From 819d9ce84ce8365b9fa262bb800bd258e54aec79 Mon Sep 17 00:00:00 2001 From: pancake Date: Wed, 10 Aug 2022 02:18:07 +0200 Subject: [PATCH 1/2] Implement experimental `--codesign-tool=rcodesign` --- index.js | 2 +- lib/config.js | 3 +++ lib/tools.js | 31 ++++++++++++++++++++++++++++--- 3 files changed, 32 insertions(+), 4 deletions(-) diff --git a/index.js b/index.js index 0b182c3..de71327 100644 --- a/index.js +++ b/index.js @@ -565,7 +565,7 @@ class Applesign { res = await tools.pseudoSign(entitlements, file); } else { const keychain = getKeychain(); - res = await tools.codesign(identity, entitlements, keychain, file); + res = await tools.codesign(identity, entitlements, keychain, file, this.config.codeSign); if (res.code !== 0 && codesignHasFailed(config, res.code, res.stderr)) { return this.emit('end', res.stderr); } diff --git a/lib/config.js b/lib/config.js index 00d92c0..7ca0dab 100644 --- a/lib/config.js +++ b/lib/config.js @@ -60,6 +60,7 @@ const helpMessage = `Usage: -k, --keychain [KEYCHAIN] Specify custom keychain file -K, --add-access-group [NAME] Add $(TeamIdentifier).NAME to keychain-access-groups -L, --identities List local codesign identities + --codesign-tool=rcodesign Use rcodesign instead of codesign (EXPERIMENTAL) -m, --mobileprovision [FILE] Specify the mobileprovision file to use -s, --single Sign a single file instead of an IPA -S, --self-sign-provision Self-sign mobile provisioning (EXPERIMENTAL) @@ -178,6 +179,7 @@ const fromOptions = function (opt) { outfile: opt.outfile, parallel: opt.parallel || false, pseudoSign: opt.pseudoSign || false, + codeSign: opt.codeSign || '', replaceipa: opt.replaceipa || false, run: opt.run, selfSignedProvision: opt.selfSignedProvision || false, 
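Review bot: The rcodesign result is still passed through `codesignHasFailed(config, res.code, res.stderr)` on the line after the changed call, and that helper — visible here only by name — presumably interprets Apple `codesign` exit codes and stderr text, so an rcodesign failure may be classified differently from a codesign one. Either route around the check for the new tool (`if (res.code !== 0 && (this.config.codeSign === 'rcodesign' || codesignHasFailed(config, res.code, res.stderr)))`) or teach the helper rcodesign's output. The line also mixes `this.config.codeSign` with the local `config` used on the next line; if they are the same object, one spelling is enough. The enclosing method starts and ends outside the hunk.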
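Review bot: `codeSign: opt.codeSign || ''` sits between `pseudoSign: opt.pseudoSign || false` and `replaceipa: opt.replaceipa || false`, where every neighbour is a boolean, but this value is a tool-name string that lib/tools.js compares with `'rcodesign'`; a name such as `codesignTool` would read as what it is and match the CLI flag `--codesign-tool`. Renaming means touching the index.js call site in the same commit, so failing that, a comment on this line — `// signing tool: '' (Apple codesign, default) or 'rcodesign'` — would stop it being read as a flag. `fromOptions` continues outside the hunk.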
@@ -269,6 +271,7 @@ function compile (conf) { outfile: (conf.output || conf.o) ? path.resolve(conf.output || conf.o) : '', parallel: conf.parallel || conf.P, pseudoSign: conf.Z || conf['pseudo-sign'], + codeSign: conf['codesign-tool'], replaceipa: conf.replace || conf.r, run: conf.R || conf.run, selfSignedProvision: conf.S || conf['self-signed-provision'], diff --git a/lib/tools.js b/lib/tools.js index bd6a29d..c31b11d 100644 --- a/lib/tools.js +++ b/lib/tools.js @@ -108,12 +108,37 @@ async function ideviceprovision (action, optarg) { } } -async function codesign (identity, entitlement, keychain, file) { - /* use the --no-strict to avoid the "resource envelope is obsolete" error */ - const args = ['--no-strict']; // http://stackoverflow.com/a/26204757 +async function codesign (identity, entitlement, keychain, file, tool) { if (identity === undefined) { throw new Error('--identity is required to sign'); } + if (tool === 'rcodesign') { + console.error('WARNING: Signing with the experimental rcodesign tool'); + const args = []; + args.push('sign'); // action + /* + if (typeof entitlement === 'string' && entitlement !== '') { + args.push('-e'); + args.push(entitlement); + } + args.push('--binary-identifier'); + args.push(identity); +*/ + if (typeof keychain === 'string') { + args.push('--keychain-fingerprint'); + args.push(keychain); + } + args.push(file); // input + args.push(file + '.signed'); // output + const a = await execProgram('rcodesign', args, null); + if (a.code === 0) { + await execProgram('rm', ['-rf', file], null); + await execProgram('mv', [file + '.signed', file], null); + } + return a; + } + /* use the --no-strict to avoid the "resource envelope is obsolete" error */ + const args = ['--no-strict']; // http://stackoverflow.com/a/26204757 args.push('-fs', identity); // args.push('-v'); // args.push('--deep'); From a453b44e400e0292eaac4a7d085911d48c56f8cf Mon Sep 17 00:00:00 2001 
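Review bot: `codeSign: conf['codesign-tool']` accepts any string and nothing rejects it, while lib/tools.js only acts on the exact value `'rcodesign'`, so a typo such as `--codesign-tool=rcodesing` silently falls back to Apple codesign; it also yields `undefined` here but `''` in `fromOptions`, so the two construction paths disagree on the default. Normalize and validate at this point: `codeSign: conf['codesign-tool'] || '',` and, wherever `compile` already validates other options (its body is outside the hunk), `if (!['', 'codesign', 'rcodesign'].includes(codeSign)) throw new Error('--codesign-tool must be codesign or rcodesign');`.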
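Review bot: In the new rcodesign branch the identity and entitlements never reach the tool — the `-e`/`--binary-identifier` lines are inside the `/* … */` block — so the `--identity is required` check is satisfied but the signature is produced with whatever rcodesign defaults to (presumably ad-hoc), and the caller is not told that its `-i` and entitlements were ignored. Until that is wired up, failing loudly (`throw new Error('rcodesign: identity and entitlements are not supported yet');`) is safer than returning exit code 0 for an artifact that was not signed as requested. `--keychain-fingerprint` is also handed `keychain`, which per the `-k, --keychain [KEYCHAIN] Specify custom keychain file` help text in lib/config.js is a keychain file path, not a certificate fingerprint. Finally, `rm -rf file` followed by `mv` deletes the input before the signed output is confirmed in place and neither exit code is checked; parking the original under a new name until the swap succeeds keeps it recoverable. `codesign` continues past the end of the hunk.
```javascript
const a = await execProgram('rcodesign', args, null);
if (a.code === 0) {
  // keep the unsigned input until the signed output has replaced it
  const unsigned = file + '.unsigned';
  const park = await execProgram('mv', [file, unsigned], null);
  if (park.code !== 0) return park;
  const swap = await execProgram('mv', [file + '.signed', file], null);
  if (swap.code !== 0) {
    await execProgram('mv', [unsigned, file], null); // restore the input
    return swap;
  }
  await execProgram('rm', ['-rf', unsigned], null);
}
return a;
```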
From: pancake Date: Fri, 2 Sep 2022 16:27:29 +0200 Subject: [PATCH 2/2] Some more experimental changes --- lib/tools.js | 35 +++++++++++++++++++++++++++++++++-- 1 file changed, 33 insertions(+), 2 deletions(-) diff --git a/lib/tools.js b/lib/tools.js index c31b11d..61a5c7c 100644 --- a/lib/tools.js +++ b/lib/tools.js @@ -116,6 +116,29 @@ async function codesign (identity, entitlement, keychain, file, tool) { console.error('WARNING: Signing with the experimental rcodesign tool'); const args = []; args.push('sign'); // action + + args.push('-v'); + args.push('--pem-source'); // action + const pemFile = '/Users/pancake/iphone.pem'; + args.push(pemFile); + + args.push('--code-resources-path'); + args.push('/tmp/csreq.bin'); + // rcodesign bug makes this flag to not sign the binary at all + args.push('--extra-digest'); + args.push('sha256'); + args.push('--extra-digest'); + args.push('sha384'); + // args.push('--binary-identifier'); + // args.push('com.tacobellspain.app'); +/* + args.push('--code-signature-flags'); + args.push('runtime'); +*/ + // --p12-file developer-id.p12 + // --p12-password-file ~/.certificate-password + // --code-signature-flags runtime + // path/to/executable /* if (typeof entitlement === 'string' && entitlement !== '') { args.push('-e'); 
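Review bot: `--pem-source` is hard-wired to `/Users/pancake/iphone.pem` and `--code-resources-path` to `/tmp/csreq.bin`, so the branch only works on one machine, and the second path lives in a world-writable directory where any local user can pre-create or replace a file that, going by the flag name, is an input to the signature. Both should come from configuration and be rejected when absent, e.g. `const pemFile = process.env.APPLESIGN_RCODESIGN_PEM; if (!pemFile) throw new Error('rcodesign: set APPLESIGN_RCODESIGN_PEM to the signing key');`, with the code-resources file placed in a per-run temporary directory rather than a fixed `/tmp` name. The comment `// rcodesign bug makes this flag to not sign the binary at all` does not say which flag it means; naming it (`--code-resources-path` or `--extra-digest`) and citing the upstream issue would stop the next reader guessing. `codesign` starts and ends outside this hunk.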
@@ -123,19 +146,21 @@ async function codesign (identity, entitlement, keychain, file, tool) { } args.push('--binary-identifier'); args.push(identity); -*/ if (typeof keychain === 'string') { args.push('--keychain-fingerprint'); args.push(keychain); } +*/ args.push(file); // input args.push(file + '.signed'); // output + console.error('rcodesign ' + args.join(' ')); const a = await execProgram('rcodesign', args, null); if (a.code === 0) { await execProgram('rm', ['-rf', file], null); await execProgram('mv', [file + '.signed', file], null); } - return a; + console.log(a.stderr); + return execProgram('cp', [file, '/tmp/newsigned'], null); } /* use the --no-strict to avoid the "resource envelope is obsolete" error */ const args = ['--no-strict']; // http://stackoverflow.com/a/26204757 @@ -165,6 +190,12 @@ async function pseudoSign (entitlement, file) { } async function verifyCodesign (file, keychain, cb) { + /* + if (tool === 'rcodesign') { + const args = ['verify', file]; + return execProgram(getTool('rcodesign'), args, null, cb); + } + */ const args = ['-v', '--no-strict']; if (typeof keychain === 'string') { args.push('--keychain=' + keychain);
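Review bot: The branch no longer returns the rcodesign result: `return execProgram('cp', [file, '/tmp/newsigned'], null)` hands the caller the exit status of `cp`, so the `res.code !== 0` check in index.js now reflects whether the debug copy succeeded rather than whether signing did, and a signing failure (which the `if (a.code === 0)` guard above already skips the rename for) is reported as success. Restore `return a;` and drop the copy, or keep it behind an explicit debug flag — `/tmp/newsigned` is a fixed path in a world-writable directory, and if `file` can be a bundle directory, as the `rm -rf` suggests, `cp` without `-r` fails on it anyway. The two prints, `console.error('rcodesign ' + args.join(' '))` (which echoes the `--pem-source` path added earlier in this patch) and `console.log(a.stderr)`, look like leftovers as well. `codesign` continues outside the hunk.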
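Review bot: The commented-out block in `verifyCodesign` tests `tool`, but the signature in the hunk context is `(file, keychain, cb)` and no `tool` is in scope, so enabling it as written would throw a ReferenceError; add the parameter first (`async function verifyCodesign (file, keychain, cb, tool) {`) or drop the block until it is needed. It also resolves the binary through `getTool('rcodesign')` while the signing path calls `execProgram('rcodesign', …)` directly — pick one. Leaving verification on Apple `codesign -v` for rcodesign-signed output is arguably the right default, since it is an independent verifier, and a comment saying that is intentional would keep someone from "fixing" it. `verifyCodesign` continues past the hunk.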