-rw-r--r-- | .github/workflows/build.yml | 242 | ||||
-rw-r--r-- | .gitignore | 7 | ||||
-rw-r--r-- | .gitmodules | 3 | ||||
-rw-r--r-- | Makefile | 44 | ||||
-rw-r--r-- | README.md | 6 | ||||
-rw-r--r-- | control | 12 | ||||
-rwxr-xr-x | control.sh | 5 | ||||
-rwxr-xr-x | deb.sh | 10 | ||||
-rw-r--r-- | docs/ldid.1 | 177 | ||||
-rw-r--r-- | docs/ldid.zh_CN.1 | 176 | ||||
-rw-r--r-- | docs/ldid.zh_TW.1 | 176 | ||||
-rwxr-xr-x | ios.sh | 2 | ||||
-rw-r--r-- | ldid.cpp | 66 | ||||
m--------- | libplist | 0 | ||||
-rwxr-xr-x | make.sh | 90 | ||||
-rwxr-xr-x | plist.sh | 2 | ||||
-rw-r--r-- | sha1.h | 64 | ||||
-rwxr-xr-x | sysroot.sh | 31 | ||||
-rwxr-xr-x | version.sh | 2 |
19 files changed, 876 insertions, 239 deletions
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml new file mode 100644 index 0000000..7e5090e --- /dev/null +++ b/.github/workflows/build.yml 
@@ -0,0 +1,242 @@ +name: build +on: + push: + paths: + - '*.c' + - '*.cpp' + - '.github/workflows/*' + - 'Makefile' + pull_request: + paths: + - '*.c' + - '*.cpp' + - '.github/workflows/*' + - 'Makefile' + workflow_dispatch: + release: + types: + - created + +env: + LIBPLIST_VERSION: 2.2.0 + OPENSSL_VERSION: 3.0.1 + SCCACHE_VERSION: 0.2.15 + +jobs: + build-linux: + runs-on: ubuntu-latest + strategy: + matrix: + triple: + - arm-linux-musleabi + - aarch64-linux-musl + - i486-linux-musl + - riscv64-linux-musl + - x86_64-linux-musl + env: + TOOLCHAIN: ${{ matrix.triple }}-cross + TRIPLE: ${{ matrix.triple }} + + steps: + - uses: actions/checkout@v1 + with: + submodules: recursive + + - uses: actions/cache@v2 + with: + path: | + ~/.cache/sccache + ~/dep_src + key: build-linux-${{ matrix.triple }}-${{ env.GITHUB_SHA }} + restore-keys: | + build-linux-${{ matrix.triple }} + + - name: setup environment + run: | + export DOWNLOAD_PATH=${HOME}/dep_src + export DEP_PATH=${HOME}/build + mkdir -p ${DOWNLOAD_PATH} ${DEP_PATH} + echo "DOWNLOAD_PATH=${DOWNLOAD_PATH}" >> $GITHUB_ENV + echo "DEP_PATH=${DEP_PATH}" >> $GITHUB_ENV + echo "ARCH=$(echo ${{ matrix.triple }} | cut -d- -f 1)" >> $GITHUB_ENV + + - name: setup toolchain + run: | + # Download Toolchain + wget -q -nc -P ${DOWNLOAD_PATH} https://musl.cc/${TOOLCHAIN}.tgz + tar xf ${DOWNLOAD_PATH}/${TOOLCHAIN}.tgz -C ${HOME} + + # Download sccache + wget -q -nc -P ${DOWNLOAD_PATH} \ + https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/sccache-v${SCCACHE_VERSION}-x86_64-unknown-linux-musl.tar.gz + tar xf ${DOWNLOAD_PATH}/sccache-v${SCCACHE_VERSION}-x86_64-unknown-linux-musl.tar.gz -C ${HOME} + mv ${HOME}/sccache-v${SCCACHE_VERSION}-x86_64-unknown-linux-musl/sccache ${HOME}/${TOOLCHAIN}/bin + chmod +x ${HOME}/${TOOLCHAIN}/bin/sccache + + echo "${HOME}/${TOOLCHAIN}/bin" >> $GITHUB_PATH + echo "CC=sccache ${TRIPLE}-gcc" >> $GITHUB_ENV + echo "CXX=sccache ${TRIPLE}-g++" >> $GITHUB_ENV + echo "AR=${TRIPLE}-gcc-ar" 
>> $GITHUB_ENV + echo "NM=${TRIPLE}-gcc-nm" >> $GITHUB_ENV + echo "RANLIB=${TRIPLE}-gcc-ranlib" >> $GITHUB_ENV + echo "CFLAGS=-Os -fPIC -fno-pie -no-pie -static -flto -ffunction-sections -fdata-sections" >> $GITHUB_ENV + echo "LDFLAGS=-Wl,--gc-sections -Wl,-strip-all -flto" >> $GITHUB_ENV + + - name: build libplist + run: | + wget -q -nc -P ${DOWNLOAD_PATH} https://github.com/libimobiledevice/libplist/releases/download/${LIBPLIST_VERSION}/libplist-${LIBPLIST_VERSION}.tar.bz2 + tar xf ${DOWNLOAD_PATH}/libplist-${LIBPLIST_VERSION}.tar.bz2 -C ${DEP_PATH} + cd ${DEP_PATH}/libplist-${LIBPLIST_VERSION} + ./configure --host=${TRIPLE} --prefix=/usr --without-cython --enable-static --disable-shared + make -j$(nproc) + + echo "CPPFLAGS=${CPPFLAGS} -I${DEP_PATH}/libplist-${LIBPLIST_VERSION}/include" >> $GITHUB_ENV + echo "LIBPLIST_LIB=${DEP_PATH}/libplist-${LIBPLIST_VERSION}/src/.libs/libplist-2.0.a" >> $GITHUB_ENV + + - name: build openssl + run: | + export PLATFORM="linux-${ARCH}" + case ${ARCH} in + arm) + export PLATFORM="linux-generic32" + ;; + i486) + export PLATFORM="linux-x86" + ;; + riscv64) + export PLATFORM="linux64-riscv64" + ;; + esac + + wget -q -nc -P ${DOWNLOAD_PATH} https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz + tar xf ${DOWNLOAD_PATH}/openssl-${OPENSSL_VERSION}.tar.gz -C ${DEP_PATH} + cd ${DEP_PATH}/openssl-${OPENSSL_VERSION} + ./config --prefix=/usr --static -static ${PLATFORM} + make -j$(nproc) build_generated libcrypto.a + + echo "CPPFLAGS=${CPPFLAGS} -I${DEP_PATH}/openssl-${OPENSSL_VERSION}/include" >> $GITHUB_ENV + echo "LIBCRYPTO_LIB=${DEP_PATH}/openssl-${OPENSSL_VERSION}/libcrypto.a" >> $GITHUB_ENV + + - name: build + run: | + export LDID_VERSION=$(echo "$(git describe --tags --abbrev=0)") + make -j$(nproc) \ + VERSION="${LDID_VERSION}" \ + LDFLAGS="-static -static-libstdc++ ${LDFLAGS}" \ + LIBS="${LIBPLIST_LIB} ${LIBCRYPTO_LIB}" + ${TRIPLE}-strip ldid + + - uses: actions/upload-artifact@v1 + with: + name: ldid_linux_${{ env.ARCH 
}} + path: ldid + + - name: Upload Release Asset Linux + uses: actions/upload-release-asset@v1 + if: ${{ github.event_name == 'release' }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: ldid + asset_name: ldid_linux_${{ env.ARCH }} + asset_content_type: application/octet-stream + + build-macos: + runs-on: macos-11 + strategy: + matrix: + arch: + - x86_64 + - arm64 + env: + ARCH: ${{ matrix.arch }} + steps: + - uses: actions/checkout@v1 + with: + submodules: recursive + + - uses: actions/cache@v2 + with: + path: | + ~/Library/Caches/Mozilla.sccache + ~/dep_src + key: build-macos-${{ matrix.arch }}-${ { env.GITHUB_SHA } } + restore-keys: | + build-macos-${{ matrix.arch }}- + + - name: setup environment + run: | + export DOWNLOAD_PATH=${HOME}/dep_src + export DEP_PATH=${HOME}/build + mkdir -p ${DOWNLOAD_PATH} ${DEP_PATH} + echo "DOWNLOAD_PATH=${DOWNLOAD_PATH}" >> $GITHUB_ENV + echo "DEP_PATH=${DEP_PATH}" >> $GITHUB_ENV + + if [ "${ARCH}" = "arm64" ]; then + echo "HOST_ARCH=aarch64" >> $GITHUB_ENV + else + echo "HOST_ARCH=${ARCH}" >> $GITHUB_ENV + fi + + - name: setup toolchain + run: | + brew install libtool autoconf automake + + # Download sccache + wget -nc -P ${DOWNLOAD_PATH} \ + https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/sccache-v${SCCACHE_VERSION}-x86_64-apple-darwin.tar.gz + tar xf ${DOWNLOAD_PATH}/sccache-v${SCCACHE_VERSION}-x86_64-apple-darwin.tar.gz -C ${HOME} + chmod +x ${HOME}/sccache-v${SCCACHE_VERSION}-x86_64-apple-darwin/sccache + + echo "${HOME}/sccache-v${SCCACHE_VERSION}-x86_64-apple-darwin" >> $GITHUB_PATH + echo "CC=sccache clang -arch ${ARCH} -mmacosx-version-min=10.13" >> $GITHUB_ENV + echo "CXX=sccache clang++ -arch ${ARCH} -mmacosx-version-min=10.13" >> $GITHUB_ENV + echo "CFLAGS=-Os" >> $GITHUB_ENV + + - name: build libplist + run: | + wget -q -nc -P ${DOWNLOAD_PATH} 
https://github.com/libimobiledevice/libplist/releases/download/${LIBPLIST_VERSION}/libplist-${LIBPLIST_VERSION}.tar.bz2 + tar xf ${DOWNLOAD_PATH}/libplist-${LIBPLIST_VERSION}.tar.bz2 -C ${DEP_PATH} + cd ${DEP_PATH}/libplist-${LIBPLIST_VERSION} + ./configure --host=${HOST_ARCH}-apple-darwin --without-cython --enable-static --disable-shared + make -j$(sysctl -n hw.ncpu) + + echo "CFLAGS=${CFLAGS} -I${DEP_PATH}/libplist-${LIBPLIST_VERSION}/include" >> $GITHUB_ENV + echo "LIBPLIST_LIB=${DEP_PATH}/libplist-${LIBPLIST_VERSION}/src/.libs/libplist-2.0.a" >> $GITHUB_ENV + + - name: build openssl + run: | + wget -q -nc -P ${DOWNLOAD_PATH} https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz + tar xf ${DOWNLOAD_PATH}/openssl-${OPENSSL_VERSION}.tar.gz -C ${DEP_PATH} + cd ${DEP_PATH}/openssl-${OPENSSL_VERSION} + ./config --prefix=/usr no-shared darwin64-${ARCH} + make -j$(sysctl -n hw.ncpu) build_generated libcrypto.a + + echo "CFLAGS=${CFLAGS} -I${DEP_PATH}/openssl-${OPENSSL_VERSION}/include" >> $GITHUB_ENV + echo "LIBCRYPTO_LIB=${DEP_PATH}/openssl-${OPENSSL_VERSION}/libcrypto.a" >> $GITHUB_ENV + + - name: build + run: | + export LDID_VERSION=$(echo "$(git describe --tags --abbrev=0)") + make -j$(sysctl -n hw.ncpu) \ + CFLAGS="${CFLAGS} -flto=thin" \ + VERSION="${LDID_VERSION}" \ + LIBS="${LIBPLIST_LIB} ${LIBCRYPTO_LIB}" + strip ldid + + - uses: actions/upload-artifact@v1 + with: + name: ldid_macos_${{ matrix.arch }} + path: ldid + + - name: Upload Release Asset Linux + uses: actions/upload-release-asset@v1 + if: ${{ github.event_name == 'release' }} + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ github.event.release.upload_url }} + asset_path: ldid + asset_name: ldid_macos_${{ matrix.arch }} + asset_content_type: application/octet-stream @@ -1,9 +1,2 @@ -ios -out ldid -ldid.deb -debs *.o -_ -sysroot32 -sysroot64 diff --git a/.gitmodules b/.gitmodules deleted file mode 100644 index 5b41a81..0000000 --- a/.gitmodules +++ /dev/null 
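Review bot: Every external input of this pipeline — the musl.cc toolchain, sccache, and the libplist and openssl tarballs fetched with `wget` in the "setup toolchain", "build libplist" and "build openssl" steps of both jobs — is used without any integrity check, and the resulting `ldid` binaries are then published as release assets. Since the versions are already pinned, pin the digests as well, e.g. after each download `echo "<EXPECTED_SHA256>  ${DOWNLOAD_PATH}/openssl-${OPENSSL_VERSION}.tar.gz" | sha256sum -c -` (`shasum -a 256 -c` on the macOS job); this also protects against a tampered `~/dep_src` cache entry being silently reused via `-nc`. The actions are referenced by floating tags (`actions/checkout@v1`, `actions/cache@v2`, `actions/upload-release-asset@v1`); pinning them to full commit SHAs is the usual hardening for a workflow that produces release artifacts. Separately, the macOS cache key `${ { env.GITHUB_SHA } }` is not a valid expression and, as far as I can tell, `env.GITHUB_SHA` is also empty in the Linux job (default variables are not part of the `env` context), so both keys collapse to the `restore-keys` prefix and the cache is never refreshed once saved; `${{ github.sha }}` is the intended value.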
@@ -1,3 +0,0 @@
-[submodule "libplist"]
-	path = libplist
-	url = https://github.com/libimobiledevice/libplist.git
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..437aaee
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,44 @@
+VERSION ?= 2.1.5
+
+CC ?= cc
+CXX ?= c++
+INSTALL ?= install
+LN ?= ln
+
+CFLAGS ?= -O2 -pipe
+CXXFLAGS ?= $(CFLAGS) -std=c++11
+LDFLAGS ?=
+
+PREFIX ?= /usr/local
+
+BINDIR ?= $(PREFIX)/bin
+MANDIR ?= $(PREFIX)/share/man
+
+SRC := $(wildcard *.c) $(wildcard *.cpp)
+LIBS ?= -lcrypto -lplist-2.0
+
+MANPAGE_LANGS := zh_TW zh_CN
+
+all: ldid
+
+%.c.o: %.c
+	$(CC) -c $(CFLAGS) $(CPPFLAGS) -I. $< -o $@
+
+%.cpp.o: %.cpp
+	$(CXX) -c $(CXXFLAGS) $(CPPFLAGS) -I. -DLDID_VERSION=\"$(VERSION)\" $< -o $@
+
+ldid: $(SRC:%=%.o)
+	$(CXX) $(CXXFLAGS) -o ldid $^ $(LDFLAGS) $(LIBS)
+
+install: all
+	$(INSTALL) -D -m755 ldid $(DESTDIR)$(BINDIR)/ldid
+	$(LN) -sf ldid $(DESTDIR)$(BINDIR)/ldid2
+	$(INSTALL) -D -m644 docs/ldid.1 $(DESTDIR)$(MANDIR)/man1/ldid.1
+	for lang in $(MANPAGE_LANGS); do \
+	$(INSTALL) -D -m644 docs/ldid.$$lang.1 $(DESTDIR)$(MANDIR)/$$lang/man1/ldid.1; \
+	done
+
+clean:
+	rm -rf ldid *.o
+
+.PHONY: all clean install
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..b4063f6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,6 @@
+# ldid
+
+Changes from https://git.saurik.com/ldid.git:
+- Add manpages (`en`, `zh_TW` and `zh_CN`) (@CRKatri & @asdfugil)
+- Support OpenSSL 3 (@sunflsks)
+- Allow p12 keys to have a password (@sunflsks)
diff --git a/control b/control
deleted file mode 100644
index 73136be..0000000
--- a/control
+++ /dev/null
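Review bot: The `%.c.o` and `%.cpp.o` rules in the new Makefile list only the source file as prerequisite, so an edit to any header the sources pull in via `-I.` leaves stale objects behind while `make` reports everything up to date; let the compiler emit the dependency list instead of maintaining none. The file also lacks `.DELETE_ON_ERROR:`, so a compile that fails midway can leave a truncated `.o` that is newer than its source and is never rebuilt. Smaller points in the same hunk: the `ldid` rule should write to `$@` rather than repeating the name, `clean` should use `$(RM)` rather than `rm -rf`, and `$(INSTALL) -D` is a GNU install extension that `make install` on BSD/macOS hosts will reject (the CI only runs `make`, so it does not notice).
```make
.DELETE_ON_ERROR:

%.c.o: %.c
	$(CC) -MMD -MP -c $(CFLAGS) $(CPPFLAGS) -I. $< -o $@

%.cpp.o: %.cpp
	$(CXX) -MMD -MP -c $(CXXFLAGS) $(CPPFLAGS) -I. -DLDID_VERSION=\"$(VERSION)\" $< -o $@

ldid: $(SRC:%=%.o)
	$(CXX) $(CXXFLAGS) -o $@ $^ $(LDFLAGS) $(LIBS)

# … unchanged: install rule …

clean:
	$(RM) ldid $(SRC:%=%.o) $(SRC:%=%.d)

# header dependencies written by -MMD; missing on a clean tree, hence the leading '-'
-include $(SRC:%=%.d)
```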
@@ -1,12 +0,0 @@ -Package: ldid -Priority: optional -Section: Development -Maintainer: Jay Freeman (saurik) <saurik@saurik.com> -Architecture: iphoneos-arm -Version: -Description: pseudo-codesign Mach-O files -Name: Link Identity Editor -Author: Jay Freeman (saurik) <saurik@saurik.com> -Depiction: http://cydia.saurik.com/info/ldid/ -Depends: libplist (>= 2.0.0), openssl -Tag: purpose::console, role::developer diff --git a/control.sh b/control.sh deleted file mode 100755 index 7a11d56..0000000 --- a/control.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash -dir=$1 -dir=${dir:=_} -sed -e "s@^\(Version:.*\)@\1$(./version.sh)@" control -echo "Installed-Size: $(du -s "${dir}" | cut -f 1)" @@ -1,10 +0,0 @@ -#!/bin/bash -rm -rf _ -mkdir -p _/usr/bin -cp -a ios/ldid _/usr/bin/ldid -mkdir -p _/DEBIAN -./control.sh _ >_/DEBIAN/control -mkdir -p debs -ln -sf debs/ldid_$(./version.sh)_iphoneos-arm.deb ldid.deb -dpkg-deb -b _ ldid.deb -readlink ldid.deb diff --git a/docs/ldid.1 b/docs/ldid.1 new file mode 100644 index 0000000..0f0e2c6 --- /dev/null +++ b/docs/ldid.1 
@@ -0,0 +1,177 @@ +.\"- +.\" Copyright (c) 2021-2022 Procursus Team <team@procurs.us> +.\" SPDX-License-Identifier: AGPL-3.0-or-later +.\" +.Dd January 20, 2022 +.Dt LDID 1 +.Os +.Sh NAME +.Nm ldid +.Nd Link Identity Editor +.Sh SYNOPSIS +.Nm +.Op Fl A Ns Ar cputype : Ns Ar subtype +.Op Fl a +.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +.Op Fl D +.Op Fl d +.Op Fl E Ns Ar num : Ns Ar file +.Op Fl e +.Op Fl h +.Op Fl K Ns Ar key.p12 Op Fl U Ns Ar password +.Op Fl M +.Op Fl P +.Op Fl q +.Op Fl r | Fl S Ns Ar file.xml | Fl s +.Op Fl T Ns Ar timestamp +.Op Fl u +.Ar +.Sh DESCRIPTION +.Nm +adds SHA1 and SHA256 hashes to a Mach-O file so that they can be run +on a system that has validation but not signature verification. +.Bl -tag -width -indent +.It Fl a +Print the CPU types and subtypes in hexadecimal. +.It Fl A Ns Ar cputype : Ns Ar subtype +When used with +.Fl a , Fl D , Fl e , Fl h , Fl q , +or +.Fl u , +only act on the slice specified by +.Ar cputype +and +.Ar subtype . +.Ar cputype +and +.Ar subtype +should both be integers. +.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +Specify the option flags to embed in the code signature. +See +.Xr codesign 1 +for details about these options. +.It Fl D +Reset the cryptid. +.It Fl d +Print the cryptid in the binaries if it exists. +For compatibility reasons it also acts as +.Fl h , +but this will be removed in the future. +.It Fl E Ns Ar num : Ns Ar file +Embed the hashes of +.Ar file +in the special codesign slot at +.Ar num . +.It Fl e +Print the entitlements in each slice, or the slice specified by +.Fl A , +to +.Ar stdout . +.It Fl h +Print information about the signature, such as +hash types, flags, CDHash, and CodeDirectory version to +.Ar stdout . +.It Fl K Ns Ar key.p12 +Sign using the identity in +.Ar key.p12 . 
+This will give the binary a valid signature so that it can be run +on a system with signature validation. +If +.Ar key.p12 +has a password you will be prompted for it, +or you can specify from the command line with +.Fl U . +.It Fl M +When used with +.Fl S , +merge the new and existing entitlements instead of replacing the existing +entitlements, this is useful for adding a few specific entitlements to a +handful of binaries. +.It Fl P +Mark the Mach-O as a platform binary. +.It Fl Q Ns Ar file +Embed the requirements found in +.Ar file . +.It Fl q +Print embedded requirements of the binaries. +.It Fl r +Remove the signature from the Mach-O. +.It Fl S Ns Op Ar file.xml +Pseudo-sign the Mach-O binaries. +If +.Ar file.xml +is specified then the entitlements found in +.Ar file.xml +will be embedded in the Mach-O. +.It Fl s +Resign the Mach-O binaries while keeping the existing entitlements. +.It Fl T Ns Ar timestamp +When signing a dylib, set the timestamp to +.Ar timestamp . +.Ar timestamp +should be an UNIX timestamp in seconds, if +.Ar timestamp +is a single dash +.Pq Sq Fl , +the timestamp will be set to a hash of the Mach-O header. +.It Fl U Ns Ar password +Use +.Ar password +as the password for the p12 certificate instead of prompting. +.It Fl u +If the binary was linked against UIKit, then print the UIKit version that the +Mach-O binaries were linked against. +.El +.Sh EXAMPLES +The command: +.Pp +.Dl "ldid -S file" +.Pp +will fakesign +.Ar file +with no entitlements. +.Pp +The command: +.Pp +.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml file" +.Pp +will sign +.Ar file +using the key in +.Ar /path/to/key.p12 +with the entitlements found in +.Ar ent.xml , +and mark it as an adhoc signature. +.Pp +The command: +.Pp +.Dl "ldid -Sent.xml -M file" +.Pp +will add the entitlements in +.Ar ent.xml +to the entitlements already in +.Ar file . 
+.Pp +The command: +.Pp +.Dl "ldid -e file > ent.xml" +.Pp +will save the entitlements found in each slice of +.Ar file +to +.Ar ent.xml . +.Sh SEE ALSO +.Xr codesign 1 +.Sh HISTORY +The +.Nm +utility was written by +.An Jay \*qSaurik\*q Freeman . +iPhoneOS 1.2.0 and 2.0 support was added on April 6, 2008. +.Fl S +was added on June 13, 2008. +SHA256 support was added on August 25, 2016, fixing iOS 11 support. +iOS 14 support was added on July 31, 2020 by +.An Kabir Oberai . +iOS 15 support was added on June 11, 2021. diff --git a/docs/ldid.zh_CN.1 b/docs/ldid.zh_CN.1 new file mode 100644 index 0000000..b220d8d --- /dev/null +++ b/docs/ldid.zh_CN.1 
@@ -0,0 +1,176 @@ +.\"- +.\" Copyright (c) 2021-2022 Procursus Team <team@procurs.us> +.\" SPDX-License-Identifier: AGPL-3.0-or-later +.\" +.Dd January 20, 2022 +.Dt LDID 1 +.Os +.Sh 名称 +.Nm ldid +.Nd 链接身份编辑器 +.Sh 语法 +.Nm +.Op Fl A Ns Ar cputype : Ns Ar subtype +.Op Fl a +.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +.Op Fl D +.Op Fl d +.Op Fl E Ns Ar 数字 : Ns Ar 档案 +.Op Fl e +.Op Fl h +.Op Fl K Ns Ar key.p12 Op Fl U Ns Ar password +.Op Fl M +.Op Fl P +.Op Fl q +.Op Fl r | Fl S Ns Ar 档案.xml | Fl s +.Op Fl T Ns Ar timestamp +.Op Fl u +.Ar +.Sh 描述 +.Nm +把SHA1和SHA256杂凑值加入到Mach-O档案中,让它们能在有验证但没有签署验证的系统上运行。 +.Bl -tag -width -indent +.It Fl a +以十六进制印出处理器类型和亚类型。 +.It Fl A Ns Ar cputype : Ns Ar subtype +当和 +.Fl a , Fl D , Fl e , Fl h , Fl q , +或 +.Fl u , +一起被使用时,只作用在被 +.Ar cputype +和 +.Ar subtype . +.Ar cputype +和 +.Ar subtype +指定的部分。 它们都应该是整数。 +.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +设定要在档案中包含的程式码签署选项。 +请看 +.Xr codesign 1 +来获得关于这些选项的更多资讯。 +.It Fl D +重设加密码 (cryptid)。 +.It Fl d +输出在二进位档案中的加密码。 +由于兼容性原因,这也能作为 +.Fl h , +工作,但在将来这会被移除。 +.It Fl E Ns Ar 数字 : Ns Ar 档案 +将 +.Ar 档案 +的杂凑值嵌入到位于 +.Ar 数字 +的特殊代码签署位置中。 +.It Fl e +把每一部分的权限印出, 或印出 +.Fl A , +所指定的部分的权限 +.Ar 到标准输出。 +.It Fl h +印出关于签署的资讯,包括杂凑值的 +类型,选项,CDHash, 和 CodeDirectory 版本到 +.Ar 标准输出。 +.It Fl K Ns Ar key.p12 +用在 +.Ar key.p12 . +的身份签署。 这会给二进位档案有一个有效的签署,令它能够在有签署验证的系统上运行。 +如果 +.Ar key.p12 +有密码的话,你会被询问。 你也可以用 +.Fl U . +.Ar 选项来提供密码。 . +.It Fl M +当和 +.Fl S , +一起使用时,和现有的权限合并而不是取代它。 这在加入权限时有用。 +.It Fl P +将这个Mach-O二进位档案标示为系统二进位档案。 +.It Fl Q Ns Ar 档案 +把需求嵌入到 +.Ar 档案 . +中。 +.It Fl q +印出被嵌入在二进位档案中的需求。 +.It Fl r +从Mach-O档案中删除签署。 +.It Fl S Ns Op Ar 档案.xml +伪签署Mach-O档案。 +如果提供了 +.Ar 档案.xml +那么在 +.Ar 档案.xml +中的权限会被嵌入到Mach-O中。 +.It Fl s +重新签署Mach-O档案但保留现有权限。 +.It Fl T Ns Ar 时间印章 +当签署一个动态链结函式库时,把时间印章设定为 +.Ar 时间印章 . 
+.Ar 时间印章 +应该是一个以秒作为单位的UNIX时间印章,如果 +.Ar +是一个连字号的话 +.Pq Sq Fl , +时间印章会被设定为Mach-O头中的时间印章。 +.It Fl U Ns Ar 密码 +使用 +.Ar 密码 +作为p12证书的密码,而不是询问。 +.It Fl u +如果Mach-O档案有和UIKit链结,印出被链结的UIKit版本。 +.El +.Sh 例子 +指令: +.Pp +.Dl "ldid -S 档案" +.Pp +会伪签署 +.Ar 档案 +而且不嵌入任何权限。 +.Pp +指令: +.Pp +.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml 档案" +.Pp +会使用 +.Ar /path/to/key.p12 +中的私錀来签署 +.Ar 档案 +也会使用在 +.Ar ent.xml , +中的权限并把签署标示为特别用途 (adhoc) 签署。 . +.Pp +指令: +.Pp +.Dl "ldid -Sent.xml -M 档案" +.Pp +会把 +.Ar ent.xml +中的权限加入到已经在 +.Ar 档案 . +中的权限。 +.Pp +指令: +.Pp +.Dl "ldid -e 档案 > ent.xml" +.Pp +会把在 +.Ar 档案 +中每一部分的权限储存到 +.Ar ent.xml . +.Sh 另见 +.Xr codesign 1 +.Sh 历史 +这个 +.Nm +工具程式是由 +.An Jay \*qSaurik\*q Freeman . 所编写的。 +对iPhoneOS 1.2.0 和 2.0 的支援在2008年4月6号被加入。 +.Fl S +在2008年6月13日被加入。 . +SHA256 支援在2016年8月25日被加入,修正iOS 11支援。 +iOS 14支援在2020年7月31日由 +.An Kabir Oberai . +加入。 +iOS 15支援在2021年6月11日被加入。 diff --git a/docs/ldid.zh_TW.1 b/docs/ldid.zh_TW.1 new file mode 100644 index 0000000..c735523 --- /dev/null +++ b/docs/ldid.zh_TW.1 
@@ -0,0 +1,176 @@ +.\"- +.\" Copyright (c) 2021-2022 Procursus Team <team@procurs.us> +.\" SPDX-License-Identifier: AGPL-3.0-or-later +.\" +.Dd January 20, 2022 +.Dt LDID 1 +.Os +.Sh 名稱 +.Nm ldid +.Nd 鏈接身份編輯器 +.Sh 語法 +.Nm +.Op Fl A Ns Ar cputype : Ns Ar subtype +.Op Fl a +.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +.Op Fl D +.Op Fl d +.Op Fl E Ns Ar 數字 : Ns Ar 檔案 +.Op Fl e +.Op Fl h +.Op Fl K Ns Ar key.p12 Op Fl U Ns Ar password +.Op Fl M +.Op Fl P +.Op Fl q +.Op Fl r | Fl S Ns Ar 檔案.xml | Fl s +.Op Fl T Ns Ar timestamp +.Op Fl u +.Ar +.Sh 描述 +.Nm +把SHA1和SHA256雜湊值加入到Mach-O檔案中,讓它們能在有驗證但沒有簽署驗證的系統上運行。 +.Bl -tag -width -indent +.It Fl a +以十六進制印出處理器類型和亞類型。 +.It Fl A Ns Ar cputype : Ns Ar subtype +當和 +.Fl a , Fl D , Fl e , Fl h , Fl q , +或 +.Fl u , +一起被使用時,只作用在被 +.Ar cputype +和 +.Ar subtype . +.Ar cputype +和 +.Ar subtype +指定的部分。它們都應該是整數。 +.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime +設定要在檔案中包含的程式碼簽署選項。 +請看 +.Xr codesign 1 +來獲得關於這些選項的更多資訊。 +.It Fl D +重設加密碼 (cryptid)。 +.It Fl d +輸出在二進位檔案中的加密碼。 +由於兼容性原因,這也能作為 +.Fl h , +工作,但在將來這會被移除。 +.It Fl E Ns Ar 數字 : Ns Ar 檔案 +將 +.Ar 檔案 +的雜湊值嵌入到位於 +.Ar 數字 +的特殊代碼簽署位置中。 +.It Fl e +把每一部分的權限印出, 或印出 +.Fl A , +所指定的部分的權限 +.Ar 到標準輸出。 +.It Fl h +印出關於簽署的資訊,包括雜湊值的 +類型,選項,CDHash, 和 CodeDirectory 版本到 +.Ar 標準輸出。 +.It Fl K Ns Ar key.p12 +用在 +.Ar key.p12 . +的身份簽署。這會給二進位檔案有一個有效的簽署,令它能夠在有簽署驗證的系統上運行。 +如果 +.Ar key.p12 +有密碼的話,你會被詢問。你也可以用 +.Fl U . +.Ar 選項來提供密碼。 . +.It Fl M +當和 +.Fl S , +一起使用時,和現有的權限合併而不是取代它。 這在加入權限時有用。 +.It Fl P +將這個Mach-O二進位檔案標示為系統二進位檔案。 +.It Fl Q Ns Ar 檔案 +把需求嵌入到 +.Ar 檔案 . +中。 +.It Fl q +印出被嵌入在二進位檔案中的需求。 +.It Fl r +從Mach-O檔案中刪除簽署。 +.It Fl S Ns Op Ar 檔案.xml +偽簽署Mach-O檔案。 +如果提供了 +.Ar 檔案.xml +那麼在 +.Ar 檔案.xml +中的權限會被嵌入到Mach-O中。 +.It Fl s +重新簽署Mach-O檔案但保留現有權限。 +.It Fl T Ns Ar 時間印章 +當簽署一個動態鏈結函式庫時,把時間印章設定為 +.Ar 時間印章 . 
+.Ar 時間印章 +應該是一個以秒作為單位的UNIX時間印章,如果 +.Ar +是一個連字號的話 +.Pq Sq Fl , +時間印章會被設定為Mach-O頭中的時間印章。 +.It Fl U Ns Ar 密碼 +使用 +.Ar 密碼 +作為p12證書的密碼,而不是詢問。 +.It Fl u +如果Mach-O檔案有和UIKit鏈結,印出被鏈結的UIKit版本。 +.El +.Sh 例子 +指令: +.Pp +.Dl "ldid -S 檔案" +.Pp +會偽簽署 +.Ar 檔案 +而且不嵌入任何權限。 +.Pp +指令: +.Pp +.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml 檔案" +.Pp +會使用 +.Ar /path/to/key.p12 +中的私錀來簽署 +.Ar 檔案 +也會使用在 +.Ar ent.xml , +中的權限並把簽署標示為特別用途 (adhoc) 簽署。. +.Pp +指令: +.Pp +.Dl "ldid -Sent.xml -M 檔案" +.Pp +會把 +.Ar ent.xml +中的權限加入到已經在 +.Ar 檔案 . +中的權限。 +.Pp +指令: +.Pp +.Dl "ldid -e 檔案 > ent.xml" +.Pp +會把在 +.Ar 檔案 +中每一部分的權限儲存到 +.Ar ent.xml . +.Sh 另見 +.Xr codesign 1 +.Sh 歷史 +這個 +.Nm +工具程式是由 +.An Jay \*qSaurik\*q Freeman . 所編寫的。 +對iPhoneOS 1.2.0 和 2.0 的支援在2008年4月6號被加入。 +.Fl S +在2008年6月13日被加入。. +SHA256 支援在2016年8月25日被加入,修正iOS 11支援。 +iOS 14支援在2020年7月31日由 +.An Kabir Oberai . +加入。 +iOS 15支援在2021年6月11日被加入。 @@ -1,2 +0,0 @@ -#!/bin/bash -./make.sh true @@ -43,10 +43,15 @@ #include <sys/types.h> #ifndef LDID_NOSMIME +#include <openssl/opensslv.h> +# if OPENSSL_VERSION_MAJOR >= 3 +# include <openssl/provider.h> +# endif #include <openssl/err.h> #include <openssl/pem.h> #include <openssl/pkcs7.h> #include <openssl/pkcs12.h> +#include <openssl/ui.h> #endif #ifdef __APPLE__ @@ -141,6 +146,10 @@ #define _packed \ __attribute__((packed)) +#ifndef LDID_NOSMIME +std::string password; +#endif + template <typename Type_> struct Iterator_ { typedef typename Type_::const_iterator Result; @@ -187,8 +196,9 @@ Scope<Function_> _scope(const Function_ &function) { #define _scope(function) \ _scope_(__COUNTER__, function) -#define CPU_ARCH_MASK uint32_t(0xff000000) -#define CPU_ARCH_ABI64 uint32_t(0x01000000) +#define CPU_ARCH_MASK uint32_t(0xff000000) +#define CPU_ARCH_ABI64 uint32_t(0x01000000) +#define CPU_ARCH_ABI64_32 uint32_t(0x02000000) #define CPU_TYPE_ANY uint32_t(-1) #define CPU_TYPE_VAX uint32_t( 1) 
@@ -207,6 +217,7 @@ Scope<Function_> _scope(const Function_ &function) { #define CPU_TYPE_ARM64 (CPU_ARCH_ABI64 | CPU_TYPE_ARM) #define CPU_TYPE_POWERPC64 (CPU_ARCH_ABI64 | CPU_TYPE_POWERPC) #define CPU_TYPE_X86_64 (CPU_ARCH_ABI64 | CPU_TYPE_X86) +#define CPU_TYPE_ARM64_32 (CPU_TYPE_ARM | CPU_ARCH_ABI64_32) struct fat_header { uint32_t magic; @@ -1242,10 +1253,10 @@ static const std::vector<Algorithm *> &GetAlgorithms() { static std::vector<Algorithm *> algorithms; if (algorithms.empty()) { - if (do_sha1) - algorithms.push_back(&sha1); if (do_sha256) algorithms.push_back(&sha256); + if (do_sha1) + algorithms.push_back(&sha1); } return algorithms; @@ -1474,6 +1485,7 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co break; case CPU_TYPE_ARM: case CPU_TYPE_ARM64: + case CPU_TYPE_ARM64_32: align = 0xe; break; default: @@ -1501,6 +1513,9 @@ static void Allocate(const void *idata, size_t isize, std::streambuf &output, co case CPU_TYPE_ARM64: arch = "arm64"; break; + case CPU_TYPE_ARM64_32: + arch = "arm64_32"; + break; } offset = Align(offset, 1 << align); @@ -1786,8 +1801,14 @@ class Stuff { ca_(NULL) { _assert(value_ != NULL); - _assert(PKCS12_parse(value_, "", &key_, &cert_, &ca_) != 0); + if (!PKCS12_verify_mac(value_, "", 0) && password.empty()) { + char passbuf[2048]; + UI_UTIL_read_pw_string(passbuf, 2048, "Enter password: ", 0); + password = passbuf; + } + + _assert(PKCS12_parse(value_, password.c_str(), &key_, &cert_, &ca_) != 0); _assert(key_ != NULL); _assert(cert_ != NULL); @@ -2019,7 +2040,7 @@ static void get(std::string &value, X509_NAME *name, int nid) { _assert(entry != NULL); auto asn(X509_NAME_ENTRY_get_data(entry)); _assert(asn != NULL); - value.assign(reinterpret_cast<char *>(ASN1_STRING_data(asn)), ASN1_STRING_length(asn)); + value.assign(reinterpret_cast<const char *>(ASN1_STRING_get0_data(asn)), ASN1_STRING_length(asn)); } #endif 
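Review bot: In the `Stuff` constructor the return value of `UI_UTIL_read_pw_string` is ignored; when stdin is not a terminal or the prompt is aborted, `passbuf` stays uninitialized and `password = passbuf` then reads an unterminated stack buffer. Check it like the surrounding calls, `_assert(UI_UTIL_read_pw_string(passbuf, sizeof(passbuf), "Enter password: ", 0) == 0);`, and wipe the local copy once it has been moved into the global, `OPENSSL_cleanse(passbuf, sizeof(passbuf));`. The prompt only fires when `PKCS12_verify_mac` with the empty password fails and no `-U` value was given, so a wrong `-U` password still ends in the bare `PKCS12_parse` assertion with no indication that the password was the cause; a `PKCS12_verify_mac(value_, password.c_str(), -1)` check with a clear message before the parse would make that failure diagnosable. The constructor's body continues outside the hunk.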
@@ -2716,7 +2737,7 @@ struct Rule { Mode mode_; std::string code_; - mutable std::auto_ptr<Expression> regex_; + mutable std::unique_ptr<Expression> regex_; Rule(unsigned weight, Mode mode, const std::string &code) : weight_(weight), @@ -3089,16 +3110,28 @@ std::string Hex(const uint8_t *data, size_t size) { } static void usage(const char *argv0) { - fprintf(stderr, "usage: %s -S[entitlements.xml] <binary>\n", argv0); - fprintf(stderr, " %s -e MobileSafari\n", argv0); - fprintf(stderr, " %s -S cat\n", argv0); - fprintf(stderr, " %s -Stfp.xml gdb\n", argv0); + fprintf(stderr, "Link Identity Editor %s\n\n", LDID_VERSION); + fprintf(stderr, "usage: %s [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard |\n", argv0); + fprintf(stderr, " host | kill | library-validation | restrict | runtime]] [-D] [-d]\n"); + fprintf(stderr, " [-Enum:file] [-e] [-h] [-Kkey.p12 [-Upassword]] [-M] [-P] [-q]\n"); + fprintf(stderr, " [-r | -Sfile | -s] [-Ttimestamp] [-u] file ...\n\n"); + fprintf(stderr, "Options:\n"); + fprintf(stderr, " -S[file.xml] Pseudo-sign using the entitlements in file.xml\n"); + fprintf(stderr, " -Kkey.p12 Sign using private key in key.p12\n"); + fprintf(stderr, " -Upassword Use password to unlock key.p12\n"); + fprintf(stderr, " -M Merge entitlements with any existing\n"); + fprintf(stderr, " -h Print CDHash of file\n\n"); + fprintf(stderr, "More information: 'man ldid'\n"); } #ifndef LDID_NOTOOLS int main(int argc, char *argv[]) { #ifndef LDID_NOSMIME OpenSSL_add_all_algorithms(); +# if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER *legacy = OSSL_PROVIDER_load(NULL, "legacy"); + OSSL_PROVIDER *deflt = OSSL_PROVIDER_load(NULL, "default"); +# endif #endif union { @@ -3280,6 +3313,10 @@ int main(int argc, char *argv[]) { flag_M = true; break; + case 'U': + password = argv[argi] + 2; + break; + case 'K': if (argv[argi][2] != '\0') key.open(argv[argi] + 2, O_RDONLY, PROT_READ, MAP_PRIVATE); 
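Review bot: The new `case 'U'` in `main` assigns to `password`, but that global is declared under `#ifndef LDID_NOSMIME` in the earlier hunk, so a `-DLDID_NOSMIME` build of the tool no longer compiles; wrap the case in the same guard or declare `password` unconditionally. A password passed as `-Upassword` is also visible to every local user through the process table and ends up in shell history; the `-Upassword` line in `usage()` and the man page should at least say so, and accepting the password from an environment variable or a file descriptor would be the safer interface going forward. `main`'s body continues outside the hunk.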
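Review bot: The two `OSSL_PROVIDER_load` calls at the top of `main` ignore their result; on an OpenSSL 3 installation that ships without the legacy provider module `legacy` is NULL and the failure only surfaces later as a bare `PKCS12_parse` assertion. Check them, e.g. `_assert(deflt != NULL);` plus a warning when `legacy` is NULL, and add a comment on why it is loaded at all (`// legacy provider: needed to open traditional PKCS#12 files whose bags use RC2 encryption`), because loading it process-wide re-enables deprecated algorithms for every OpenSSL call ldid makes, not just PKCS#12 decoding. The matching `OSSL_PROVIDER_unload` calls in the last hunk sit just before `return filee` and are skipped by any earlier return from `main`; harmless at exit, but worth a comment if that is deliberate. `main`'s body continues outside the hunk.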
@@ -3573,6 +3610,13 @@ int main(int argc, char *argv[]) { ++filei; } +#ifndef LDID_NOSMIME +# if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER_unload(legacy); + OSSL_PROVIDER_unload(deflt); +# endif +#endif + return filee; } #endif diff --git a/libplist b/libplist deleted file mode 160000 -Subproject 9ca25d293fe7f8aca8d952fc7bb91464fe2d34a diff --git a/make.sh b/make.sh deleted file mode 100755 index 9c5361b..0000000 --- a/make.sh +++ /dev/null 
@@ -1,90 +0,0 @@ -#!/bin/bash - -set -e -shopt -s extglob - -if [[ $# == 0 ]]; then - ios=false -else - ios=$1 - shift -fi - -export DEVELOPER_DIR=/Applications/Xcode-5.1.1.app - -os=() - -if "${ios}"; then - -out=ios -flags=(cycc -- -miphoneos-version-min=2.0 -arch armv6 -arch arm64) - -flags+=(-Xarch_armv6 -Isysroot32/usr/include) -flags+=(-Xarch_arm64 -Isysroot64/usr/include) - -flags+=(-Xarch_armv6 -Lsysroot32/usr/lib) -flags+=(-Xarch_arm64 -Lsysroot64/usr/lib) - -static=false -flags+=(-framework CoreFoundation) - -flags+=(-lplist) -flags+=(-lcrypto) - -else - -out=out - -if which xcrun &>/dev/null; then - flags=(xcrun -sdk macosx g++) - flags+=(-mmacosx-version-min=10.4) - - for arch in i386 x86_64; do - flags+=(-arch "${arch}") - done -else - flags=(g++) -fi - -#flags+=(-L../../lib-osx/openssl) - -# XXX: cannot redistribute -static=true -flags+=(-Isysroot64/usr/include) -flags+=(-lcrypto) -#flags+=(-Wl,/usr/lib/libcrypto.42.dylib) - -fi - -sdk=$(xcodebuild -sdk iphoneos -version Path) - -flags+=(-I.) - -if ${static}; then - -flags+=(-I"${sdk}"/usr/include/libxml2) -flags+=(-Ilibplist/include) -flags+=(-Ilibplist/libcnary/include) - -for c in libplist/libcnary/!(cnary).c libplist/src/*.c; do - o=${c%.c}.o - o="${out}"/${o##*/} - os+=("${o}") - if [[ "${c}" -nt "${o}" ]]; then - "${flags[@]}" -c -o "${o}" -x c "${c}" - fi -done - -fi - -flags+=("$@") - -mkdir -p "${out}" -set -x - -"${flags[@]}" -O3 -g0 -c -std=c++11 -o "${out}"/ldid.o ldid.cpp -"${flags[@]}" -O3 -g0 -o "${out}"/ldid "${out}"/ldid.o "${os[@]}" -x c lookup2.c -lxml2 -framework Security - -if ! "${ios}"; then - ln -sf out/ldid . -fi diff --git a/plist.sh b/plist.sh deleted file mode 100755 index bda6327..0000000 --- a/plist.sh +++ /dev/null 
@@ -1,2 +0,0 @@ -#!/bin/bash -./configure CC='clang -mmacosx-version-min=10.4 -arch i386 -arch x86_64' CXX='clang++ -mmacosx-version-min=10.4 -arch i386 -arch x86_64' CPP='clang -E' CXXCPP='clang++ -E' libxml2_LIBS=-lxml2 libxml2_CFLAGS=-I/usr/include/libxml2 --enable-static --disable-shared @@ -1,64 +0,0 @@ -/*
- * sha1.h
- *
- * Description:
- * This is the header file for code which implements the Secure
- * Hashing Algorithm 1 as defined in FIPS PUB 180-1 published
- * April 17, 1995.
- *
- * Many of the variable names in this code, especially the
- * single character names, were used because those were the names
- * used in the publication.
- *
- * Please read the file sha1.c for more information.
- *
- */
-
-#ifndef _SHA1_H_
-#define _SHA1_H_
-
-#include <stdint.h>
-
-#ifndef _SHA_enum_
-#define _SHA_enum_
-enum
-{
- shaSuccess = 0,
- shaNull, /* Null pointer parameter */
- shaInputTooLong, /* input data too long */
- shaStateError /* called Input after Result */
-};
-#endif
-#define SHA1HashSize 20
-
-/*
- * This structure will hold context information for the SHA-1
- * hashing operation
- */
-typedef struct SHA1Context
-{
- uint32_t Intermediate_Hash[SHA1HashSize/4]; /* Message Digest */
-
- uint32_t Length_Low; /* Message length in bits */
- uint32_t Length_High; /* Message length in bits */
-
- /* Index into message block array */
- int_least16_t Message_Block_Index;
- uint8_t Message_Block[64]; /* 512-bit message blocks */
-
- int Computed; /* Is the digest computed? */
- int Corrupted; /* Is the message digest corrupted? */
-} SHA1Context;
-
-/*
- * Function Prototypes
- */
-
-int SHA1Reset( SHA1Context *);
-int SHA1Input( SHA1Context *,
- const uint8_t *,
- unsigned int);
-int SHA1Result( SHA1Context *,
- uint8_t Message_Digest[SHA1HashSize]);
-
-#endif
diff --git a/sysroot.sh b/sysroot.sh deleted file mode 100755 index e595621..0000000 --- a/sysroot.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/bin/bash -set -e - -rm -rf sysroot32 sysroot64 -mkdir -p sysroot32 sysroot64 - -function merge() { - wget --no-check-certificate "${apt}/$1" - dpkg-deb -x "$1" . -} - -pushd sysroot32 -apt=http://apt.saurik.com/debs -merge openssl_0.9.8zg-13_iphoneos-arm.deb -merge libplist_2.0.0-1_iphoneos-arm.deb -popd - -pushd sysroot64 -apt=https://apt.bingner.com/debs/1443.00 -merge libssl1.0_1.0.2q-1_iphoneos-arm.deb -merge libssl-dev_1.0.2q-1_iphoneos-arm.deb -merge libplist_2.0.0-1_iphoneos-arm.deb -popd - -for lib in libplist libcrypto; do - for dylib in sysroot*/usr/lib/"${lib}".*.dylib; do - echo install_name_tool -id /usr/lib/"${lib}".dylib "${dylib}" - chmod 755 "${dylib}" - install_name_tool -id /usr/lib/"${lib}".dylib "${dylib}" - done -done diff --git a/version.sh b/version.sh deleted file mode 100755 index 19212f3..0000000 --- a/version.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -echo "$(git describe --tags --dirty="+" --match="v*" | sed -e 's@-\([^-]*\)-\([^-]*\)$@+\1.\2@;s@^v@2:@')" |