ProcursusTeam · CRKatri · Nov 29, 2022 · Nov 26, 2022 · Nov 26, 2022 · Nov 26, 2022
diff --git a/_ldid b/_ldid
@@ -8,7 +8,7 @@ _arguments \
 	'-q[Print requirements]' \
 	'-e[Print entitlements]' \
 	'-M[Merge entitlements]' \
-	'*-C-[Flags]:flags:(adhoc enforcement expires hard host kill library-validation restrict runtime)' \
+	'*-C-[Flags]:flags:(adhoc enforcement expires hard host kill library-validation restrict runtime linker-signed)' \
 	'-H-[Hash type]:hash:(sha1 sha256)' \
 	'-I-[Set identifier]:identifier' \
 	'-K-[Signing private key]:key:_files' \

diff --git a/docs/ldid.1 b/docs/ldid.1
@@ -58,7 +58,7 @@ The list of currently known
 can be found in
 .Xr arch 3 .
 This is a Procursus extension.
-.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime | Ar linker-signed
 Specify the option flags to embed in the code signature.
 See
 .Xr codesign 1
@@ -165,6 +165,14 @@ and mark it as an adhoc signature.
 .Pp
 The command:
 .Pp
+.Dl "ldid -S -Cadhoc,linker-signed file"
+.Pp
+will fakesign
+.Ar file
+with no entitlements, and mark it as adhoc and linker-signed signature.
+.Pp
+The command:
+.Pp
 .Dl "ldid -Sent.xml -M file"
 .Pp
 will add the entitlements in

diff --git a/docs/ldid.zh_CN.1 b/docs/ldid.zh_CN.1
@@ -12,7 +12,7 @@
 .Nm
 .Op Fl A Ns Ar 处理器类型 : Ns Ar 亚类型
 .Op Fl a
-.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime | Ar linker-signed
 .Op Fl D
 .Op Fl d
 .Op Fl E Ns Ar 数字 : Ns Ar 档案
@@ -176,6 +176,14 @@
 .Pp
 指令：
 .Pp
+.Dl "ldid -S -Cadhoc,linker-signed 档案"
+.Pp
+会伪签署
+.Ar 档案
+而且不嵌入任何权限, 同时会把签署标示为特别用途 (adhoc,linker-signed) 签署。
+.Pp
+指令：
+.Pp
 .Dl "ldid -S权限.xml -M 档案"
 .Pp
 会把

diff --git a/docs/ldid.zh_TW.1 b/docs/ldid.zh_TW.1
@@ -68,7 +68,7 @@
 .Xr arch 3
 中找到。
 這是一個Procursus擴展。
-.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
+.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime | Ar linker-signed
 設定要在檔案中包含的程式碼簽署選項。
 請看
 .Xr codesign 1
@@ -176,6 +176,14 @@
 .Pp
 指令：
 .Pp
+.Dl "ldid -S -Cadhoc,linker-signed 檔案"
+.Pp
+會偽簽署
+.Ar 檔案
+而且不嵌入任何權限, 同时会把簽署標示為特別用途 (adhoc,linker-signed) 簽署。
+.Pp
+指令：
+.Pp
 .Dl "ldid -S權限.xml -M 檔案"
 .Pp
 會把

diff --git a/ldid.cpp b/ldid.cpp
@@ -1085,6 +1085,7 @@ enum CodeSignatureFlags {
     kSecCodeSignatureEnforcement = 0x1000,
     kSecCodeSignatureLibraryValidation = 0x2000,
     kSecCodeSignatureRuntime = 0x10000,
+    kSecCodeSignatureLinkerSigned = 0x20000,
 };
 
 enum Kind : uint32_t {
@@ -3285,7 +3286,7 @@ std::string Hex(const uint8_t *data, size_t size) {
 static void usage(const char *argv0) {
     fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION);
     fprintf(stderr, "Usage: %s [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard |\n", argv0);
-    fprintf(stderr, "            host | kill | library-validation | restrict | runtime]] [-D] [-d]\n");
+    fprintf(stderr, "            host | kill | library-validation | restrict | runtime | linker-signed]] [-D] [-d]\n");
     fprintf(stderr, "            [-Enum:file] [-e] [-H[sha1 | sha256]] [-h] [-Iname]\n");
     fprintf(stderr, "            [-Kkey.p12 [-Upassword]] [-M] [-P[num]] [-Qrequirements.xml] [-q]\n");
     fprintf(stderr, "            [-r | -Sfile.xml | -s] [-u] [-arch arch_type] file ...\n");
@@ -3478,27 +3479,33 @@ int main(int argc, char *argv[]) {
 
             case 'C': {
                 const char *name = argv[argi] + 2;
-                if (strcmp(name, "host") == 0)
-                    flags |= kSecCodeSignatureHost;
-                else if (strcmp(name, "adhoc") == 0)
-                    flags |= kSecCodeSignatureAdhoc;
-                else if (strcmp(name, "hard") == 0)
-                    flags |= kSecCodeSignatureForceHard;
-                else if (strcmp(name, "kill") == 0)
-                    flags |= kSecCodeSignatureForceKill;
-                else if (strcmp(name, "expires") == 0)
-                    flags |= kSecCodeSignatureForceExpiration;
-                else if (strcmp(name, "restrict") == 0)
-                    flags |= kSecCodeSignatureRestrict;
-                else if (strcmp(name, "enforcement") == 0)
-                    flags |= kSecCodeSignatureEnforcement;
-                else if (strcmp(name, "library-validation") == 0)
-                    flags |= kSecCodeSignatureLibraryValidation;
-                else if (strcmp(name, "runtime") == 0)
-                    flags |= kSecCodeSignatureRuntime;
-                else {
-                    fprintf(stderr, "ldid: -C: Unsupported option\n");
-                    exit(1);
+                std::istringstream signtypess(name);
+                std::string signtype;
+                while (std::getline(signtypess, signtype, ',')) {
+                    if (signtype == "host")
+                        flags |= kSecCodeSignatureHost;
+                    else if (signtype == "adhoc")
+                        flags |= kSecCodeSignatureAdhoc;
+                    else if (signtype == "hard")
+                        flags |= kSecCodeSignatureForceHard;
+                    else if (signtype == "kill")
+                        flags |= kSecCodeSignatureForceKill;
+                    else if (signtype == "expires")
+                        flags |= kSecCodeSignatureForceExpiration;
+                    else if (signtype == "restrict")
+                        flags |= kSecCodeSignatureRestrict;
+                    else if (signtype == "enforcement")
+                        flags |= kSecCodeSignatureEnforcement;
+                    else if (signtype == "library-validation")
+                        flags |= kSecCodeSignatureLibraryValidation;
+                    else if (signtype == "runtime")
+                        flags |= kSecCodeSignatureRuntime;
+                    else if (signtype == "linker-signed")
+                        flags |= kSecCodeSignatureLinkerSigned;
+                    else {
+                        fprintf(stderr, "ldid: -C: Unsupported option\n");
+                        exit(1);
+                    }
                 }
             } break;
 
@@ -3770,6 +3777,8 @@ int main(int argc, char *argv[]) {
                     names += ",library-validation";
                 if (flags & kSecCodeSignatureRuntime)
                     names += ",runtime";
+                if (flags & kSecCodeSignatureLinkerSigned)
+                    names += ",linker-signed";
 
                 printf("CodeDirectory v=%x size=%zd flags=0x%x(%s) hashes=%d+%d location=embedded\n",
                     Swap(directory->version), best->second.size_, flags, names.empty() ? "none" : names.c_str() + 1, Swap(directory->nCodeSlots), Swap(directory->nSpecialSlots));