[tor-bugs] #20254 [Applications/Quality Assurance and Testing]: Update marsigning-check.sh to cope with signed OS X MAR files
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Jan 26 13:15:49 UTC 2017
#20254: Update marsigning-check.sh to cope with signed OS X MAR files
-------------------------------------------------+-------------------------
Reporter: gk | Owner: tbb-
| team
Type: enhancement | Status: new
Priority: Medium | Milestone:
Component: Applications/Quality Assurance and | Version:
Testing |
Severity: Normal | Resolution:
Keywords: tbb-gitian, TorBrowserTeam201701 | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by gk):
Here comes an update on where I am right now. Input is highly appreciated:
To strip the code signature off a macOS binary the following things must
be done:
1) Adjust the number of commands in the header (- `LC_CODE_SIGNATURE`)
2) Adjust the size of the commands in the header (- 16 as this is the size
of `LC_CODE_SIGNATURE`)
3) Remove the `LC_CODE_SIGNATURE` load command
4) Adapt `__LINKEDIT` segment and respective load command
Doing 1)-3) is not overly complicated but adapting the `__LINKEDIT`
segment properly turns out to be tricky. During code signing the signature
is appended to the `__LINKEDIT` segment. When stripping the signature some
approaches just overwrite the signature with 0-bytes. That's not working
for us as we want to restore the original binary to be able to compare the
SHA256 sums. But, unfortunately, removing the signature from the
`__LINKEDIT` segment is not enough to achieve this. That's because the
segemt is padded to be aligned with `0x10` if needed before the signature
gets added. E.g. here is the relevant part of a library's` __LINKEDIT`
segment without the code signature:
{{{
000034a0: 352f2f3a 35343136 00003234 00000000 ://5614542......
000034b0: 00000000 ....
}}}
While it looks like this after code signing:
{{{
000034a0: 352f2f3a 35343136 00003234 00000000 ://5614542......
000034b0: 00000000 00000000 00000000 00000000 ................
}}}
So, the question is: How do we find out how many padding bytes got added
during the code signing (and need now get removed)? A naive approach
looking at the above hexdump output would be: "Leave 16 0-bytes and remove
the remaining ones as padding bytes". But that does not work as there are
binaries where the `__LINKEDIT` segment ends with less than 16 0-Bytes.
Three ways forward come to mind:
a) Align the files to be code-signed to `0x10` (+ adapt the size of the
symbol table accordingly which is usually the last section in the
`__LINKEDIT` segment) before starting the signing process.
We are doing something similar with our .exe installers (see: #15539)
already which is working pretty well. Additionally, as we need to code-
sign the binaries anyway one could argue it's perfectly fine to do the
padding during the build.
b) Find out if there is the amount of 0-bytes at the end of the
`__LINKEDIT` segment follows a pattern we could use to reliably strip the
padding after removing the signature.
c) Record the size (or laste X bytes or) of all OS X binaries we ship
during the build and make that available. The script removing the
signatures could then consult that information when stripping the
signature. This might not work for incremental MAR files as expected. I
have not checked that yet.
Thoughts? Better alternatives? I find a) scary, have no much hope for b)
and dislike c) so far.
General material about code signing on macOS:
https://developer.apple.com/library/content/technotes/tn2206/_index.html
(This document has the following fun Q&A :) ):
{{{
I wrote some data to the Mach-O file before signing. Is that allowed?
No. Do not tamper with Mach-O files, outside of using macOS build tools
and Xcode workflows.
}}}
Material about the Mach-O file format:
https://lowlevelbits.org/parsing-mach-o-files/
https://github.com/aidansteele/osx-abi-macho-file-format-reference
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/20254#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list