permasigner / permasigner

🖊 Permanently signs IPAs on jailbroken iDevices (persists on stock).
BSD 3-Clause "New" or "Revised" License
491 stars, 209 forks

Entitlements aren't being correctly merged #33

Closed superrnovae closed 2 years ago

superrnovae commented 2 years ago

Instead of signing everything with the same entitlements, we could dump the original ones using ldid. We would also need to check if the uppercase team id is present in some keys, and if it is, remove it to get stock values.

itsnebulalol commented 2 years ago

We merge the entitlements with the original ones. Dylibs and frameworks can’t be signed with entitlements.

superrnovae commented 2 years ago

I know that. What I meant is that the output YouTube deb is missing some entitlements that it originally had, which makes it impossible for it to stay logged in or open links from other apps.

Here's an example of what I'm talking about, I only included the missing keys, values, and strings that are missing.

<key>com.apple.developer.associated-domains</key>
    <array>
        <string>applinks:www.youtube.com</string>
        <string>applinks:youtu.be</string>
        <string>applinks:youtube.com</string>
        <string>applinks:m.youtube.com</string>
    </array>
<key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
    <true/>
<key>com.apple.developer.networking.multicast</key>
    <true/>
<key>com.apple.developer.networking.wifi-info</key>
    <true/>
<key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.google.YouTube</string>
        <string>group.com.google.common</string>
    </array>
<key>keychain-access-groups</key>
    <array>
        <string>com.google.ios.youtube</string>
        <string>com.google.common.SSO</string>
    </array>

And here are the entitlements from the resulting deb:

<key>keychain-access-groups</key>
    <array>
        <string>com.google.ios.youtube</string>
    </array>
<key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.google.ios.youtube</string>
    </array>

itsnebulalol commented 2 years ago

That’s probably something Sideloadly or AltStore, or whatever you use to sideload, injects. If you use ldid, I’ve passed through the option to merge current entitlements from the binary with our own. I’m going to do some more testing and see how Signulous pulls it off, because I know it fixes the YouTube bug.

superrnovae commented 2 years ago

Well, I got my ipa from appdb. I haven't touched it with either AltStore or Sideloadly.

itsnebulalol commented 2 years ago

It doesn’t seem like ldid is properly merging the entitlements; check entitlements.xml

superrnovae commented 2 years ago

I don't find the code where it merges the entitlements. All I see is the replacement of {APP_BUNDLE} followed by signing of the application.

itsnebulalol commented 2 years ago

./ldid -S{tmpfolder}/entitlements.plist -M -Kdev_certificate.p12 '{full_path}'

-M combined with -S merges the entitlements

superrnovae commented 2 years ago

Oh, I was wrong. Nevermind, I'm just dumb. I forgot my ipa was missing the entitlements in the first place.

superrnovae commented 2 years ago

I just checked with the signed binary this time, and it doesn't seem to merge with the existing ones. Here are the outputs:

Before:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.developer.networking.wifi-info</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>EQHXZ8M8AV.com.google.ios.youtube</string>
        <string>EQHXZ8M8AV.com.google.common.SSO</string>
    </array>
    <key>com.apple.developer.networking.multicast</key>
    <true/>
    <key>application-identifier</key>
    <string>EQHXZ8M8AV.com.google.ios.youtube</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
    <true/>
    <key>com.apple.developer.usernotifications.time-sensitive</key>
    <true/>
    <key>com.apple.developer.associated-domains</key>
    <array>
        <string>applinks:www.youtube.com</string>
        <string>applinks:youtu.be</string>
        <string>applinks:youtube.com</string>
        <string>applinks:m.youtube.com</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.google.YouTube</string>
        <string>group.com.google.common</string>
    </array>
</dict>
</plist>

After:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.iokit-user-client-class</key>
    <array>
        <string>IOUserClient</string>
    </array>
    <key>platform-application</key>
    <true/>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>com.google.ios.youtube</string>
    </array>
    <key>application-identifier</key>
    <string>com.google.ios.youtube</string>
    <key>aps-environment</key>
    <string>production</string>
    <key>com.apple.developer.usernotifications.time-sensitive</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.google.ios.youtube</string>
    </array>
</dict>
</plist>

itsnebulalol commented 2 years ago

Yep, I see, I'll get this checked out by the Procursus team. Also, is this using Procursus ldid?

superrnovae commented 2 years ago

It does, it's v2.1.5-procursus3. Thank you!

itsnebulalol commented 2 years ago

After some testing, entitlements are merged fine for me.

nebula@Apple-Thing ~ % cd /Users/nebula/Downloads/Payload/YouTube.app 
nebula@Apple-Thing YouTube.app % ldid -e YouTube
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.developer.networking.wifi-info</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
                <string>EQHXZ8M8AV.com.google.ios.youtube</string>
                <string>EQHXZ8M8AV.com.google.common.SSO</string>
        </array>
        <key>com.apple.developer.networking.multicast</key>
        <true/>
        <key>application-identifier</key>
        <string>EQHXZ8M8AV.com.google.ios.youtube</string>
        <key>aps-environment</key>
        <string>production</string>
        <key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
        <true/>
        <key>com.apple.developer.usernotifications.time-sensitive</key>
        <true/>
        <key>com.apple.developer.associated-domains</key>
        <array>
                <string>applinks:www.youtube.com</string>
                <string>applinks:youtu.be</string>
                <string>applinks:youtube.com</string>
                <string>applinks:m.youtube.com</string>
        </array>
        <key>com.apple.security.application-groups</key>
        <array>
                <string>group.com.google.YouTube</string>
                <string>group.com.google.common</string>
        </array>
</dict>
</plist>%
nebula@Apple-Thing YouTube.app % cp YouTube Test   
nebula@Apple-Thing YouTube.app % ldid -S/Users/nebula/Code/permasign/entitlements.plist -M -K/Users/nebula/Code/permasign/dev_certificate.p12 Test
nebula@Apple-Thing YouTube.app % ldid -e Test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
        <key>com.apple.developer.networking.wifi-info</key>
        <true/>
        <key>keychain-access-groups</key>
        <array>
                <string>{APP_BUNDLE}</string>
        </array>
        <key>com.apple.developer.networking.multicast</key>
        <true/>
        <key>application-identifier</key>
        <string>{APP_BUNDLE}</string>
        <key>aps-environment</key>
        <string>production</string>
        <key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
        <true/>
        <key>com.apple.developer.usernotifications.time-sensitive</key>
        <true/>
        <key>com.apple.developer.associated-domains</key>
        <array>
                <string>applinks:www.youtube.com</string>
                <string>applinks:youtu.be</string>
                <string>applinks:youtube.com</string>
                <string>applinks:m.youtube.com</string>
        </array>
        <key>com.apple.security.application-groups</key>
        <array>
                <string>group.{APP_BUNDLE}</string>
        </array>
        <key>com.apple.security.iokit-user-client-class</key>
        <array>
                <string>IOUserClient</string>
        </array>
        <key>platform-application</key>
        <true/>
        <key>get-task-allow</key>
        <true/>
</dict>
</plist>
nebula@Apple-Thing YouTube.app %

So this is not a problem with ldid. I'm going to do some more testing with the script and see what the problem is.

superrnovae commented 2 years ago

Seems like it is being merged on macOS, so probably a Linux issue.

Another thing is that the keychain-access-groups key is broken now, and so is the com.apple.security.application-groups key. So YouTube won't stay logged in as a result. It won't be able to persist the credentials.

itsnebulalol commented 2 years ago

I’m using macOS. It might be a better idea to just use -s to keep the original entitlements.

I cannot get uYou+ to run on my device when permasigned, but I know it works for other people.

superrnovae commented 2 years ago

> So this is not a problem with ldid. I'm going to do some more testing with the script and see what the problem is.

It works because you're passing an executable to ldid, and not the app directory like the script does. When the directory is passed it replaces the entitlements, instead of merging them.
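The thread's underlying problem is the difference between replacing an app's entitlements with a template and merging the template into what the binary already carries, plus the team-ID prefix that has to be stripped from the original values (the first comment). The following is an added example, not permasigner's or ldid's own code: it parses an `ldid -e` style dump, fills in `{APP_BUNDLE}`, strips the team-ID prefix, merges, and reports which entitlements a plain replacement would have lost. The sample plist and template are constructed from the shapes shown in this thread; the merge policy (arrays are unioned, the template wins on scalar conflicts) is my assumption, chosen to keep the keychain and app-group entries the reporter found missing, and may differ from what ldid's `-M` does.

```python
"""Merge a signing template with the entitlements dumped from the original
binary, stripping the developer team-ID prefix so values match a stock build.

Added example for this thread, not permasigner's or ldid's own code. The
merge policy (union arrays, template wins on scalars) is an assumption.
"""
import plistlib
import re
from typing import Any

# Constructed sample in the shape of the thread's "Before" dump (ldid -e).
ORIGINAL_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>EQHXZ8M8AV.com.google.ios.youtube</string>
    <key>keychain-access-groups</key>
    <array>
        <string>EQHXZ8M8AV.com.google.ios.youtube</string>
        <string>EQHXZ8M8AV.com.google.common.SSO</string>
    </array>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>group.com.google.YouTube</string>
        <string>group.com.google.common</string>
    </array>
    <key>com.apple.developer.associated-domains</key>
    <array>
        <string>applinks:www.youtube.com</string>
    </array>
    <key>aps-environment</key>
    <string>production</string>
</dict>
</plist>
"""

# Constructed template using the {APP_BUNDLE} placeholder the thread describes.
TEMPLATE: dict[str, Any] = {
    "application-identifier": "{APP_BUNDLE}",
    "keychain-access-groups": ["{APP_BUNDLE}"],
    "com.apple.security.application-groups": ["group.{APP_BUNDLE}"],
    "get-task-allow": True,
}

# Keys whose stock values carry no team-ID prefix; a developer-signed dump
# shows them as "TEAMID1234.<value>", so the prefix has to be stripped.
TEAM_PREFIXED_KEYS = {"application-identifier", "keychain-access-groups"}
TEAM_ID_PREFIX = re.compile(r"^[A-Z0-9]{10}\.")


def strip_team_id(value: str) -> str:
    """Drop a leading ten-character team ID such as 'EQHXZ8M8AV.'."""
    return TEAM_ID_PREFIX.sub("", value, count=1)


def stock_values(original: dict) -> dict:
    """Original entitlements with team-ID prefixes removed where they occur."""
    out: dict[str, Any] = {}
    for key, value in original.items():
        if key in TEAM_PREFIXED_KEYS:
            value = ([strip_team_id(v) for v in value] if isinstance(value, list)
                     else strip_team_id(value))
        out[key] = value
    return out


def substitute_bundle(value: Any, bundle_id: str) -> Any:
    """Replace {APP_BUNDLE} recursively in strings, lists and dicts."""
    if isinstance(value, str):
        return value.replace("{APP_BUNDLE}", bundle_id)
    if isinstance(value, list):
        return [substitute_bundle(v, bundle_id) for v in value]
    if isinstance(value, dict):
        return {k: substitute_bundle(v, bundle_id) for k, v in value.items()}
    return value


def merge_entitlements(template: dict, original: dict, bundle_id: str) -> dict:
    """Filled-in template plus every original entitlement (arrays unioned)."""
    merged = substitute_bundle(template, bundle_id)
    for key, value in stock_values(original).items():
        current = merged.get(key)
        if current is None:
            merged[key] = value  # template does not mention it: keep original
        elif isinstance(current, list) and isinstance(value, list):
            merged[key] = current + [v for v in value if v not in current]
        # scalar present in both: template value is kept (assumed policy)
    return merged


def merge_plist_bytes(template: dict, original_xml: bytes, bundle_id: str) -> bytes:
    """Parse an ldid -e dump, merge, and serialise for ldid -S."""
    return plistlib.dumps(merge_entitlements(template, plistlib.loads(original_xml), bundle_id))


def missing_entitlements(before: dict, after: dict) -> dict:
    """Keys, array entries or changed scalars present before but lost after,
    the comparison the reporter did by hand between the two dumps."""
    lost: dict[str, Any] = {}
    for key, value in before.items():
        if key not in after:
            lost[key] = value
        elif isinstance(value, list) and isinstance(after[key], list):
            dropped = [v for v in value if v not in after[key]]
            if dropped:
                lost[key] = dropped
        elif not isinstance(value, list) and after[key] != value:
            lost[key] = value
    return lost


if __name__ == "__main__":
    bundle = "com.google.ios.youtube"
    stock = stock_values(plistlib.loads(ORIGINAL_PLIST))
    print("lost by replacing:", missing_entitlements(stock, substitute_bundle(TEMPLATE, bundle)))
    print("lost by merging:", missing_entitlements(stock, merge_entitlements(TEMPLATE, stock, bundle)))
    print(merge_plist_bytes(TEMPLATE, ORIGINAL_PLIST, bundle).decode())
```

Running it shows that a straight replacement drops the second keychain group, both original app groups, the associated domains and `aps-environment`, which are exactly the kinds of entries the reporter saw vanish; the merged dictionary loses nothing. Because the merge is done before signing, the resulting plist can be handed to `ldid -S` directly, which sidesteps the directory-versus-executable difference described above.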

superrnovae commented 2 years ago

It was fixed upstream.

itsnebulalol commented 2 years ago

Just waiting on the ldid release I guess? It will also have -P support.

superrnovae commented 2 years ago

> Just waiting on the ldid release I guess? It will also have -P support.

Yup, we won't have to sign dylibs and frameworks on macOS and Linux anymore.

itsnebulalol commented 2 years ago

Yep, do you have a Discord account by the way? If so, what is the tag?

superrnovae commented 2 years ago

> Yep, do you have a Discord account by the way? If so, what is the tag?

I do, it's supernova#2142

itsnebulalol commented 2 years ago

Closing this as ldid procursus5 was released.

itsnebulalol commented 2 years ago

> I do, it's supernova#2142

I’ve sent you a friend request