UNPKG

applesign

Version:

API to resign IPA files

www.nowsecure.com

nowsecure/node-applesign

264 lines (191 loc) 9.6 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
node-applesign =============== NodeJS module and commandline utility for re-signing iOS applications (IPA files). Author ------ Sergi Alvarez Capilla aka pancake @ nowsecure.com Program Dependencies -------------------- * zip - re-create IPA * unzip - decompress IPA (see `npm run unzip-lzfse`) * codesign - sign and verify binary with new entitlements and identity * security - get entitlements from mobileprovision * insert_dylib - only if you want to use the -I,--insert flag Usage ----- When running without arguments we get a short help message ``` $ bin/applesign.js Usage: applesign [--options ...] [target.ipa | Payload/Target.app] -a, --all Resign all binaries, even it unrelated to the app -b, --bundleid [BUNDLEID] Change the bundleid when repackaging -c, --clone-entitlements Clone the entitlements from the provisioning to the bin -f, --force-family Force UIDeviceFamily in Info.plist to be iPhone -h, --help Show verbose help message -H, --allow-http Add NSAppTransportSecurity.NSAllowsArbitraryLoads in plist -i, --identity [1C4D1A..] Specify hash-id of the identity to use -L, --identities List local codesign identities -m, --mobileprovision [FILE] Specify the mobileprovision file to use -o, --output [APP.IPA] Path to the output IPA filename -O, --osversion 9.0 Force specific OSVersion if any in Info.plist -p, --without-plugins Remove plugins (excluding XCTests) from the resigned IPA -w, --without-watchapp Remove the WatchApp from the IPA before resigning -x, --without-xctests Remove the XCTests from the resigned IPA Example: $ applesign -w -c -m embedded.mobileprovision target.ipa ``` The full help is displayed when passing the `--help` flag. ``` $ bin/applesign.js --help Usage: applesign [--options ...] [input-ipafile] Packaging: -7, --use-7zip Use 7zip instead of unzip -A, --all-dirs Archive all directories, not just Payload/ -I, --insert [frida.dylib] Insert a dynamic library to the main executable -l, --lipo [arm64|armv7] Lipo -thin all bins inside the IPA for the given architecture -n, --noclean keep temporary files when signing error happens -o, --output [APP.IPA] Path to the output IPA filename -P, --parallel Run layered signing dependencies in parallel (EXPERIMENTAL) -r, --replace Replace the input IPA file with the resigned one -u, --unfair Resign encrypted applications -z, --ignore-zip-errors Ignore unzip/7z uncompressing errors Stripping: -p, --without-plugins Remove plugins (excluding XCTests) from the resigned IPA -w, --without-watchapp Remove the WatchApp from the IPA before resigning -x, --without-xctests Remove the XCTests from the resigned IPA Signing: --use-openssl Use OpenSSL cms instead of Apple's security tool -a, --all Resign all binaries, even it unrelated to the app -i, --identity [1C4D1A..] Specify hash-id of the identity to use -k, --keychain [KEYCHAIN] Specify alternative keychain file -K, --add-access-group [NAME] Add $(TeamIdentifier).NAME to keychain-access-groups -L, --identities List local codesign identities -m, --mobileprovision [FILE] Specify the mobileprovision file to use -s, --single Sign a single file instead of an IPA -S, --self-sign-provision Self-sign mobile provisioning (EXPERIMENTAL) -v, --verify Verify all the signed files at the end -V, --verify-twice Verify after signing every file and at the end Info.plist -b, --bundleid [BUNDLEID] Change the bundleid when repackaging -B, --bundleid-access-group Add $(TeamIdentifier).bundleid to keychain-access-groups -f, --force-family Force UIDeviceFamily in Info.plist to be iPhone -H, --allow-http Add NSAppTransportSecurity.NSAllowsArbitraryLoads in plist -O, --osversion 9.0 Force specific OSVersion if any in Info.plist Entitlements: -c, --clone-entitlements Clone the entitlements from the provisioning to the bin -e, --entitlements [ENTITL] Specify entitlements file (EXPERIMENTAL) -E, --entry-entitlement Use generic entitlement (EXPERIMENTAL) -M, --massage-entitlements Massage entitlements to remove privileged ones -t, --without-get-task-allow Do not set the get-task-allow entitlement (EXPERIMENTAL) -C, --no-entitlements-file Do not create .entitlements file in the IPA -h, --help Show this help message --version Show applesign version [input-ipafile] Path to the IPA file to resign Examples: $ applesign -L # enumerate codesign identities, grab one and use it with -i $ applesign -m embedded.mobileprovision target.ipa $ applesign -i AD71EB42BC289A2B9FD3C2D5C9F02D923495A23C target.ipa $ applesign -m a.mobileprovision -c --lipo arm64 -w target.ipa Installing in the device: $ ideviceinstaller -i target-resigned.ipa $ ios-deploy -b target-resigned.ipa ``` List local codesign identities: $ bin/applesign -L Resign an IPA with a specific identity: $ bin/applesign -i 1C4D1A442A623A91E6656F74D170A711CB1D257A foo.ipa Change bundleid: $ bin/applesign -b org.nowsecure.testapp path/to/ipa Signing methods --------------- There are different ways to sign an IPA file with applesign for experimental reasons. You may want to check the following options: **-c, --clone-entitlements** put the entitlements embedded inside the signed mobileprovisioning file provided by the user as the default ones to sign all the binaries **-S, --self-sign-provision** creates a custom mobileprovisioning (unsigned for now). installd complains **-E, --entry-entitlement** use the default entitlements plist. useful when troubleshooting The default signing method does as follow: * Grab entitlements from binary * Remove problematic entitlements * Grab entitlements from the provisioning * Adjust application-id and team-id of the binary with the provisioning ones * Copy the original mobileprovisioning inside the IPA * Creates ${AppName}.entitlements and signs all the mach0s After some testing we will probably go for having -c or -E as default. In addition, for performance reasons, applesign supports -p for parallel signing. The order of signing the binaries inside an IPA matters, so applesign creates a dependency list of all the bins and signs them in order. The parallel signing aims to run in parallel as much tasks as possible without breaking the dependency list. Mangling -------- It is possible with `--force-family` to remove the UISupportedDevices from the Info.plist and replace the entitlement information found in the mobileprovisioning and then carefully massage the rest of entitlements to drop the privileged ones (`--massage-entitlements`). Other interesting manipulations that can be done in the IPA are: **-I, --insert [frida.dylib]** Allows to insert a dynamic library in the main executable. This is how Frida can be injected to introspect iOS applications without jailbreak. **-l, --lipo [arm64|armv7]** Thinifies an IPA by removing all fatmach0s to only contain binaries for one specified architecture. Also this is helpful to identify non-arm binaries embedded inside IPA that can be leaked from development or pre-production environments. In order to thinify the final IPA even more, applesign allows to drop the watchapp extensions which would not be necessary for non Apple Watch users. Performance ----------- Sometimes the time required to run the codesigning step matters, so applesign allows to skip some steps and speedup the process. See `--dont-verify` and `--parallel` commandline flags. Enabling those options can result on a 35% speedup on ~60MB IPAs. API usage --------- Here's a simple program that resigns an IPA: ```js const Applesign = require('applesign'); const as = new Applesign({ identity: '81A24300FE2A8EAA99A9601FDA3EA811CD80526A', mobileprovision: '/path/to/dev.mobileprovision', withoutWatchapp: true }); as.events.on('warning', (msg) => { console.log('WARNING', msg); }) .on('message', (msg) => { console.log('msg', msg); }); as.signIPA('/path/to/app.ipa') .then(_ => { console.log('ios-deploy -b', as.config.outfile); }) .catch(e => { console.error(e); process.exitCode = 1; }); ``` To list the developer identities available in the system: ```js try { const ids = await as.getIdentities(); ids.forEach((id) => { console.log(id.hash, id.name); }); } catch (err) { console.error(err, ids); } ``` Bear in mind that the Applesign object can tuned to use different configuration options: ```js const options = { file: '/path/to/app.ipa', outfile: '/path/to/app-resigned.ipa', entitlement: '/path/to/entitlement', bundleid: 'app.company.bundleid', identity: 'hash id of the developer', mobileprovision: '/path/to/mobileprovision file', ignoreVerificationErrors: true, withoutWatchapp: true }; ``` Further reading --------------- See the Wiki: https://github.com/nowsecure/node-applesign/wiki * https://github.com/maciekish/iReSign * https://github.com/saucelabs/isign * https://github.com/phonegap/ios-deploy Pre iOS9 devices will require a developer account: * http://dev.mlsdigital.net/posts/how-to-resign-an-ios-app-from-external-developers/