MACOS/IPHONE: Sign whole bundle #2763

Open: 1 commit to be merged into base: master

lephilousophe (Member) commented Feb 8, 2021

Add signing to MacOS for arm64 builds
This has not been tested, but it adds a CodeResources file, which seems to indicate the whole bundle will be signed.

This does the same thing for iPhone even though I suppose jailbroken devices are less sensitive to the missing signature on all binaries.

lephilousophe requested a review from criezy Feb 8, 2021

dists/ios7/Info.plist.in (outdated)

@@ -182,6 +182,7 @@ ifdef USE_DOCKTILEPLUGIN
mkdir -p $(bundle_name)/Contents/PlugIns
cp -r scummvm.docktileplugin $(bundle_name)/Contents/PlugIns/
endif
ldid -S $(bundle_name)/Contents
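
Review bot: the `ldid -S $(bundle_name)/Contents` line sits after the `endif`, so it runs on every bundle build, and nothing in the hunk checks that `ldid` is installed; a host without the tool will fail the target at this step. Consider guarding the call behind a check or a variable naming the signing tool, so that a host without `ldid` can skip the step or substitute its own signer. A short comment would also help, stating what the step is expected to produce and why it targets `Contents` rather than the bundle root `$(bundle_name)`, given that the PR title says the whole bundle is signed.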

criezy (Member) commented Feb 8, 2021

What is ldid? There is no such command on macOS.
I see it was already present for the iOS bundle in ports.mk, but as I never compiled the iOS bundle on the command line (I always use Xcode), I never noticed. But adding it to the macOS bundle target will break command line compilation for all those compiling ScummVM on the command line on macOS (including myself). I don't think this is a good idea.

Since the PR title says sign whole bundle, I assume this is related to signing? The command line utility on macOS to sign applications is called codesign.

But I am not sure signing (and notarization, which may also be needed) are possible on Linux. This may be relevant: tpoechtrager/osxcross#198

lephilousophe (Author, Member) commented Feb 10, 2021

I am really a noob with all of this and I am not sure about what is really done by these tools.

I don't know if the ios7 part modifications are needed or good. I don't even know if the packages produced by buildbot can run on an iPhone (jailbroken or not).
According to what I read, it seems that when a bundle is distributed on Mac, it should be signed as a whole. Up to now, only the binary was signed (either by cctools-port which calls ldid or explicitly by calling ldid directly).
The commit directs ldid to the folder containing the whole bundle to have a "manifest" generated and its signature bundled in the main binary (if I understood correctly).

ldid is a tool to edit entitlements(?) in Mac binaries. It also generates the hashes to sign binaries and can fake(?) sign binaries.
It seems to be used by the jailbreak community and it's the only tool available on Linux to do so. codesign isn't open sourced by Apple and nobody created a mock.
I found another tool called zsign while googling but never found a clear explanation about what it does more than ldid.
As ldid was already used in the Makefile, I thought it was OK. The only change here is to sign the whole directory instead of just the binary.
About that, the Info.plist needs to be changed because ldid doesn't handle the ${EXECUTABLE_NAME} variable and needs the real file name.
It's already like that in dists/iphone/Info.plist but I don't know why.
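
An added example (not part of this PR or of the ScummVM code base) for the point discussed above about a CodeResources manifest covering the whole bundle: it lists which files under `Contents` the manifest hashes, which ones no longer match, and which ones it does not cover. It assumes the manifest is at `Contents/_CodeSignature/CodeResources` and that its `files2` entries carry a SHA-256 `hash2` value; the function names and the sample bundle are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def audit_code_resources(contents_dir):
    """Check files under Contents/ against the files2 table of CodeResources.

    Returns (mismatched, unlisted): files whose SHA-256 differs from the
    recorded hash2, and regular files with no hash2 entry. The second list is
    for review, not failure: the main executable carries the signature itself
    and is not expected in the table. Assumes files2 entries hold 'hash2'.
    """
    contents = Path(contents_dir)
    with (contents / "_CodeSignature" / "CodeResources").open("rb") as fh:
        files2 = plistlib.load(fh).get("files2", {})
    mismatched, unlisted = [], []
    for path in sorted(contents.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(contents).as_posix()
        if rel.startswith("_CodeSignature/"):
            continue  # the manifest does not list itself
        entry = files2.get(rel)
        if not isinstance(entry, dict) or "hash2" not in entry:
            unlisted.append(rel)
        elif entry["hash2"] != hashlib.sha256(path.read_bytes()).digest():
            mismatched.append(rel)
    return mismatched, unlisted


def build_sample_bundle(root):
    """Constructed sample: a tiny fake bundle with a hand-made manifest."""
    contents = Path(root) / "Sample.app" / "Contents"
    files = {"MacOS/scummvm": b"binary", "Resources/a.dat": b"aaa",
             "Resources/b.dat": b"bbb", "Resources/late.dat": b"added later"}
    for rel, data in files.items():
        (contents / rel).parent.mkdir(parents=True, exist_ok=True)
        (contents / rel).write_bytes(data)
    listed = {rel: {"hash2": hashlib.sha256(files[rel]).digest()}
              for rel in ("Resources/a.dat", "Resources/b.dat")}
    (contents / "_CodeSignature").mkdir()
    with (contents / "_CodeSignature" / "CodeResources").open("wb") as fh:
        plistlib.dump({"files2": listed}, fh)
    # Change one listed file after the manifest was written.
    (contents / "Resources/b.dat").write_bytes(b"modified after signing")
    return contents


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_code_resources(build_sample_bundle(tmp)))
```
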

Add signing to MacOS for arm64 builds
lephilousophe force-pushed the lephilousophe:sign-macosx branch from d376eea to 40f61ae Feb 10, 2021