path: root/docs/ldid.1
blob: 41b1bc59460314d2a25241b1dbf0c1bb6a4bfc2b
.\"-
.\" Copyright (c) 2021-2022 Procursus Team <team@procurs.us>
.\" SPDX-License-Identifier: AGPL-3.0-or-later
.\"
.Dd January 20, 2022
.Dt LDID 1
.Os
.Sh NAME
.Nm ldid
.Nd Link Identity Editor
.Sh SYNOPSIS
.Nm
.Op Fl A Ns Ar cputype : Ns Ar subtype
.Op Fl a
.Op Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
.Op Fl D
.Op Fl d
.Op Fl E Ns Ar num : Ns Ar file
.Op Fl e
.Op Fl H Ns Op Ar sha1 | Ar sha256
.Op Fl h
.Op Fl I Ns Ar name
.Op Fl K Ns Ar key.p12 Op Fl U Ns Ar password
.Op Fl M
.Op Fl P
.Op Fl Q Ns Ar requirements.xml
.Op Fl q
.Op Fl r | Fl S Ns Ar file.xml | Fl s
.Op Fl T Ns Ar timestamp
.Op Fl u
.Op Fl arch Ar arch_type
.Ar
.Sh DESCRIPTION
.Nm
adds SHA1 and SHA256 hashes to Mach-O files so that they can be run
on a system that has validation but not signature verification.
.Bl -tag -width -indent
.It Fl A Ns Ar cputype : Ns Ar subtype
When used with
.Fl a , Fl D , Fl e , Fl h , Fl q ,
or
.Fl u ,
only act on the slice specified by
.Ar cputype
and
.Ar subtype .
.Ar cputype
and
.Ar subtype
should both be integers.
.It Fl a
Print the CPU types and subtypes in hexadecimal.
.It Fl arch Ar arch_type
The same as
.Fl A ,
except the name of the architecture is used.
The list of currently known
.Ar arch_type Ns s
can be found in
.Xr arch 3 .
This is a Procursus extension.
.It Fl C Ns Op Ar adhoc | Ar enforcement | Ar expires | Ar hard | Ar host | Ar kill | Ar library-validation | Ar restrict | Ar runtime
Specify the option flags to embed in the code signature.
See
.Xr codesign 1
for details about these options.
.It Fl D
Reset the cryptid.
.It Fl d
Print the cryptid in the binaries if it exists.
For compatibility reasons it also acts as
.Fl h ,
but this will be removed in the future.
.It Fl E Ns Ar num : Ns Ar file
Embed the hashes of
.Ar file
in the special codesign slot at
.Ar num .
.It Fl e
Print the entitlements in each slice, or the slice specified by
.Fl A ,
to
.Ar stdout .
.It Fl H Ns Op Ar sha1 | Ar sha256
Disable the hash not specified.
This is useful to replicate the default behavior of
.Xr codesign 1 ,
which only provides a SHA256 signature.
.It Fl h
Print information about the signature, such as
hash types, flags, CDHash, and CodeDirectory version to
.Ar stdout .
.It Fl I Ns Ar name
Set the identifier used in the binary's signature to
.Ar name .
If not specified, the basename of the binary is used.
.It Fl K Ns Ar key.p12
Sign using the identity in
.Ar key.p12 .
This will give the binary a valid signature so that it can be run
on a system with signature validation.
If
.Ar key.p12
has a password you will be prompted for it,
or you can specify it on the command line with
.Fl U .
.It Fl M
When used with
.Fl S ,
merge the new and existing entitlements instead of replacing the existing
entitlements.
This is useful for adding a few specific entitlements to a
handful of binaries.
.It Fl P
Mark the Mach-O as a platform binary.
.It Fl Q Ns Ar requirements.xml
Embed the requirements found in
.Ar requirements.xml .
.It Fl q
Print embedded requirements of the binaries.
.It Fl r
Remove the signature from the Mach-O.
.It Fl S Ns Op Ar file.xml
Pseudo-sign the Mach-O binaries.
If
.Ar file.xml
is specified then the entitlements found in
.Ar file.xml
will be embedded in the Mach-O.
.It Fl s
Re-sign the Mach-O binaries while keeping the existing entitlements.
.It Fl T Ns Ar timestamp
When signing a dylib, set the timestamp to
.Ar timestamp .
.Ar timestamp
should be a UNIX timestamp in seconds.
If
.Ar timestamp
is a single dash
.Pq Sq Fl ,
the timestamp will be set to a hash of the Mach-O header.
.It Fl U Ns Ar password
Use
.Ar password
as the password for the p12 certificate instead of prompting.
This is a Procursus extension.
.It Fl u
If the binary was linked against UIKit, then print the UIKit version that the
Mach-O binaries were linked against.
.El
.Sh EXAMPLES
The command:
.Pp
.Dl "ldid -S file"
.Pp
will fakesign
.Ar file
with no entitlements.
.Pp
The command:
.Pp
.Dl "ldid -Cadhoc -K/path/to/key.p12 -Sent.xml file"
.Pp
will sign
.Ar file
using the key in
.Ar /path/to/key.p12
with the entitlements found in
.Ar ent.xml ,
and mark it as an adhoc signature.
.Pp
The command:
.Pp
.Dl "ldid -Sent.xml -M file"
.Pp
will add the entitlements in
.Ar ent.xml
to the entitlements already in
.Ar file .
.Pp
The command:
.Pp
.Dl "ldid -e file > ent.xml"
.Pp
will save the entitlements found in each slice of
.Ar file
to
.Ar ent.xml .
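.Pp
The last example saves the entitlements of every slice into one file, so before re-signing or merging it helps to review each slice separately. The following Python code is an added example, not part of ldid or of this manual: it splits such output into per-slice entitlement dictionaries, reports keys on a review list, and reports keys that differ between slices. It assumes the per-slice documents are XML plists written back to back; REVIEW_KEYS, SAMPLE, split_entitlements and audit are names made up for this example.

```python
import plistlib
import re

# Assumption: each slice's entitlements are a complete <plist>...</plist> document.
PLIST_RE = re.compile(rb"<plist\b.*?</plist>", re.DOTALL)
# Illustrative review list chosen for this example; adjust to local policy.
REVIEW_KEYS = {"get-task-allow", "task_for_pid-allow", "platform-application"}
_MISSING = object()

# Constructed sample of "ldid -e file" output for a two-slice binary.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>platform-application</key><true/>
</dict></plist>
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>get-task-allow</key><true/>
<key>platform-application</key><true/>
</dict></plist>
"""


def split_entitlements(blob):
    """Return one entitlements dict per plist document found in blob."""
    slices = []
    for match in PLIST_RE.finditer(blob):
        parsed = plistlib.loads(match.group(0), fmt=plistlib.FMT_XML)
        if not isinstance(parsed, dict):
            raise ValueError("entitlements plist root must be a dict")
        slices.append(parsed)
    return slices


def audit(blob, review_keys=REVIEW_KEYS):
    """Summarise review-list hits per slice and keys that differ across slices."""
    slices = split_entitlements(blob)
    # Only entitlements explicitly set to true are reported as hits.
    flagged = [sorted(k for k in s if k in review_keys and s[k] is True)
               for s in slices]
    all_keys = set().union(*(s.keys() for s in slices))
    # A key is mismatched when any slice lacks it or gives it another value.
    mismatched = sorted(
        k for k in all_keys
        if any(s.get(k, _MISSING) != slices[0].get(k, _MISSING) for s in slices))
    return {"slices": len(slices), "flagged": flagged, "mismatched": mismatched}


if __name__ == "__main__":
    print(audit(SAMPLE))
```

A non-empty "mismatched" list means the slices do not carry the same entitlements, which is worth resolving before the file is signed with one entitlements file for all slices.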
.Sh SEE ALSO
.Xr codesign 1
.Sh HISTORY
The
.Nm
utility was written by
.An Jay \*qSaurik\*q Freeman .
iPhoneOS 1.2.0 and 2.0 support was added on April 6, 2008.
.Fl S
was added on June 13, 2008.
SHA256 support was added on August 25, 2016, fixing iOS 11 support.
iOS 14 support was added on July 31, 2020 by
.An Kabir Oberai .
iOS 15 support was added on June 11, 2021.