]> git.cameronkatri.com Git - ldid.git/blobdiff - ldid.cpp
git.ckatri.com / ldid.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix regression on FAT files (from 64-bit support).
[ldid.git] / ldid.cpp
diff --git a/ldid.cpp b/ldid.cpp
index 0a656f8d4b7824365beaa27979b55a104ce74dc4..da4c0c7099ab21ebafb30cf24e90ae369bbe1807 100644 (file)
--- a/ldid.cpp
+++ b/ldid.cpp
@@ -861,6 +861,26 @@ class FatHeader :
 #define CS_HASHTYPE_SHA256_160 3
 #define CS_HASHTYPE_SHA386_386 4
 
 #define CS_HASHTYPE_SHA256_160 3
 #define CS_HASHTYPE_SHA386_386 4
 
+#if 0
+#define CS_EXECSEG_MAIN_BINARY     0x001 /* executable segment denotes main binary */
+#define CS_EXECSEG_ALLOW_UNSIGNED  0x010 /* allow unsigned pages (for debugging) */
+#define CS_EXECSEG_DEBUGGER        0x020 /* main binary is debugger */
+#define CS_EXECSEG_JIT             0x040 /* JIT enabled */
+#define CS_EXECSEG_SKIP_LV         0x080 /* skip library validation */
+#define CS_EXECSEG_CAN_LOAD_CDHASH 0x100 /* can bless cdhash for execution */
+#define CS_EXECSEG_CAN_EXEC_CDHASH 0x200 /* can execute blessed cdhash */
+#else
+enum SecCodeExecSegFlags {
+    kSecCodeExecSegMainBinary = 0x001,
+    kSecCodeExecSegAllowUnsigned = 0x010,
+    kSecCodeExecSegDebugger = 0x020,
+    kSecCodeExecSegJit = 0x040,
+    kSecCodeExecSegSkipLibraryVal = 0x080,
+    kSecCodeExecSegCanLoadCdHash = 0x100,
+    kSecCodeExecSegCanExecCdHash = 0x100,
+};
+#endif
+
 struct BlobIndex {
     uint32_t type;
     uint32_t offset;
 struct BlobIndex {
     uint32_t type;
     uint32_t offset;
@@ -892,8 +912,22 @@ struct CodeDirectory {
     uint32_t spare2;
     uint32_t scatterOffset;
     uint32_t teamIDOffset;
     uint32_t spare2;
     uint32_t scatterOffset;
     uint32_t teamIDOffset;
-    //uint32_t spare3;
-    //uint64_t codeLimit64;
+    uint32_t spare3;
+    uint64_t codeLimit64;
+    uint64_t execSegBase;
+    uint64_t execSegLimit;
+    uint64_t execSegFlags;
+#if 0 // version = 0x20500
+    uint32_t runtime;
+    uint32_t preEncryptOffset;
+#endif
+#if 0 // version = 0x20600
+    uint8_t linkageHashType;
+    uint8_t linkageTruncated;
+    uint16_t spare4;
+    uint32_t linkageOffset;
+    uint32_t linkageSize;
+#endif
 } _packed;
 
 enum CodeSignatureFlags {
 } _packed;
 
 enum CodeSignatureFlags {
@@ -905,6 +939,7 @@ enum CodeSignatureFlags {
     kSecCodeSignatureRestrict = 0x0800,
     kSecCodeSignatureEnforcement = 0x1000,
     kSecCodeSignatureLibraryValidation = 0x2000,
     kSecCodeSignatureRestrict = 0x0800,
     kSecCodeSignatureEnforcement = 0x1000,
     kSecCodeSignatureLibraryValidation = 0x2000,
+    kSecCodeSignatureRuntime = 0x10000,
 };
 
 enum Kind : uint32_t {
 };
 
 enum Kind : uint32_t {
@@ -1061,9 +1096,9 @@ struct Baton {
 
 struct CodesignAllocation {
     FatMachHeader mach_header_;
 
 struct CodesignAllocation {
     FatMachHeader mach_header_;
-    uint32_t offset_;
+    uint64_t offset_;
     uint32_t size_;
     uint32_t size_;
-    uint32_t limit_;
+    uint64_t limit_;
     uint32_t alloc_;
     uint32_t align_;
     const char *arch_;
     uint32_t alloc_;
     uint32_t align_;
     const char *arch_;
@@ -1222,7 +1257,7 @@ std::string Analyze(const void *data, size_t size) {
     return entitlements;
 }
 
     return entitlements;
 }
 
-static void Allocate(const void *idata, size_t isize, std::streambuf &output, const Functor<size_t (const MachHeader &, Baton &, size_t)> &allocate, const Functor<size_t (const MachHeader &, const Baton &, std::streambuf &output, size_t, const std::string &, const char *, const Progress &)> &save, const Progress &progress) {
+static void Allocate(const void *idata, size_t isize, std::streambuf &output, const Functor<size_t (const MachHeader &, Baton &, size_t)> &allocate, const Functor<size_t (const MachHeader &, const Baton &, std::streambuf &output, size_t, size_t, size_t, const std::string &, const char *, const Progress &)> &save, const Progress &progress) {
     FatHeader source(const_cast<void *>(idata), isize);
 
     size_t offset(0);
     FatHeader source(const_cast<void *>(idata), isize);
 
     size_t offset(0);
@@ -1326,14 +1361,27 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co
         put(output, &fat_header, sizeof(fat_header));
         position += sizeof(fat_header);
 
         put(output, &fat_header, sizeof(fat_header));
         position += sizeof(fat_header);
 
+        // XXX: support fat_arch_64 (not in my toolchain)
+        // probably use C++14 generic lambda (not in my toolchain)
+
+        _assert_(![&]() {
+            _foreach (allocation, allocations) {
+                const auto offset(allocation.offset_);
+                const auto size(allocation.limit_ + allocation.alloc_);
+                if (uint32_t(offset) != offset || uint32_t(size) != size)
+                    return true;
+            }
+            return false;
+        }(), "FAT slice >=4GiB not currently supported");
+
         _foreach (allocation, allocations) {
             auto &mach_header(allocation.mach_header_);
 
             fat_arch fat_arch;
             fat_arch.cputype = Swap(mach_header->cputype);
             fat_arch.cpusubtype = Swap(mach_header->cpusubtype);
         _foreach (allocation, allocations) {
             auto &mach_header(allocation.mach_header_);
 
             fat_arch fat_arch;
             fat_arch.cputype = Swap(mach_header->cputype);
             fat_arch.cpusubtype = Swap(mach_header->cpusubtype);
-            fat_arch.offset = Swap(allocation.offset_);
-            fat_arch.size = Swap(allocation.limit_ + allocation.alloc_);
+            fat_arch.offset = Swap(uint32_t(allocation.offset_));
+            fat_arch.size = Swap(uint32_t(allocation.limit_ + allocation.alloc_));
             fat_arch.align = Swap(allocation.align_);
             put(output, &fat_arch, sizeof(fat_arch));
             position += sizeof(fat_arch);
             fat_arch.align = Swap(allocation.align_);
             put(output, &fat_arch, sizeof(fat_arch));
             position += sizeof(fat_arch);
@@ -1347,6 +1395,9 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co
         pad(output, allocation.offset_ - position);
         position = allocation.offset_;
 
         pad(output, allocation.offset_ - position);
         position = allocation.offset_;
 
+        size_t left(-1);
+        size_t right(0);
+
         std::vector<std::string> commands;
 
         _foreach (load_command, mach_header.GetLoadCommands()) {
         std::vector<std::string> commands;
 
         _foreach (load_command, mach_header.GetLoadCommands()) {
@@ -1357,22 +1408,44 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co
                     continue;
                 break;
 
                     continue;
                 break;
 
+                // XXX: this is getting ridiculous: provide a better abstraction
+
                 case LC_SEGMENT: {
                     auto segment_command(reinterpret_cast<struct segment_command *>(&copy[0]));
                 case LC_SEGMENT: {
                     auto segment_command(reinterpret_cast<struct segment_command *>(&copy[0]));
-                    if (strncmp(segment_command->segname, "__LINKEDIT", 16) != 0)
-                        break;
-                    size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
-                    segment_command->filesize = size;
-                    segment_command->vmsize = Align(size, 1 << allocation.align_);
+
+                    if ((segment_command->initprot & 04) != 0) {
+                        auto begin(mach_header.Swap(segment_command->fileoff));
+                        auto end(begin + mach_header.Swap(segment_command->filesize));
+                        if (left > begin)
+                            left = begin;
+                        if (right < end)
+                            right = end;
+                    }
+
+                    if (strncmp(segment_command->segname, "__LINKEDIT", 16) == 0) {
+                        size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
+                        segment_command->filesize = size;
+                        segment_command->vmsize = Align(size, 1 << allocation.align_);
+                    }
                 } break;
 
                 case LC_SEGMENT_64: {
                     auto segment_command(reinterpret_cast<struct segment_command_64 *>(&copy[0]));
                 } break;
 
                 case LC_SEGMENT_64: {
                     auto segment_command(reinterpret_cast<struct segment_command_64 *>(&copy[0]));
-                    if (strncmp(segment_command->segname, "__LINKEDIT", 16) != 0)
-                        break;
-                    size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
-                    segment_command->filesize = size;
-                    segment_command->vmsize = Align(size, 1 << allocation.align_);
+
+                    if ((segment_command->initprot & 04) != 0) {
+                        auto begin(mach_header.Swap(segment_command->fileoff));
+                        auto end(begin + mach_header.Swap(segment_command->filesize));
+                        if (left > begin)
+                            left = begin;
+                        if (right < end)
+                            right = end;
+                    }
+
+                    if (strncmp(segment_command->segname, "__LINKEDIT", 16) == 0) {
+                        size_t size(mach_header.Swap(allocation.limit_ + allocation.alloc_ - mach_header.Swap(segment_command->fileoff)));
+                        segment_command->filesize = size;
+                        segment_command->vmsize = Align(size, 1 << allocation.align_);
+                    }
                 } break;
             }
 
                 } break;
             }
 
@@ -1434,7 +1507,7 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co
         pad(output, allocation.limit_ - allocation.size_);
         position += allocation.limit_ - allocation.size_;
 
         pad(output, allocation.limit_ - allocation.size_);
         position += allocation.limit_ - allocation.size_;
 
-        size_t saved(save(mach_header, allocation.baton_, output, allocation.limit_, overlap, top, progress));
+        size_t saved(save(mach_header, allocation.baton_, output, allocation.limit_, left, right, overlap, top, progress));
         if (allocation.alloc_ > saved)
             pad(output, allocation.alloc_ - saved);
         else
         if (allocation.alloc_ > saved)
             pad(output, allocation.alloc_ - saved);
         else
@@ -1659,11 +1732,6 @@ class NullBuffer :
     }
 };
 
     }
 };
 
-class Digest {
-  public:
-    uint8_t sha1_[LDID_SHA1_DIGEST_LENGTH];
-};
-
 class HashBuffer :
     public std::streambuf
 {
 class HashBuffer :
     public std::streambuf
 {
@@ -1957,17 +2025,51 @@ Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::st
 #endif
 
         return alloc;
 #endif
 
         return alloc;
-    }), fun([&](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
+    }), fun([&](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, size_t left, size_t right, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
         Blobs blobs;
 
         if (true) {
             insert(blobs, CSSLOT_REQUIREMENTS, backing);
         }
 
         Blobs blobs;
 
         if (true) {
             insert(blobs, CSSLOT_REQUIREMENTS, backing);
         }
 
+        uint64_t execs(0);
+        if (mach_header.Swap(mach_header->filetype) == MH_EXECUTE)
+            execs |= kSecCodeExecSegMainBinary;
+
         if (!baton.entitlements_.empty()) {
             std::stringbuf data;
             put(data, baton.entitlements_.data(), baton.entitlements_.size());
             insert(blobs, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS, data);
         if (!baton.entitlements_.empty()) {
             std::stringbuf data;
             put(data, baton.entitlements_.data(), baton.entitlements_.size());
             insert(blobs, CSSLOT_ENTITLEMENTS, CSMAGIC_EMBEDDED_ENTITLEMENTS, data);
+
+#ifndef LDID_NOPLIST
+            auto entitlements(plist(baton.entitlements_));
+            _scope({ plist_free(entitlements); });
+            _assert(plist_get_node_type(entitlements) == PLIST_DICT);
+
+            const auto entitled([&](const char *key) {
+                auto item(plist_dict_get_item(entitlements, key));
+                if (plist_get_node_type(item) != PLIST_BOOLEAN)
+                    return false;
+                uint8_t value(0);
+                plist_get_bool_val(item, &value);
+                return value != 0;
+            });
+
+            if (entitled("get-task-allow"))
+                execs |= kSecCodeExecSegAllowUnsigned;
+            if (entitled("run-unsigned-code"))
+                execs |= kSecCodeExecSegAllowUnsigned;
+            if (entitled("com.apple.private.cs.debugger"))
+                execs |= kSecCodeExecSegDebugger;
+            if (entitled("dynamic-codesigning"))
+                execs |= kSecCodeExecSegJit;
+            if (entitled("com.apple.private.skip-library-validation"))
+                execs |= kSecCodeExecSegSkipLibraryVal;
+            if (entitled("com.apple.private.amfi.can-load-cdhash"))
+                execs |= kSecCodeExecSegCanLoadCdHash;
+            if (entitled("com.apple.private.amfi.can-execute-cdhash"))
+                execs |= kSecCodeExecSegCanExecCdHash;
+#endif
         }
 
         Slots posts(slots);
         }
 
         Slots posts(slots);
@@ -1994,10 +2096,10 @@ Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::st
             uint32_t normal((limit + PageSize_ - 1) / PageSize_);
 
             CodeDirectory directory;
             uint32_t normal((limit + PageSize_ - 1) / PageSize_);
 
             CodeDirectory directory;
-            directory.version = Swap(uint32_t(0x00020200));
+            directory.version = Swap(uint32_t(0x00020400));
             directory.flags = Swap(uint32_t(flags));
             directory.nSpecialSlots = Swap(special);
             directory.flags = Swap(uint32_t(flags));
             directory.nSpecialSlots = Swap(special);
-            directory.codeLimit = Swap(uint32_t(limit));
+            directory.codeLimit = Swap(uint32_t(limit > UINT32_MAX ? UINT32_MAX : limit));
             directory.nCodeSlots = Swap(normal);
             directory.hashSize = algorithm.size_;
             directory.hashType = algorithm.type_;
             directory.nCodeSlots = Swap(normal);
             directory.hashSize = algorithm.size_;
             directory.hashType = algorithm.type_;
@@ -2005,8 +2107,11 @@ Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::st
             directory.pageSize = PageShift_;
             directory.spare2 = Swap(uint32_t(0));
             directory.scatterOffset = Swap(uint32_t(0));
             directory.pageSize = PageShift_;
             directory.spare2 = Swap(uint32_t(0));
             directory.scatterOffset = Swap(uint32_t(0));
-            //directory.spare3 = Swap(uint32_t(0));
-            //directory.codeLimit64 = Swap(uint64_t(0));
+            directory.spare3 = Swap(uint32_t(0));
+            directory.codeLimit64 = Swap(uint64_t(limit > UINT32_MAX ? limit : 0));
+            directory.execSegBase = Swap(uint64_t(left));
+            directory.execSegLimit = Swap(uint64_t(right - left));
+            directory.execSegFlags = Swap(execs);
 
             uint32_t offset(sizeof(Blob) + sizeof(CodeDirectory));
 
 
             uint32_t offset(sizeof(Blob) + sizeof(CodeDirectory));
 
@@ -2138,7 +2243,7 @@ Hash Sign(const void *idata, size_t isize, std::streambuf &output, const std::st
 static void Unsign(void *idata, size_t isize, std::streambuf &output, const Progress &progress) {
     Allocate(idata, isize, output, fun([](const MachHeader &mach_header, Baton &baton, size_t size) -> size_t {
         return 0;
 static void Unsign(void *idata, size_t isize, std::streambuf &output, const Progress &progress) {
     Allocate(idata, isize, output, fun([](const MachHeader &mach_header, Baton &baton, size_t size) -> size_t {
         return 0;
-    }), fun([](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
+    }), fun([](const MachHeader &mach_header, const Baton &baton, std::streambuf &output, size_t limit, size_t left, size_t right, const std::string &overlap, const char *top, const Progress &progress) -> size_t {
         return 0;
     }), progress);
 }
         return 0;
     }), progress);
 }
@@ -2801,6 +2906,16 @@ Bundle Sign(const std::string &root, Folder &folder, const std::string &key, con
 #endif
 }
 
 #endif
 }
 
+std::string Hex(const uint8_t *data, size_t size) {
+    std::string hex;
+    hex.reserve(size * 2);
+    for (size_t i(0); i != size; ++i) {
+        hex += "0123456789abcdef"[data[i] >> 4];
+        hex += "0123456789abcdef"[data[i] & 0xf];
+    }
+    return hex;
+}
+
 static void usage(const char *argv0) {
     fprintf(stderr, "usage: %s -S[entitlements.xml] <binary>\n", argv0);
     fprintf(stderr, "   %s -e MobileSafari\n", argv0);
 static void usage(const char *argv0) {
     fprintf(stderr, "usage: %s -S[entitlements.xml] <binary>\n", argv0);
     fprintf(stderr, "   %s -e MobileSafari\n", argv0);
@@ -2826,6 +2941,7 @@ int main(int argc, char *argv[]) {
     bool flag_q(false);
 
     bool flag_H(false);
     bool flag_q(false);
 
     bool flag_H(false);
+    bool flag_h(false);
 
 #ifndef LDID_NOFLAGT
     bool flag_T(false);
 
 #ifndef LDID_NOFLAGT
     bool flag_T(false);
@@ -2835,6 +2951,7 @@ int main(int argc, char *argv[]) {
     bool flag_s(false);
 
     bool flag_D(false);
     bool flag_s(false);
 
     bool flag_D(false);
+    bool flag_d(false);
 
     bool flag_A(false);
     bool flag_a(false);
 
     bool flag_A(false);
     bool flag_a(false);
@@ -2916,12 +3033,15 @@ int main(int argc, char *argv[]) {
                 else _assert(false);
             } break;
 
                 else _assert(false);
             } break;
 
+            case 'h': flag_h = true; break;
+
             case 'Q': {
                 const char *xml = argv[argi] + 2;
                 requirements.open(xml, O_RDONLY, PROT_READ, MAP_PRIVATE);
             } break;
 
             case 'D': flag_D = true; break;
             case 'Q': {
                 const char *xml = argv[argi] + 2;
                 requirements.open(xml, O_RDONLY, PROT_READ, MAP_PRIVATE);
             } break;
 
             case 'D': flag_D = true; break;
+            case 'd': flag_d = true; break;
 
             case 'a': flag_a = true; break;
 
 
             case 'a': flag_a = true; break;
 
@@ -2959,6 +3079,8 @@ int main(int argc, char *argv[]) {
                     flags |= kSecCodeSignatureEnforcement;
                 else if (strcmp(name, "library-validation") == 0)
                     flags |= kSecCodeSignatureLibraryValidation;
                     flags |= kSecCodeSignatureEnforcement;
                 else if (strcmp(name, "library-validation") == 0)
                     flags |= kSecCodeSignatureLibraryValidation;
+                else if (strcmp(name, "runtime") == 0)
+                    flags |= kSecCodeSignatureRuntime;
                 else _assert(false);
             } break;
 
                 else _assert(false);
             } break;
 
@@ -3021,6 +3143,11 @@ int main(int argc, char *argv[]) {
     _assert(flag_S || key.empty());
     _assert(flag_S || flag_I == NULL);
 
     _assert(flag_S || key.empty());
     _assert(flag_S || flag_I == NULL);
 
+    if (flag_d && !flag_h) {
+        flag_h = true;
+        fprintf(stderr, "WARNING: -d also (temporarily) does the behavior of -h for compatibility with a fork of ldid\n");
+    }
+
     if (files.empty())
         return 0;
 
     if (files.empty())
         return 0;
 
@@ -3032,8 +3159,8 @@ int main(int argc, char *argv[]) {
         _syscall(stat(path.c_str(), &info));
 
         if (S_ISDIR(info.st_mode)) {
         _syscall(stat(path.c_str(), &info));
 
         if (S_ISDIR(info.st_mode)) {
+            _assert(flag_S);
 #ifndef LDID_NOPLIST
 #ifndef LDID_NOPLIST
-            _assert(!flag_r);
             ldid::DiskFolder folder(path + "/");
             path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), dummy_).path;
 #else
             ldid::DiskFolder folder(path + "/");
             path += "/" + Sign("", folder, key, requirements, ldid::fun([&](const std::string &, const std::string &) -> std::string { return entitlements; }), dummy_).path;
 #else
@@ -3121,6 +3248,10 @@ int main(int argc, char *argv[]) {
 #endif
             }
 
 #endif
             }
 
+            if (flag_d && encryption != NULL) {
+                printf("cryptid=%d\n", mach_header.Swap(encryption->cryptid));
+            }
+
             if (flag_D) {
                 _assert(encryption != NULL);
                 encryption->cryptid = mach_header.Swap(0);
             if (flag_D) {
                 _assert(encryption != NULL);
                 encryption->cryptid = mach_header.Swap(0);
@@ -3184,6 +3315,84 @@ int main(int argc, char *argv[]) {
                             LDID_SHA1(top + PageSize_ * (pages - 1), ((data - 1) % PageSize_) + 1, hashes[pages - 1]);
                     }
             }
                             LDID_SHA1(top + PageSize_ * (pages - 1), ((data - 1) % PageSize_) + 1, hashes[pages - 1]);
                     }
             }
+
+            if (flag_h) {
+                _assert(signature != NULL);
+
+                auto algorithms(GetAlgorithms());
+
+                uint32_t data = mach_header.Swap(signature->dataoff);
+
+                uint8_t *top = reinterpret_cast<uint8_t *>(mach_header.GetBase());
+                uint8_t *blob = top + data;
+                struct SuperBlob *super = reinterpret_cast<struct SuperBlob *>(blob);
+
+                struct Candidate {
+                    CodeDirectory *directory_;
+                    size_t size_;
+                    Algorithm &algorithm_;
+                    std::string hash_;
+                };
+
+                std::map<uint8_t, Candidate> candidates;
+
+                for (size_t index(0); index != Swap(super->count); ++index) {
+                    auto type(Swap(super->index[index].type));
+                    if ((type == CSSLOT_CODEDIRECTORY || type >= CSSLOT_ALTERNATE) && type != CSSLOT_SIGNATURESLOT) {
+                        uint32_t begin = Swap(super->index[index].offset);
+                        uint32_t end = index + 1 == Swap(super->count) ? Swap(super->blob.length) : Swap(super->index[index + 1].offset);
+                        struct CodeDirectory *directory = reinterpret_cast<struct CodeDirectory *>(blob + begin + sizeof(Blob));
+                        auto type(directory->hashType);
+                        _assert(type > 0 && type <= algorithms.size());
+                        auto &algorithm(*algorithms[type - 1]);
+                        uint8_t hash[algorithm.size_];
+                        algorithm(hash, blob + begin, end - begin);
+                        candidates.insert({type, {directory, end - begin, algorithm, Hex(hash, 20)}});
+                    }
+                }
+
+                _assert(!candidates.empty());
+                auto best(candidates.end());
+                --best;
+
+                const auto directory(best->second.directory_);
+                const auto flags(Swap(directory->flags));
+
+                std::string names;
+                if (flags & kSecCodeSignatureHost)
+                    names += ",host";
+                if (flags & kSecCodeSignatureAdhoc)
+                    names += ",adhoc";
+                if (flags & kSecCodeSignatureForceHard)
+                    names += ",hard";
+                if (flags & kSecCodeSignatureForceKill)
+                    names += ",kill";
+                if (flags & kSecCodeSignatureForceExpiration)
+                    names += ",expires";
+                if (flags & kSecCodeSignatureRestrict)
+                    names += ",restrict";
+                if (flags & kSecCodeSignatureEnforcement)
+                    names += ",enforcement";
+                if (flags & kSecCodeSignatureLibraryValidation)
+                    names += ",library-validation";
+                if (flags & kSecCodeSignatureRuntime)
+                    names += ",runtime";
+
+                printf("CodeDirectory v=%x size=%zd flags=0x%x(%s) hashes=%d+%d location=embedded\n",
+                    Swap(directory->version), best->second.size_, flags, names.empty() ? "none" : names.c_str() + 1, Swap(directory->nCodeSlots), Swap(directory->nSpecialSlots));
+                printf("Hash type=%s size=%d\n", best->second.algorithm_.name(), directory->hashSize);
+
+                std::string choices;
+                for (const auto &candidate : candidates) {
+                    auto choice(candidate.second.algorithm_.name());
+                    choices += ',';
+                    choices += choice;
+                    printf("CandidateCDHash %s=%s\n", choice, candidate.second.hash_.c_str());
+                }
+                printf("Hash choices=%s\n", choices.c_str() + 1);
+
+                printf("CDHash=%s\n", best->second.hash_.c_str());
+            }
         }
 
         ++filei;
         }
 
         ++filei;
Link Identity Editor. Put real or fake signatures in a Mach-O.