sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
      code_directory:
        version: '0x20400'
        flags: CodeSignatureFlags(ADHOC)
        identifier: com.apple.dt.xcode_select.tool-shim
        digest_type: sha256
        platform: 0
        signed_entity_size: 50080
        executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
        code_digests_count: 13
        slot_digests:
        - 'Info (1): 5860b12c1dd0ac1128f65e50c2429fcb7957f074bd25f0ae769c8cfa11651fe8'
        - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
        - 'Resources (3): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'Application (4): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'Entitlements (5): 393df896102e7b0945931ea12f289b541ee99f295f346174c6280743ca807e04'
        - 'Rep Specific (6): 0000000000000000000000000000000000000000000000000000000000000000'
        - 'DER Entitlements (7): 751f3fda3111339bd0995b3c759239d6923d055a23c35c03e668091e27e405fc'
      entitlements_plist: |
        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
        <plist version="1.0">
        <dict>
            <key>com.apple.security.get-task-allow</key>
            <true/>
            <key>com.apple.security.cs.allow-dyld-environment-variables</key>
            <true/>
        </dict>
        </plist>
      cms: null
```
indygreg commented 12 months ago

I agree this would be a nice feature. Unfortunately, we don't yet have a DER decoder for the entitlements, only an encoder. However, I would support adding this code. It might even be possible to use the rasn crate to auto derive the (de)serialization code.

indygreg commented 11 months ago

This is now in the main branch.