MachoStandalone should strip code signatures #11
Comments
Original comment by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren). I've attached a patch that does some of the work. The patch is not complete though, the code signature is stored in the LINKEDIT segment, not just in the macho headers:
The patch only removes the linkedit_data load command, but doesn't adjust the LINKEDIT segment and that confuses other tools (like strip(1)).
Argh, the patch is not included. Anyway, the comment sounds a bit more complicated than it should? AFAIK, the code signature is appended to a binary, so truncating plus a bit of offset adjustments elsewhere should work? Or am I missing something? If the worst comes to the worst, one can just copy and recreate all the Mach-O sections, dropping the LC_CODE_SIGNATURE part on the way? I am about to embark on exactly this task. The context is that mono (C# stuff)'s runtime loader has the ability of looking at itself, and loading extract .net dll's appended to the end of it, and one can sign the result afterwards. But this process breaks if the main loader's binary is already signed (which it is, on officially distributed binaries); people cross-compiling mono for Mac OS X from elsewhere do not have this problem since the loader binary would then be unsigned. Anyway, I am going to go ahead to see if I can write a script to strip the code signature with macholib.
I have finished my remove-code-signature script, https://github.com/HinTak/mono-modification/blob/macosx-10.13/remove-code-signature.py , and tested it successfully on a signed binary for which I had already kept the pre-signed version. FYI. @ronaldoussoren yes, after finishing the script, I realise that your "adjust the LINKEDIT segment" is just my "a bit of offset adjustments elsewhere" :-). Since my script allows me to recover the pre-signed version (which the signing tool was happy to sign), I believe my script is correct and complete. And thanks for the library! It makes this sort of binary manipulation straightforward.
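The three steps discussed in this thread (drop the LC_CODE_SIGNATURE load command, shrink `__LINKEDIT`, truncate the file), as an added example that is not macholib code and not the remove-code-signature.py script linked above. It uses only `struct`, handles thin little-endian 64-bit images whose signature is the trailing part of the file, and `strip_signature` and `sample_signed` are hypothetical names; the sample image is constructed.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF                  # thin little-endian 64-bit Mach-O
LC_SEGMENT_64, LC_CODE_SIGNATURE = 0x19, 0x1D
HDR = struct.Struct("<8I")                # mach_header_64
SEG = struct.Struct("<II16s4QiiII")       # segment_command_64, sections excluded
LED = struct.Struct("<4I")                # linkedit_data_command

def strip_signature(image: bytes) -> bytes:
    """Return image without LC_CODE_SIGNATURE and its trailing __LINKEDIT blob."""
    buf = bytearray(image)
    magic, cpu, sub, ftype, ncmds, sizeofcmds, flags, rsvd = HDR.unpack_from(buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("only thin little-endian 64-bit Mach-O handled here")
    off, end, sig, linkedit = HDR.size, HDR.size + sizeofcmds, None, None
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", buf, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        if cmd == LC_CODE_SIGNATURE:
            sig = (off, cmdsize) + LED.unpack_from(buf, off)[2:]
        elif cmd == LC_SEGMENT_64 and buf[off + 8:off + 24].rstrip(b"\0") == b"__LINKEDIT":
            linkedit = off
        off += cmdsize
    if sig is None:
        return bytes(buf)                 # nothing to strip
    sig_off, sig_size, dataoff, datasize = sig
    if linkedit is None or dataoff + datasize != len(buf):
        raise ValueError("signature is not the trailing part of the file")
    # 1. Shrink __LINKEDIT so it ends where the signature began (vmsize untouched).
    seg = list(SEG.unpack_from(buf, linkedit))
    seg[6] = dataoff - seg[5]             # filesize = dataoff - fileoff
    SEG.pack_into(buf, linkedit, *seg)
    # 2. Drop the load command; close the gap and zero-pad so file offsets stay put.
    buf[sig_off:end] = buf[sig_off + sig_size:end] + bytes(sig_size)
    HDR.pack_into(buf, 0, magic, cpu, sub, ftype, ncmds - 1, sizeofcmds - sig_size, flags, rsvd)
    # 3. Truncate the signature blob itself.
    return bytes(buf[:dataoff])

def sample_signed() -> bytes:
    """Constructed 176-byte image: header, __LINKEDIT, LC_CODE_SIGNATURE, fake blob."""
    seg = SEG.pack(LC_SEGMENT_64, SEG.size, b"__LINKEDIT", 0x4000, 0x4000, 128, 48, 1, 1, 0, 0)
    led = LED.pack(LC_CODE_SIGNATURE, LED.size, 160, 16)
    hdr = HDR.pack(MH_MAGIC_64, 0x0100000C, 0, 2, 2, len(seg) + len(led), 0, 0)
    return (hdr + seg + led).ljust(128, b"\0") + b"L" * 32 + b"SIG!" * 4
```

Leaving the load command in place while truncating, or the reverse, produces the inconsistent `__LINKEDIT` that the first comment says confuses tools such as strip(1).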
My current plan is to re-sign binaries using an ad-hoc signature, especially because macOS/arm64 requires code signatures.
Original report by Ronald Oussoren (Bitbucket: ronaldoussoren, GitHub: ronaldoussoren).
MachoStandalone changes binaries, which break code signatures. The command should therefore remove code signatures.