codesign

package
v0.0.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 28, 2025 License: MIT Imports: 26 Imported by: 0

README

iOS Code Signing in Pure Go

This package implements iOS IPA re-signing entirely in Go, without requiring external tools like codesign or macOS. It produces signatures compatible with iOS 15+ devices.

Table of Contents

Overview

iOS code signing serves two purposes:

  1. Integrity: Ensures the app hasn't been modified since signing
  2. Identity: Proves the app was signed by a trusted developer

Every executable in an iOS app bundle contains an embedded code signature that iOS validates before allowing the app to run. This package handles:

  • Signing Mach-O executables (main binary, frameworks, dylibs)
  • Generating _CodeSignature/CodeResources (resource hashes)
  • Building entitlements (XML and DER formats)
  • Creating CMS/PKCS#7 signatures with Apple-specific attributes

Requirements

To re-sign an IPA, you need:

  1. Signing Certificate (.p12 file)

    • An Apple Developer certificate exported from Keychain
    • Contains your private key and certificate chain
    • Must include intermediate certificates (WWDR G3, Apple Root CA)

  2. Provisioning Profile (.mobileprovision file)

    • Links your certificate to specific app IDs and devices
    • Contains entitlements the app is allowed to use
    • Must match the certificate's Team ID

  3. The IPA file

    • The app to be re-signed

Usage

import "github.com/danielpaulus/go-ios/ios/resign"

// Load signing identity from P12
identity, err := resign.LoadSigningIdentity("certificate.p12", "password")

// Load provisioning profile
profile, err := resign.ParseProvisioningProfile("profile.mobileprovision")

// Re-sign the IPA
opts := resign.ResignOptions{
    InputIPA:    "app.ipa",
    OutputIPA:   "resigned.ipa",
    Identity:    identity,
    Profile:     profile,
    NewBundleID: "com.example.newbundleid", // optional
}
err = resign.ResignIPA(opts)

Code Signing Internals

The SuperBlob Structure

The code signature is embedded at the end of a Mach-O binary as a "SuperBlob" - a container holding multiple signature components:

┌─────────────────────────────────────────┐
│ SuperBlob Header                        │
│   magic: 0xfade0cc0                     │
│   length: total size                    │
│   count: number of blobs                │
├─────────────────────────────────────────┤
│ Blob Index (array of slot+offset pairs) │
│   [0] CodeDirectory SHA1    → offset    │
│   [1] Requirements          → offset    │
│   [2] Entitlements          → offset    │
│   [3] Entitlements DER      → offset    │
│   [4] CodeDirectory SHA256  → offset    │
│   [5] CMS Signature         → offset    │
├─────────────────────────────────────────┤
│ CodeDirectory (SHA1)                    │
├─────────────────────────────────────────┤
│ Requirements                            │
├─────────────────────────────────────────┤
│ Entitlements (XML plist)                │
├─────────────────────────────────────────┤
│ Entitlements (DER encoded)              │
├─────────────────────────────────────────┤
│ CodeDirectory (SHA256)                  │
├─────────────────────────────────────────┤
│ CMS Signature (PKCS#7)                  │
└─────────────────────────────────────────┘
CodeDirectory

The CodeDirectory is the heart of code signing. It contains:

  1. Metadata: Bundle ID, Team ID, version, flags
  2. Special Slot Hashes: Hashes of Info.plist, entitlements, requirements, CodeResources
  3. Code Page Hashes: Hash of every 4KB page of the executable
CodeDirectory Structure (v0x20400):
┌────────────────────────────────────┐
│ Header (88 bytes)                  │
│   magic: 0xfade0c02                │
│   length, version, flags           │
│   hashOffset, identOffset          │
│   nSpecialSlots, nCodeSlots        │
│   codeLimit, hashSize, hashType    │
│   pageSize (4KB = 12 bits)         │
│   teamOffset                       │
│   execSegBase, execSegLimit        │
├────────────────────────────────────┤
│ Identifier String                  │
│   "com.example.app\0"              │
├────────────────────────────────────┤
│ Team ID String                     │
│   "ABCD1234XY\0"                   │
├────────────────────────────────────┤
│ Special Slot Hashes (negative)     │
│   [-7] Entitlements DER hash       │
│   [-6] (unused)                    │
│   [-5] Entitlements XML hash       │
│   [-4] (unused)                    │
│   [-3] CodeResources hash          │
│   [-2] Requirements hash           │
│   [-1] Info.plist hash             │
├────────────────────────────────────┤
│ Code Page Hashes (positive)        │
│   [0] Hash of bytes 0-4095         │
│   [1] Hash of bytes 4096-8191      │
│   [2] ...                          │
└────────────────────────────────────┘

Why two CodeDirectories?

Modern iOS requires both SHA1 and SHA256 CodeDirectories:

  • SHA1 CodeDirectory (slot 0): Legacy compatibility, also used for CMS signing
  • SHA256 CodeDirectory (slot 0x1000): Used by modern iOS for validation
Special Slots

Special slots contain hashes of auxiliary signing data:

Slot Name Content
-1 Info.plist Hash of the app's Info.plist
-2 Requirements Hash of the requirements blob
-3 CodeResources Hash of _CodeSignature/CodeResources
-4 (reserved) Unused
-5 Entitlements Hash of XML entitlements blob
-6 (reserved) Unused
-7 Entitlements DER Hash of DER-encoded entitlements
CMS Signature

The CMS (Cryptographic Message Syntax) signature is a PKCS#7 detached signature that:

  1. Signs the SHA1 CodeDirectory (not SHA256!)
  2. Uses SHA256 as the digest algorithm
  3. Includes the full certificate chain
  4. Contains Apple-specific signed attributes:

Apple Signed Attributes:

OID Name Content
1.2.840.113635.100.9.1 CDHashes Plist with array of truncated CD hashes
1.2.840.113635.100.9.2 CDHashes2 ASN.1 SEQUENCE with full SHA256 hash

The CDHashes plist contains:

{
    cdhashes = (
        <sha1-hash-of-sha1-codedirectory>,      // 20 bytes
        <truncated-sha256-hash-of-sha256-cd>    // 20 bytes (truncated from 32)
    );
}
CodeResources

The _CodeSignature/CodeResources file is a plist containing hashes of all non-executable resources in the app bundle:

<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>files</key>
    <dict>
        <!-- SHA1 hashes for legacy iOS -->
        <key>[email protected]</key>
        <data>BASE64_SHA1_HASH</data>
        <key>Info.plist</key>
        <data>BASE64_SHA1_HASH</data>
    </dict>
    <key>files2</key>
    <dict>
        <!-- Both SHA1 and SHA256 for modern iOS -->
        <key>[email protected]</key>
        <dict>
            <key>hash</key>
            <data>BASE64_SHA1_HASH</data>
            <key>hash2</key>
            <data>BASE64_SHA256_HASH</data>
        </dict>
    </dict>
    <key>rules</key>
    <dict><!-- Matching rules for files section --></dict>
    <key>rules2</key>
    <dict><!-- Matching rules for files2 section --></dict>
</dict>
</plist>

Important rules:

  • Info.plist and PkgInfo appear in files but NOT in files2
  • .lproj/ directories are marked as optional
  • .DS_Store files are omitted
  • Nested bundles (frameworks) include their own _CodeSignature/CodeResources
Entitlements

Entitlements declare capabilities and permissions the app requires. They're embedded in two formats:

1. XML Plist (slot 5)

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "...">
<plist version="1.0">
<dict>
    <key>application-identifier</key>
    <string>TEAMID.com.example.app</string>
    <key>get-task-allow</key>
    <true/>
    <key>keychain-access-groups</key>
    <array>
        <string>TEAMID.com.example.app</string>
    </array>
</dict>
</plist>

2. DER Encoded (slot 7)

iOS 15+ also requires DER-encoded entitlements using a proprietary Apple format:

  • Uses tag 0x30 (SEQUENCE) at the root
  • Keys are context-specific tag [0] with UTF8String
  • Values use context-specific tag [1]
  • Booleans: 0x01 0x01 0x01 (true) or 0x01 0x01 0x00 (false)
  • Strings: UTF8String (0x0C)
  • Arrays: SEQUENCE of values

Certificate Chain

A valid signing identity requires the complete certificate chain:

┌─────────────────────────────────────┐
│ Apple Root CA                       │
│   Subject: Apple Root CA            │
│   Issuer: Apple Root CA (self)      │
└─────────────┬───────────────────────┘
              │ signs
              ▼
┌─────────────────────────────────────┐
│ Apple WWDR G3                       │
│   Subject: Apple Worldwide Dev...   │
│   Issuer: Apple Root CA             │
└─────────────┬───────────────────────┘
              │ signs
              ▼
┌─────────────────────────────────────┐
│ Your Signing Certificate            │
│   Subject: iPhone Developer: ...    │
│   Issuer: Apple Worldwide Dev...    │
│   + Your Private Key                │
└─────────────────────────────────────┘

When exporting from Keychain, ensure you include the certificate chain. The P12 should contain:

  1. Your signing certificate
  2. Apple Worldwide Developer Relations G3
  3. Apple Root CA

Troubleshooting

Error: "A valid provisioning profile for this executable was not found"
  • The provisioning profile doesn't include the device UDID
  • The bundle ID doesn't match the profile's app ID
  • The profile has expired
Error: "The signature is invalid" or AMFI errors
  • Certificate chain is incomplete (missing WWDR or Root CA)
  • CodeDirectory hashes don't match actual file contents
  • Special slot hashes are incorrect
  • CMS signature was created incorrectly
Error: "Entitlements are not valid"
  • Entitlements in the signature don't match the provisioning profile
  • DER-encoded entitlements have incorrect format
  • Missing required entitlements (like application-identifier)
Debugging Tips

  1. Compare with a known-good signature:

    codesign -d --verbose=4 GoodApp.app
codesign -d --verbose=4 YourApp.app

  2. Extract and examine the signature:

    # Extract signature blob
codesign -d --blob=sig.bin YourApp.app

# Parse CMS signature
openssl asn1parse -inform DER -in sig.bin

  3. Verify CodeResources:

    plutil -p YourApp.app/_CodeSignature/CodeResources

  4. Check entitlements:

    codesign -d --entitlements :- YourApp.app

References

Documentation

Overview

Package codesign provides iOS code signing functionality.

This package implements Apple's code signing format natively in Go, allowing you to resign IPA files and .app bundles on any platform without requiring macOS or Apple's codesign tool.

Basic Usage

To resign an app: 

signer, err := codesign.NewSigner(p12Data, password, profileData)
if err != nil {
    log.Fatal(err)
}
err = signer.SignApp(appPath)

Features

  • Cross-platform: Works on Linux, macOS, and Windows
  • IPA and .app support: Resign both IPA files and extracted .app bundles
  • Nested bundle signing: Automatically signs frameworks, plugins, and extensions
  • Bundle ID modification: Change the app's bundle identifier during resign

Index

Constants

View Source 
const (
	MachOHeader32Size = 28
	MachOHeader64Size = 32
)

Mach-O header sizes

View Source 
const (
	MH_MAGIC     = 0xfeedface // 32-bit little-endian
	MH_MAGIC_64  = 0xfeedfacf // 64-bit little-endian
	FAT_MAGIC    = 0xcafebabe // Fat binary (big-endian)
	FAT_MAGIC_64 = 0xcafebabf // Fat binary 64 (big-endian)
)

Mach-O magic numbers

View Source 
const (
	PageSizeBits = 12
	PageSize     = 1 << PageSizeBits // 4096 bytes
)

Page size for code signing (4KB)

View Source 
const (
	CSMAGIC_REQUIREMENT               = 0xfade0c00
	CSMAGIC_REQUIREMENTS              = 0xfade0c01
	CSMAGIC_CODEDIRECTORY             = 0xfade0c02
	CSMAGIC_EMBEDDED_SIGNATURE        = 0xfade0cc0
	CSMAGIC_EMBEDDED_ENTITLEMENTS     = 0xfade7171
	CSMAGIC_EMBEDDED_DER_ENTITLEMENTS = 0xfade7172
	CSMAGIC_BLOBWRAPPER               = 0xfade0b01
)

Code signature magic numbers (from Apple's cs_blobs.h)

View Source 
const (
	CSSLOT_CODEDIRECTORY             = 0
	CSSLOT_INFOSLOT                  = 1
	CSSLOT_REQUIREMENTS              = 2
	CSSLOT_RESOURCEDIR               = 3
	CSSLOT_APPLICATION               = 4
	CSSLOT_ENTITLEMENTS              = 5
	CSSLOT_DER_ENTITLEMENTS          = 7
	CSSLOT_ALTERNATE_CODEDIRECTORIES = 0x1000
	CSSLOT_SIGNATURESLOT             = 0x10000
)

Code signature slot indices

View Source 
const (
	CS_HASHTYPE_SHA1   = 1
	CS_HASHTYPE_SHA256 = 2
)

Code directory hash types

View Source 
const (
	CS_SHA1_LEN   = 20
	CS_SHA256_LEN = 32
	CS_CDHASH_LEN = 20 // Truncated hash length for CDHashes
)

Hash sizes

View Source 
const (
	CS_EXECSEG_MAIN_BINARY    = 0x1
	CS_EXECSEG_ALLOW_UNSIGNED = 0x10
)

Executable segment flags

View Source 
const (
	LC_CODE_SIGNATURE      = 0x1d
	LC_CODE_SIGNATURE_SIZE = 16
)

Load commands

View Source 
const (
	AppleRootCAURL = "https://www.apple.com/appleca/AppleIncRootCertificate.cer"
	AppleWWDRG3URL = "https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer"
)

Apple certificate URLs

View Source 
const FatArchAlignment = 0x4000 // 16KB

Fat binary alignment

Variables

This section is empty.

Functions

func Base64Hash 

func Base64Hash(hash []byte) string

Base64Hash returns base64-encoded hash for plist

func ComputeCDHash 

func ComputeCDHash(sigData []byte, blobOffset, blobSize uint32, hashType uint8) []byte

ComputeCDHash computes the CDHash for a CodeDirectory

func CopyAppBundle 

func CopyAppBundle(src, dst string) error

CopyAppBundle copies a .app bundle directory from src to dst

func EntitlementsToDER 

func EntitlementsToDER(entitlements map[string]interface{}) ([]byte, error)

EntitlementsToDER converts entitlements map to DER-encoded ASN.1 format This is required for iOS code signing alongside the XML plist format The format follows Apple's specific plist-to-DER encoding: - Top-level: APPLICATION 16 { INTEGER 1, WrappedValue } - Dictionary: [16] SEQUENCE { SEQUENCE { UTF8String key, WrappedValue }... } - Array: SEQUENCE { WrappedValue... } - Boolean: BOOLEAN - Integer: INTEGER - String: UTF8String

func EntitlementsToXML 

func EntitlementsToXML(entitlements map[string]interface{}) ([]byte, error)

EntitlementsToXML converts entitlements map to XML plist bytes

func ExtractCDHashes 

func ExtractCDHashes(binaryPath string) (sha1Hash, sha256Hash []byte, err error)

ExtractCDHashes extracts CDHashes from signature data

func ExtractEntitlements 

func ExtractEntitlements(profile *ProvisioningProfile) ([]byte, error)

ExtractEntitlements extracts entitlements from a provisioning profile as XML plist bytes

func ExtractIPA 

func ExtractIPA(ipaPath string) (string, error)

ExtractIPA extracts an IPA file to a temporary directory Returns the path to the temp directory

func FindAppBundle 

func FindAppBundle(extractedDir string) (string, error)

FindAppBundle finds the .app bundle inside an extracted IPA Returns the full path to the .app directory

func GenerateCodeResources 

func GenerateCodeResources(appPath string) ([]byte, error)

GenerateCodeResources generates the _CodeSignature/CodeResources plist This hashes ALL files recursively, including those inside nested bundles (.framework, .xctest, etc.)

func GetAppBundleID 

func GetAppBundleID(appPath string) (string, error)

GetAppBundleID reads the bundle ID from an app's Info.plist

func GetAppExecutableName 

func GetAppExecutableName(appPath string) (string, error)

GetAppExecutableName reads the executable name from an app's Info.plist

func GetBundleIDFromPlist 

func GetBundleIDFromPlist(plistPath string) (string, error)

GetBundleIDFromPlist reads CFBundleIdentifier from an Info.plist

func HashData 

func HashData(data []byte) []byte

HashData hashes arbitrary data with SHA256

func MergeEntitlements 

func MergeEntitlements(base, override map[string]interface{}) map[string]interface{}

MergeEntitlements merges override entitlements into base entitlements Override values take precedence

func NativeSignAppBundle 

func NativeSignAppBundle(appPath string, identity *SigningIdentity, entitlements []byte, bundleID string) error

NativeSignAppBundle signs all Mach-O binaries in an app bundle

func NativeSignMachO 

func NativeSignMachO(path string, identity *SigningIdentity, entitlements []byte, bundleID string) error

NativeSignMachO signs a Mach-O binary using our native implementation

func NativeSignMachOWithContext 

func NativeSignMachOWithContext(path string, identity *SigningIdentity, entitlements []byte, bundleID string, bundleCtx *BundleSigningContext) error

NativeSignMachOWithContext signs a Mach-O binary with optional bundle context

func ParseEntitlementsXML 

func ParseEntitlementsXML(data []byte) (map[string]interface{}, error)

ParseEntitlementsXML parses XML plist entitlements into a map

func PrintSignatureDiff 

func PrintSignatureDiff(diff *SignatureDiff, w io.Writer)

PrintSignatureDiff prints a signature diff to a writer

func PrintSignatureInfo 

func PrintSignatureInfo(info *SignatureInfo, w io.Writer, bundlePath string)

PrintSignatureInfo prints signature information to a writer

func RepackageIPA 

func RepackageIPA(extractedDir, outputPath string) error

RepackageIPA creates an IPA file from an extracted directory

func Resign 

func Resign(opts ResignOptions) error

Resign resigns a .app bundle with a new signing identity (in-place)

func ResignApp 

func ResignApp(appPath string, identity *SigningIdentity, profile *ProvisioningProfile, newBundleID string) error

ResignApp resigns an already extracted .app bundle in place

func UpdateEntitlementsForBundleID 

func UpdateEntitlementsForBundleID(entitlements map[string]interface{}, teamID, newBundleID string) map[string]interface{}

UpdateEntitlementsForBundleID updates the entitlements with a new bundle ID It updates application-identifier and keychain-access-groups

func VerifySignatureFromCerts 

func VerifySignatureFromCerts(info *SignatureInfo, certs []*x509.Certificate) bool

VerifySignatureFromCerts verifies that the CMS signature was made by one of the provided certificates

func WriteCodeResources 

func WriteCodeResources(appPath string) error

WriteCodeResources generates and writes the CodeResources file

Types

type BlobIndexEntry 

type BlobIndexEntry struct {
	Type   uint32
	Offset uint32
	Size   uint32
	Magic  uint32
}

BlobIndexEntry represents a single blob in the SuperBlob index

type BundleDiff 

type BundleDiff struct {
	RelativePath     string
	SuperBlobDiff    FieldDiff
	CodeDirDiffs     []CodeDirDiff
	RequirementsDiff FieldDiff
	EntitlementsDiff EntitlementsDiff
	CMSDiff          FieldDiff

	// Only in one app
	OnlyIn1 bool
	OnlyIn2 bool
}

BundleDiff represents differences for a single bundle

func CompareSignatures 

func CompareSignatures(info1, info2 *SignatureInfo) *BundleDiff

CompareSignatures compares two SignatureInfo structures

type BundleSigningContext 

type BundleSigningContext struct {
	InfoPlistPath     string // Path to Info.plist (for special slot 1)
	CodeResourcesPath string // Path to CodeResources (for special slot 3)
	TeamID            string // Team ID to embed in CodeDirectory
}

BundleSigningContext contains context needed for signing a bundle's main executable

type CMSInfo 

type CMSInfo struct {
	Size         uint32
	CDHashSHA1   []byte
	CDHashSHA256 []byte
	SignerCN     string
	SignerTeamID string
	RawData      []byte
}

CMSInfo contains CMS signature details

type CodeDirDiff 

type CodeDirDiff struct {
	Slot             uint32
	HashType         string
	VersionDiff      FieldDiff
	FlagsDiff        FieldDiff
	IdentifierDiff   FieldDiff
	TeamIDDiff       FieldDiff
	PageSizeDiff     FieldDiff
	CodeLimitDiff    FieldDiff
	SpecialSlotDiffs []FieldDiff
	CodeHashesSame   bool
	CodeHashesCount1 int
	CodeHashesCount2 int
}

CodeDirDiff represents CodeDirectory differences

type CodeDirectoryInfo 

type CodeDirectoryInfo struct {
	Slot          uint32
	Version       uint32
	Flags         uint32
	HashType      uint8
	HashSize      uint8
	Identifier    string
	TeamID        string
	PageSize      uint32
	CodeLimit     uint32
	ExecSegBase   uint64
	ExecSegLimit  uint64
	ExecSegFlags  uint64
	NSpecialSlots uint32
	NCodeSlots    uint32
	SpecialHashes map[int][]byte // slot number (negative) -> hash
	CodeHashes    [][]byte
}

CodeDirectoryInfo contains CodeDirectory details

type CodeResourcesRules 

type CodeResourcesRules struct {
	// Files that should be omitted (not hashed)
	Omit []string
	// Files that are optional (hash if present)
	Optional []string
	// Files that must be nested (e.g., frameworks)
	Nested bool
	// Weight for rule priority
	Weight int
}

CodeResourcesRules defines the rules for hashing resources

type EntitlementsDiff 

type EntitlementsDiff struct {
	Same    bool
	Added   map[string]interface{}    // In 2 but not in 1
	Removed map[string]interface{}    // In 1 but not in 2
	Changed map[string][2]interface{} // Different values
}

EntitlementsDiff represents entitlements differences

type EntitlementsInfo 

type EntitlementsInfo struct {
	Size   uint32
	XML    string
	Parsed map[string]interface{}
}

EntitlementsInfo contains entitlements details

type FieldDiff 

type FieldDiff struct {
	Name    string
	Same    bool
	Value1  string
	Value2  string
	Details string
}

FieldDiff represents a simple field comparison

type ProvisioningProfile 

type ProvisioningProfile struct {
	Name                        string                 `plist:"Name"`
	TeamName                    string                 `plist:"TeamName"`
	TeamIdentifier              []string               `plist:"TeamIdentifier"`
	AppIDName                   string                 `plist:"AppIDName"`
	ApplicationIdentifierPrefix []string               `plist:"ApplicationIdentifierPrefix"`
	Entitlements                map[string]interface{} `plist:"Entitlements"`
	DeveloperCertificates       [][]byte               `plist:"DeveloperCertificates"`
	ProvisionedDevices          []string               `plist:"ProvisionedDevices"`
	ProvisionsAllDevices        bool                   `plist:"ProvisionsAllDevices"`
	CreationDate                time.Time              `plist:"CreationDate"`
	ExpirationDate              time.Time              `plist:"ExpirationDate"`
	UUID                        string                 `plist:"UUID"`
	Platform                    []string               `plist:"Platform"`
}

ProvisioningProfile represents a parsed .mobileprovision file

func ParseProvisioningProfile 

func ParseProvisioningProfile(data []byte) (*ProvisioningProfile, error)

ParseProvisioningProfile parses a .mobileprovision file The file is a CMS (PKCS#7) signed container with a plist payload

func (*ProvisioningProfile) GetApplicationIdentifier 

func (p *ProvisioningProfile) GetApplicationIdentifier() string

GetApplicationIdentifier returns the application identifier from entitlements

func (*ProvisioningProfile) GetCertificates 

func (p *ProvisioningProfile) GetCertificates() ([]*x509.Certificate, error)

GetCertificates parses and returns the developer certificates from the profile

func (*ProvisioningProfile) GetTeamID 

func (p *ProvisioningProfile) GetTeamID() string

GetTeamID returns the team identifier from the profile

func (*ProvisioningProfile) IsDeviceAllowed 

func (p *ProvisioningProfile) IsDeviceAllowed(udid string) bool

IsDeviceAllowed checks if a specific device UDID is allowed by this profile

func (*ProvisioningProfile) IsExpired 

func (p *ProvisioningProfile) IsExpired() bool

IsExpired checks if the provisioning profile has expired

func (*ProvisioningProfile) MatchesCertificate 

func (p *ProvisioningProfile) MatchesCertificate(cert *x509.Certificate) bool

MatchesCertificate checks if the given certificate matches any certificate in the profile

type RequirementsInfo 

type RequirementsInfo struct {
	Size       uint32
	Expression string // Human-readable requirements expression (best effort)
	RawData    []byte
}

RequirementsInfo contains requirements blob details

type ResignOptions 

type ResignOptions struct {
	AppPath             string // Path to the .app bundle
	P12Data             []byte
	P12Password         string
	ProvisioningProfile []byte
	NewBundleID         string // Optional: if set, changes the bundle ID
}

ResignOptions contains all options for resigning a .app bundle

type SignatureDiff 

type SignatureDiff struct {
	Path1       string
	Path2       string
	BundleDiffs []BundleDiff
}

SignatureDiff represents the differences between two signatures

func CompareBundles 

func CompareBundles(path1, path2 string, recursive bool) (*SignatureDiff, error)

CompareBundles compares signatures of two bundles (and optionally nested bundles)

type SignatureInfo 

type SignatureInfo struct {
	BinaryPath      string
	BundlePath      string
	RelativePath    string // Relative path from the root bundle (e.g., "PlugIns/Foo.xctest/Frameworks/Bar.framework")
	SuperBlob       SuperBlobInfo
	CodeDirs        []CodeDirectoryInfo
	Requirements    RequirementsInfo
	Entitlements    EntitlementsInfo
	EntitlementsDER []byte
	CMSSignature    CMSInfo
}

SignatureInfo holds parsed code signature details

func GetBundleSignatureInfo 

func GetBundleSignatureInfo(bundlePath string, recursive bool) ([]*SignatureInfo, error)

GetBundleSignatureInfo gets signature info for a bundle and optionally its nested bundles

func ParseSignature 

func ParseSignature(binaryPath string) (*SignatureInfo, error)

ParseSignature parses the code signature from a Mach-O binary

func ParseSignatureFromData 

func ParseSignatureFromData(data []byte, binaryPath, bundlePath string) (*SignatureInfo, error)

ParseSignatureFromData parses code signature from binary data

type SigningIdentity 

type SigningIdentity struct {
	Certificate *x509.Certificate
	PrivateKey  crypto.PrivateKey
	CertChain   []*x509.Certificate
	TeamID      string
}

SigningIdentity represents a code signing identity (certificate + private key)

func LoadSigningIdentity 

func LoadSigningIdentity(p12Data []byte, password string) (*SigningIdentity, error)

LoadSigningIdentity loads a signing identity from a PKCS#12 file or PEM key

func LoadSigningIdentityWithProfile 

func LoadSigningIdentityWithProfile(keyData []byte, password string, profile *ProvisioningProfile) (*SigningIdentity, error)

LoadSigningIdentityWithProfile loads a signing identity using a PEM key and extracts the matching certificate from the provisioning profile

type SuperBlobInfo 

type SuperBlobInfo struct {
	Magic     uint32
	Length    uint32
	BlobCount uint32
	Blobs     []BlobIndexEntry
}

SuperBlobInfo contains SuperBlob header information

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.