git.cameronkatri.com Git - ldid.git/blob - docs/ldid.1
Re-add proper hash agility required for 15.1+
.\"-
.\" Copyright (c) 2021-2022 Procursus Team <team@procurs.us>
.\" SPDX-License-Identifier: AGPL-3.0-or-later
.\"
.Dd January 20, 2022
.Dt LDID 1
.Os
.Sh NAME
.Nm ldid
.Nd Link Identity Editor
.Sh SYNOPSIS
.Nm
.Op Fl A Ns Ar cputype : Ns Ar subtype
.Op Fl a
.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
.Op Fl D
.Op Fl d
.Op Fl E Ns Ar num : Ns Ar file
.Op Fl e
.Op Fl H Ns Op Ar sha1 | Ar sha256
.Op Fl h
.Op Fl I Ns Ar name
.Op Fl K Ns Ar key.p12 Op Fl U Ns Ar password
.Op Fl M
.Op Fl P
.Op Fl Q Ns Ar requirements
.Op Fl q
.Op Fl r | Fl S Ns Ar file.xml | Fl s
.Op Fl u
.Op Fl arch Ar arch_type
.Ar
.Sh DESCRIPTION
.Nm
adds SHA1 and SHA256 hashes to a Mach-O file so that it can be run
on a system that has validation but not signature verification.
.Bl -tag -width -indent
.It Fl A Ns Ar cputype : Ns Ar subtype
When used with
.Fl a , Fl D , Fl e , Fl h , Fl q ,
or
.Fl u ,
only act on the slice specified by
.Ar cputype
and
.Ar subtype .
.Ar cputype
and
.Ar subtype
should both be integers.
.It Fl a
Print the CPU types and subtypes in hexadecimal.
.It Fl arch Ar arch_type
The same as
.Fl A ,
except the name of the architecture is used.
The list of currently known
.Ar arch_type Ns s
can be found in
.Xr arch 3 .
This is a Procursus extension.
.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
Specify the option flags to embed in the code signature.
See
.Xr codesign 1
for details about these options.
.It Fl D
Reset the cryptid.
.It Fl d
Print the cryptid in the binaries if it exists.
For compatibility reasons it also acts as
.Fl h ,
but this will be removed in the future.
.It Fl E Ns Ar num : Ns Ar file
Embed the hashes of
.Ar file
in the special codesign slot at
.Ar num .
.It Fl e
Print the entitlements in each slice, or the slice specified by
.Fl A ,
to
.Ar stdout .
.It Fl H Ns Op Ar sha1 | Ar sha256
Disable the hash not specified.
This is useful to replicate the default behavior of
.Xr codesign 1 ,
which only provides a SHA256 signature.
.It Fl h
Print information about the signature, such as
hash types, flags, CDHash, and CodeDirectory version to
.Ar stdout .
.It Fl I Ns Ar name
Set the identifier used in the binary's signature to
.Ar name .
If not specified, the basename of the binary is used.
.It Fl K Ns Ar key.p12
Sign using the identity in
.Ar key.p12 .
This will give the binary a valid signature so that it can be run
on a system with signature validation.
If
.Ar key.p12
has a password you will be prompted for it,
or you can specify it on the command line with
.Fl U .
.It Fl M
When used with
.Fl S ,
merge the new and existing entitlements instead of replacing the existing
entitlements.
This is useful for adding a few specific entitlements to a
handful of binaries.
.It Fl P
Mark the Mach-O as a platform binary.
.It Fl Q Ns Ar requirements.xml
Embed the requirements found in
.Ar requirements .
.It Fl q
Print embedded requirements of the binaries.
.It Fl r
Remove the signature from the Mach-O.
.It Fl S Ns Op Ar file.xml
Pseudo-sign the Mach-O binaries.
If
.Ar file.xml
is specified then the entitlements found in
.Ar file.xml
will be embedded in the Mach-O.
.It Fl s
Re-sign the Mach-O binaries while keeping the existing entitlements.
.It Fl U Ns Ar password
Use
.Ar password
as the password for the p12 certificate instead of prompting.
This is a Procursus extension.
.It Fl u
If the binary was linked against UIKit, then print the UIKit version that the
Mach-O binaries were linked against.
.El
.Sh EXAMPLES
The command:
.Pp
.Dl "ldid -S file"
.Pp
will fakesign
.Ar file
with no entitlements.
.Pp
The command:
.Pp
.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml file"
.Pp
will sign
.Ar file
using the key in
.Ar /path/to/key.p12
with the entitlements found in
.Ar ent.xml ,
and mark it as an adhoc signature.
.Pp
The command:
.Pp
.Dl "ldid -Sent.xml -M file"
.Pp
will add the entitlements in
.Ar ent.xml
to the entitlements already in
.Ar file .
.Pp
The command:
.Pp
.Dl "ldid -e file > ent.xml"
.Pp
will save the entitlements found in each slice of
.Ar file
to
.Ar ent.xml .
.Sh SEE ALSO
.Xr codesign 1
.Sh HISTORY
The
.Nm
utility was written by
.An Jay \*qSaurik\*q Freeman .
iPhoneOS 1.2.0 and 2.0 support was added on April 6, 2008.
.Fl S
was added on June 13, 2008.
SHA256 support was added on August 25, 2016, fixing iOS 11 support.
iOS 14 support was added on July 31, 2020 by
.An Kabir Oberai .
iOS 15 support was added on June 11, 2021.
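
Added example (not part of ldid or of this manual page): Python code that reads from an embedded signature the fields the -h option is documented to print (hash type, flags, CodeDirectory version, CDHash), and shows that a file carrying both hashes has one CodeDirectory per hash type. It assumes Apple's published code-signing blob layout; the function names and the sample signature are constructed for illustration, and locating the blob inside a real Mach-O (LC_CODE_SIGNATURE) is not covered.

```python
import hashlib
import struct

EMBEDDED_SIGNATURE = 0xFADE0CC0   # SuperBlob wrapping every signature component
CODEDIRECTORY = 0xFADE0C02
BLOBWRAPPER = 0xFADE0B01          # holds the CMS signature, if there is one
HASHES = {1: ("sha1", hashlib.sha1), 2: ("sha256", hashlib.sha256)}
CS_ADHOC = 0x2                    # the "adhoc" option flag

def inspect_signature(sig: bytes) -> dict:
    """Summarise the CodeDirectories and CMS payload of an embedded signature."""
    if len(sig) < 12:
        raise ValueError("too short for a SuperBlob")
    magic, length, count = struct.unpack_from(">III", sig, 0)
    if magic != EMBEDDED_SIGNATURE or length > len(sig) or 12 + 8 * count > length:
        raise ValueError("not a well-formed embedded signature")
    out = {"directories": [], "cms_bytes": 0}
    for i in range(count):
        slot, off = struct.unpack_from(">II", sig, 12 + 8 * i)
        if off + 8 > length:
            raise ValueError("blob index points outside the SuperBlob")
        bmagic, blen = struct.unpack_from(">II", sig, off)
        if blen < 8 or off + blen > length:
            raise ValueError("blob length out of bounds")
        if bmagic == BLOBWRAPPER:
            out["cms_bytes"] = blen - 8
        elif bmagic == CODEDIRECTORY and blen >= 44:
            version, flags = struct.unpack_from(">II", sig, off + 8)
            hash_type = sig[off + 37]
            name, algo = HASHES.get(hash_type, (f"type{hash_type}", None))
            cdhash = algo(sig[off:off + blen]).digest()[:20].hex() if algo else None
            out["directories"].append({"slot": slot, "version": version, "hash": name,
                                       "adhoc": bool(flags & CS_ADHOC), "cdhash": cdhash})
    return out

def sample_cd(hash_type: int, hash_size: int) -> bytes:
    """Constructed version-0x20001 CodeDirectory: adhoc flag, no hash slots, identifier "demo"."""
    ident = b"demo\0"
    body = struct.pack(">7I4BI", 0x20001, CS_ADHOC, 44 + len(ident), 44, 0, 0, 0,
                       hash_size, hash_type, 0, 12, 0)
    return struct.pack(">II", CODEDIRECTORY, 44 + len(ident)) + body + ident

def sample_signature() -> bytes:
    """Constructed SuperBlob: SHA1 directory in slot 0, SHA256 alternate in slot 0x1000."""
    cds = [(0, sample_cd(1, 20)), (0x1000, sample_cd(2, 32))]
    off, index, data = 12 + 8 * len(cds), b"", b""
    for slot, cd in cds:
        index += struct.pack(">II", slot, off + len(data))
        data += cd
    return struct.pack(">III", EMBEDDED_SIGNATURE, off + len(data), len(cds)) + index + data
```

A cms_bytes value of 0 means the signature carries hashes only and no CMS signature to verify, which is the distinction the DESCRIPTION draws between validation and signature verification.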