Closed superrnovae closed 2 years ago
We merge the entitlements with the original ones. Dylibs and frameworks can’t be signed with entitlements.
I know that. What I meant is that the output youtube deb is missing some entitlements that it originally had. Which makes it impossible for it to stay logged in or open links from other apps.
Here's an example of what I'm talking about; I only included the keys, values, and strings that are missing.
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:www.youtube.com</string>
<string>applinks:youtu.be</string>
<string>applinks:youtube.com</string>
<string>applinks:m.youtube.com</string>
</array>
<key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
<true/>
<key>com.apple.developer.networking.multicast</key>
<true/>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.google.YouTube</string>
<string>group.com.google.common</string>
</array>
<key>keychain-access-groups</key>
<array>
<string>com.google.ios.youtube</string>
<string>com.google.common.SSO</string>
</array>
And here are the entitlements from the resulting deb:
<key>keychain-access-groups</key>
<array>
<string>com.google.ios.youtube</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.google.ios.youtube</string>
</array>
That’s probably something that Sideloadly or AltStore, or whatever you use to sideload, injects. If you use ldid, I’ve passed through the option to merge current entitlements from the binary with our own. I’m going to do some more testing and see how Signulous pulls it off, because I know it fixes the YouTube bug.
Well, I got my ipa from appdb. I haven't touched it with either AltStore or Sideloadly.
It doesn’t seem like ldid is properly merging the entitlements; check entitlements.xml
I can't find the code where it merges the entitlements. All I see is the replacement of {APP_BUNDLE} followed by signing of the application.
./ldid -S{tmpfolder}/entitlements.plist -M -Kdev_certificate.p12 '{full_path}'
-M combined with -S merges the entitlements
Oh, I was wrong. Never mind, I'm just dumb. I forgot my ipa was missing the entitlements in the first place.
I just checked with the signed binary this time, and it doesn't seem to merge with the existing ones. Here are the outputs:
Before:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>EQHXZ8M8AV.com.google.ios.youtube</string>
<string>EQHXZ8M8AV.com.google.common.SSO</string>
</array>
<key>com.apple.developer.networking.multicast</key>
<true/>
<key>application-identifier</key>
<string>EQHXZ8M8AV.com.google.ios.youtube</string>
<key>aps-environment</key>
<string>production</string>
<key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
<true/>
<key>com.apple.developer.usernotifications.time-sensitive</key>
<true/>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:www.youtube.com</string>
<string>applinks:youtu.be</string>
<string>applinks:youtube.com</string>
<string>applinks:m.youtube.com</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.google.YouTube</string>
<string>group.com.google.common</string>
</array>
</dict>
</plist>
After:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.security.iokit-user-client-class</key>
<array>
<string>IOUserClient</string>
</array>
<key>platform-application</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>com.google.ios.youtube</string>
</array>
<key>application-identifier</key>
<string>com.google.ios.youtube</string>
<key>aps-environment</key>
<string>production</string>
<key>com.apple.developer.usernotifications.time-sensitive</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.google.ios.youtube</string>
</array>
</dict>
</plist>
Yep, I see, I'll get this checked out by the Procursus team. Also, is this using Procursus ldid?
It does, it's v2.1.5-procursus3. Thank you!
After some testing, entitlements are merged fine for me.
nebula@Apple-Thing ~ % cd /Users/nebula/Downloads/Payload/YouTube.app
nebula@Apple-Thing YouTube.app % ldid -e YouTube
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>EQHXZ8M8AV.com.google.ios.youtube</string>
<string>EQHXZ8M8AV.com.google.common.SSO</string>
</array>
<key>com.apple.developer.networking.multicast</key>
<true/>
<key>application-identifier</key>
<string>EQHXZ8M8AV.com.google.ios.youtube</string>
<key>aps-environment</key>
<string>production</string>
<key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
<true/>
<key>com.apple.developer.usernotifications.time-sensitive</key>
<true/>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:www.youtube.com</string>
<string>applinks:youtu.be</string>
<string>applinks:youtube.com</string>
<string>applinks:m.youtube.com</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.com.google.YouTube</string>
<string>group.com.google.common</string>
</array>
</dict>
</plist>%
nebula@Apple-Thing YouTube.app % cp YouTube Test
nebula@Apple-Thing YouTube.app % ldid -S/Users/nebula/Code/permasign/entitlements.plist -M -K/Users/nebula/Code/permasign/dev_certificate.p12 Test
nebula@Apple-Thing YouTube.app % ldid -e Test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.networking.wifi-info</key>
<true/>
<key>keychain-access-groups</key>
<array>
<string>{APP_BUNDLE}</string>
</array>
<key>com.apple.developer.networking.multicast</key>
<true/>
<key>application-identifier</key>
<string>{APP_BUNDLE}</string>
<key>aps-environment</key>
<string>production</string>
<key>com.apple.developer.coremedia.allow-alternate-video-decoder-selection</key>
<true/>
<key>com.apple.developer.usernotifications.time-sensitive</key>
<true/>
<key>com.apple.developer.associated-domains</key>
<array>
<string>applinks:www.youtube.com</string>
<string>applinks:youtu.be</string>
<string>applinks:youtube.com</string>
<string>applinks:m.youtube.com</string>
</array>
<key>com.apple.security.application-groups</key>
<array>
<string>group.{APP_BUNDLE}</string>
</array>
<key>com.apple.security.iokit-user-client-class</key>
<array>
<string>IOUserClient</string>
</array>
<key>platform-application</key>
<true/>
<key>get-task-allow</key>
<true/>
</dict>
</plist>
nebula@Apple-Thing YouTube.app %
So this is not a problem with ldid. I'm going to do some more testing with the script and see what the problem is.
Seems like it is being merged on macOS, so probably a Linux issue.
Another thing is that the keychain-access-groups key is broken now, and so is the com.apple.security.application-groups key. So YouTube won't stay logged in as a result. It won't be able to persist the credentials.
I’m using macOS. It might be a better idea to just use -s to keep the original entitlements.
I cannot get uYou+ to run on my device when permasigned, but I know it works for other people.
It works because you're passing an executable to ldid, and not the app directory like the script does. When the directory is passed it replaces the entitlements, instead of merging them.
It was fixed upstream.
Just waiting on the ldid release I guess? It will also have -P support.
Yup, we won't have to sign dylibs and frameworks on macOS and Linux anymore.
Yep, do you have a Discord account by the way? If so, what is the tag?
I do, it's supernova#2142
Closing this as ldid procursus5 was released.
I’ve sent you a friend request
Instead of signing everything with the same entitlements, we could dump the original ones using ldid. We would also need to check if the uppercase team ID is present in some keys, and if it is, remove it to get stock values.
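A check for the regression discussed in this thread, as an added example that is not code from the thread or from the permasign project: it takes two `ldid -e` dumps (before and after signing), strips the team-ID prefix as the last comment suggests, and reports entitlements that were dropped or reduced. The names `strip_team_id` and `lost_entitlements` are hypothetical, the 10-character uppercase alphanumeric team-ID pattern is an assumption, and the sample plists are constructed from values posted above.

```python
import plistlib
import re

# Assumption: a team ID is 10 uppercase alphanumeric characters used as a prefix.
TEAM_PREFIX = re.compile(r"^[A-Z0-9]{10}\.")

def strip_team_id(value):
    """Recursively drop a leading team-ID prefix from string values."""
    if isinstance(value, str):
        return TEAM_PREFIX.sub("", value)
    if isinstance(value, list):
        return [strip_team_id(v) for v in value]
    if isinstance(value, dict):
        return {k: strip_team_id(v) for k, v in value.items()}
    return value

def lost_entitlements(original_xml, signed_xml):
    """Return {key: missing} for entitlements absent or reduced after signing."""
    original = strip_team_id(plistlib.loads(original_xml))
    signed = strip_team_id(plistlib.loads(signed_xml))
    lost = {}
    for key, want in original.items():
        have = signed.get(key)
        if isinstance(want, list):
            present = have if isinstance(have, list) else []
            missing = [v for v in want if v not in present]
            if missing:
                lost[key] = missing
        elif have != want:
            lost[key] = want
    return lost

# Constructed sample input, abbreviated from the "Before"/"After" dumps in the thread.
ORIGINAL = plistlib.dumps({
    "application-identifier": "EQHXZ8M8AV.com.google.ios.youtube",
    "keychain-access-groups": ["EQHXZ8M8AV.com.google.ios.youtube",
                               "EQHXZ8M8AV.com.google.common.SSO"],
    "com.apple.security.application-groups": ["group.com.google.YouTube",
                                              "group.com.google.common"],
    "com.apple.developer.networking.wifi-info": True,
})
SIGNED = plistlib.dumps({
    "application-identifier": "com.google.ios.youtube",
    "keychain-access-groups": ["com.google.ios.youtube"],
    "com.apple.security.application-groups": ["group.com.google.ios.youtube"],
    "get-task-allow": True,
})

if __name__ == "__main__":
    for key, missing in sorted(lost_entitlements(ORIGINAL, SIGNED).items()):
        print(f"lost {key}: {missing}")
```

Entitlements that signing adds, such as `get-task-allow`, are intentionally not reported; only what the original binary had and the signed one lacks.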