
Why Does Productsign Use SHA1 Instead Of SHA256 To Sign The Pkg


Cherly Pertubal

Dec 26, 2023, 9:35:43 PM
I have an application which is packed into a pkg file using productbuild and then is signed using productsign. However when I run pkgutil --check-signature only the SHA1 signature is shown. I also tried to create a self-signed certificate using the instructions reported here but the problem is still the same. The only difference is that when the Apple certificate is used (Developer ID Installer: ...) all the chain is dumped to the screen but also for the other certificates only the SHA1 signature is shown.


Here I am wondering: I can timestamp the SHA-1 signature with a SHA-256 timestamp, but does that make sense? I would think that I include the SHA-1 signature only for compatibility, so I guess I should use a SHA-1 timestamp for it.



Why does productsign use SHA1 instead of SHA256 to sign the pkg







The code-signing bug is that the codesign tool looks at the deployment target of the *native* architecture (the one it's running on) to decide if a backward-compatible SHA-1 code directory should be added. If you run codesign on arm64, it will always see this as 11.*, even when signing the x86_64 slice. (Quinn's comment quoted above fails to account for the fact that code-signing is always a per-architecture thing: in a universal binary, each slice of the Mach-O is signed separately, so there is no reason that the x86_64 slice couldn't get a fallback SHA-1 code directory while the arm64 slice does not. Failing that, Michael's workaround using --digest-algorithm ought to suffice.)


The package-signing bug appears to be that the CMSEncoder (also in the Security framework, and used by productsign) has changed in Big Sur so that the SignerInfo's SignatureAlgorithmIdentifier (c.f. RFC 5652, 10.1.2) is now SHA1-with-RSA (1.2.840.113549.1.1.5) instead of RSA-encryption (1.2.840.113549.1.1.1) as before. I don't claim to understand the difference, but it does appear that on the CMSDecoder side, modern versions of the Security framework (10.12 and newer?) are able to deal with either, but 10.11 and older versions stumble over the newer SHA1-with-RSA algorithm type.


The reason that the approach used by fish-shell works is only because it avoids CMS-style signing altogether. CMS-style signatures were added to packages in 10.8, and were always an optional-but-preferred signature style (preferred, because they support trusted timestamps). For backward-compatibility reasons, the macOS Installer will always fall back on the old "RSA-style" signature if the CMS one isn't there. The "use xar instead" approach is creating only the RSA-style signature, so avoids the CMS issues altogether. (The optional CMS signature scheme [x-signature in the XML xar TOC] is an Apple-only extension to xar that isn't in other xar versions, outside of the one on opensource.apple.com.)


(By the way, code-signing is also based on CMSEncoder/CMSDecoder, but the change that bites productsign doesn't seem to affect the backward compatibility of code signatures [once you hack past the deployment target bug] because code-signing explicitly specifies a SHA-256 signer algorithm [see SecCodeSigner::Signer::signCodeDirectory()], and even though Big Sur CMSEncoder does switch the SignatureAlgorithmIdentifier here too [to SHA256-with-RSA], it doesn't seem to cause the same problems in 10.11's CMSDecoder that I can see.)


Given that dyld's error when trying to run my app under Yosemite always refers to one of the libraries that only has a sha256 hash, my working theory is that OS/X 10.10.x's dyld is ancient enough that it doesn't know about SHA-256 hashes, and that is why it is erroring out when it tries to load a captive shared library that is signed only with an SHA-256 hash.


My question (assuming I'm not completely barking up the wrong tree here) is: how does codesign decide when to stamp a file with sha256 hash alone, vs adding both an sha1 and an sha256 hash? And how can I force codesign to always include both hashes, so that my app can launch under 10.10.x again (like it used to before we upgraded our build machine to OSX/Sierra)?






For the record, here is how I'm invoking codesign in my build script -- the invocation arguments are exactly the same for all libraries (both the Qt framework libraries that end up with sha1,sha256 and the non-Qt libraries that end up with only sha256), e.g.:


Gatekeeper, first introduced in Mountain Lion (10.8, 2012), is a Mac security feature that was designed to protect Apple computers from malicious software. Gatekeeper checks applications against the list of apps that Apple has approved for its App Store or have been code signed by developers who have Apple-issued certificates where the application is not offered through the app store. It does not perform any safety checks by itself, other than that the application wasn't changed since the developer signed it, nor does it offer any guarantees about the developer other than that they are paying Apple $US 99 per year (aka an "Identified Developer").


This is especially important on ARM64 M1 Apple processors which require all native code to be validly signed (if only ad hoc) or the operating system will not execute it, instead killing it on launch. To ad hoc sign an application:


Specifies the string that appears in the subject of the new certificate. This cmdlet prefixes CN= to any value that does not contain an equal sign. For multiple subject relative distinguished names (also known as RDNs), separate each subject relative distinguished name with a comma (,). If the value of the relative distinguished name contains commas, separate each subject relative distinguished name with a semicolon (;).


Tracks the live user sessions coming in over HTTP. Flushing this cache would cause all users to be signed out immediately, forcing them to sign in again. To avoid breaking active users, this cache is not flushed automatically by gerrit flush-caches --all, but instead must be explicitly requested.


Git has a configuration option to hide refs from the initial advertisement (uploadpack.hideRefs). This option can be used to hide the change refs from the client. As a consequence, fetching changes by change ref does not work anymore. However, by setting uploadpack.allowTipSha1InWant to true, fetching changes by commit ID is possible. If download.checkForHiddenChangeRefs is set to true, the git download commands use the commit ID instead of the change ref when a project is configured like this.


If kerberos authentication is enabled with sshd.kerberosKeytab, instead use the given principal name instead of the default. If the principal does not begin with host/ a warning message is printed and may prevent successful authentication.


When saving the return value of Encrypt() function to a field in a table, remember that Visual FoxPro will append blanks to the end of the string in order to fill the character field to its designated length. This can cause problems when decrypting the data as the spaces will be considered part of the encrypted string. To work around this, I suggest placing a single CHR(0) at the end of the encrypted string when saving it to the table. Then when decrypting the data just the portion prior to the CHR(0) can be sent into the Decrypt() function. This does not apply when using RC4 encryption (nEncryptionType = 1024).


