Reconsider Xcode re-signing instruction.
r-plus opened this issue · 3 comments
The current Xcode re-signing step is for disabling the "Library Validation" feature present since Xcode 8.
This is the codesign information for the original Xcode and the re-signed Xcode.
original 12.4

```
Executable=/Applications/Xcode_12.4.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89179fda01d07ba9862d293b896020a0b3516de6
CandidateCDHashFull sha256=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
Hash choices=sha256
CMSDigest=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
CMSDigestType=2
CDHash=89179fda01d07ba9862d293b896020a0b3516de6
Signature size=4547
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=44
TeamIdentifier=59GAB85EFG
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=68
```
re-signed 12.4

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=4d8e4e0d729d83a8afe1da4155560c764b23a821
CandidateCDHashFull sha256=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
Hash choices=sha256
CMSDigest=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
CMSDigestType=2
CDHash=4d8e4e0d729d83a8afe1da4155560c764b23a821
Signature size=1604
Authority=XcodeSigner
Signed Time=Apr 20, 2021 10:04:14
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=96
```
original old versions

7.3.1 has `0x0(none)` flags

```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```
CodeDirectory flags changed to `0x0(none)` from `flags=0x2000(library-validation)`, and TeamIdentifier will be `not set`.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent.
Both Xcodes (re-signed and removed) no longer prevent malicious plugins like XcodeGhost, thus removing the codesign signature is the same risk.
Removing the codesign signature from Xcode is simple, faster, and has no expiry period.

NOTE: this does not resolve sign-in to Apple ID via Xcode on Big Sur.

Tested on Intel Mac.
TBD for M1 Mac.
| xcode | env | load system | x64 | arm64 |
|---|---|---|---|---|
| re-signed | any | Xcode Plugin | ✅ | ✅ |
| remove codesign (don't use! this causes a `tccd` problem) | any | Xcode Plugin | ✅ | TBD |
| original | disable library-validation | Xcode Plugin | TBD | TBD |
| | disable library-validation and SIP | Xcode Plugin | ✅ | TBD |
| | | SIMBL | ✅ | MacForge 1.1.0 does not yet support M1 |
Hmm, is re-signing for `tccd` process performance...?
In my use case, I could not run the app on the iOS simulator.

I learned why unsigning is not good.
Something gets stuck via a `tccd` process issue. inket/update_xcode_plugins#51
The `$ sudo codesign -f -s - /Applications/Xcode.app` command will codesign as adhoc.
```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b869b3d9079c8b2ceb427f94a0eb2660470f4073
CandidateCDHashFull sha256=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
Hash choices=sha256
CMSDigest=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
CMSDigestType=2
CDHash=b869b3d9079c8b2ceb427f94a0eb2660470f4073
Signature=adhoc
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=477681
Internal requirements count=0 size=12
```
If this way does not have any problems, we can skip creating the self-signed cert (XcodeSigner) for the re-codesign step.
I'll test it for a few days...
NOTE: yes, this will not resolve the login to Apple ID via Xcode issue on Big Sur.

Adhoc re-codesigning is no problem in my daily use case.
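
For anyone auditing developer machines for the states compared in this thread, the following is an added example (not part of the thread or of the project's code) that parses `codesign -dvvv` text and reports when library validation is off, the signature is adhoc, or the chain no longer ends at Apple. The function names are hypothetical and the sample inputs are constructed, abridged from the outputs quoted above.

```python
import re

# Flag bits exactly as codesign prints them in the thread.
ADHOC = 0x2
LIBRARY_VALIDATION = 0x2000

def parse_codesign(text):
    """Parse `codesign -dvvv` text (codesign writes it to stderr)."""
    info = {"flags": 0, "authorities": [], "team": None}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if line.startswith("CodeDirectory "):
            m = re.search(r"\bflags=0x([0-9a-fA-F]+)", line)
            if m:
                info["flags"] = int(m.group(1), 16)
        elif key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier" and value != "not set":
            info["team"] = value
    return info

def audit(text):
    """Return findings that mark a bundle as re-signed or weakened."""
    info, findings = parse_codesign(text), []
    if not info["flags"] & LIBRARY_VALIDATION:
        findings.append("library-validation disabled")
    if info["flags"] & ADHOC:
        findings.append("adhoc signature")
    elif info["authorities"][-1:] != ["Apple Root CA"]:
        findings.append("chain does not end at Apple Root CA")
    if info["team"] is None:
        findings.append("TeamIdentifier not set")
    return findings

# Constructed samples: abridged from the three outputs quoted in the thread.
ORIGINAL = """CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=59GAB85EFG"""
RESIGNED = """CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Authority=XcodeSigner
TeamIdentifier=not set"""
ADHOC_SIGNED = """CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Signature=adhoc
TeamIdentifier=not set"""

if __name__ == "__main__":
    for name, sample in [("original", ORIGINAL), ("re-signed", RESIGNED), ("adhoc", ADHOC_SIGNED)]:
        print(name, audit(sample) or "ok")
```

The `Authority` lines are certificate display names, so this is a triage check only; `codesign --verify` with an `anchor apple` requirement is the authoritative test of the chain.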