Initial support for rcodesign

Author: radare

index.ts

@@ -647,9 +647,9 @@ class Applesign {
       res = await tools.pseudoSign(entitlements, file);
     } else {
       const keychain = getKeychain();
-      res = await tools.codesign(identity, entitlements, keychain, file);
+      res = await tools.codesign(identity, entitlements, keychain, file, this.config.codeSign);
       if (res.code !== 0 && codesignHasFailed(config, res.code, res.stderr)) {
-        return this.emit("end", res.stderr);
+        return this.emit('end', res.stderr);
       }
     }
     this.emit("message", "Signed " + file);

lib/config.ts

@@ -61,6 +61,7 @@ const helpMessage = `Usage:
   -k, --keychain [KEYCHAIN]     Specify custom keychain file
   -K, --add-access-group [NAME] Add $(TeamIdentifier).NAME to keychain-access-groups
   -L, --identities              List local codesign identities
+  --codesign-tool=rcodesign     Use rcodesign instead of codesign (EXPERIMENTAL)
   -m, --mobileprovision [FILE]  Specify the mobileprovision file to use
   -s, --single                  Sign a single file instead of an IPA
   -S, --self-sign-provision     Self-sign mobile provisioning (EXPERIMENTAL)
@@ -127,6 +128,7 @@ export interface ConfigOptions {
   bundleIdKeychainGroup: string | false;
   bundleid: string | undefined;
   cloneEntitlements: boolean;
+  codeSign: string | undefined;
   customKeychainGroup: string | undefined;
   debug: any; // opt.d || opt.debug || ""
   deviceProvision: any; // opt.D || opt.deviceProvision || false
@@ -206,6 +208,7 @@ const fromOptions = function (opt: any): ConfigOptions {
     bundleIdKeychainGroup: opt.bundleIdKeychainGroup || false,
     bundleid: opt.bundleid || undefined,
     cloneEntitlements: opt.cloneEntitlements || false,
+    codeSign: opt.codeSign || undefined,
     customKeychainGroup: opt.customKeychainGroup || undefined,
     debug: opt.d || opt.debug || "",
     deviceProvision: opt.D || opt.deviceProvision || false,
@@ -338,6 +341,7 @@ function compile(conf: any) {
     bundleIdKeychainGroup: conf.B || conf["bundleid-access-group"],
     bundleid: conf.bundleid || conf.b,
     cloneEntitlements: conf.c || conf["clone-entitlements"],
+    codeSign: conf["codesign-tool"],
     customKeychainGroup: conf.K || conf["add-access-group"],
     debug: conf.debug || conf.d || "",
     deviceProvision: conf.D || conf.deviceProvision || false,

lib/tools.ts

@@ -141,11 +141,62 @@ async function codesign(
   entitlement: string | undefined,
   keychain: string | undefined,
   file: string,
+  tool?: string,
 ) {
   if (identity === undefined) {
     // XXX: typescript can ensure this at compile time
     throw new Error("--identity is required to sign");
   }
+  if (tool === 'rcodesign') {
+    console.error('WARNING: Signing with the experimental rcodesign tool');
+    const args = [];
+    args.push('sign'); // action
+
+    args.push('-v');
+    args.push('--pem-source'); // action
+    const pemFile = '/Users/pancake/iphone.pem';
+    args.push(pemFile);
+
+    args.push('--code-resources-path');
+    args.push('/tmp/csreq.bin');
+    // rcodesign bug makes this flag to not sign the binary at all
+    args.push('--extra-digest');
+    args.push('sha256');
+    args.push('--extra-digest');
+    args.push('sha384');
+    // args.push('--binary-identifier');
+    // args.push('com.tacobellspain.app');
+    /*
+    args.push('--code-signature-flags');
+    args.push('runtime');
+    */
+    // --p12-file developer-id.p12
+    // --p12-password-file ~/.certificate-password
+    // --code-signature-flags runtime
+    // path/to/executable
+    /*
+    if (typeof entitlement === 'string' && entitlement !== '') {
+      args.push('-e');
+      args.push(entitlement);
+    }
+    args.push('--binary-identifier');
+    args.push(identity);
+    */
+    if (typeof keychain === 'string') {
+      args.push('--keychain-fingerprint');
+      args.push(keychain);
+    }
+    args.push(file); // input
+    args.push(file + '.signed'); // output
+    console.error('rcodesign ' + args.join(' '));
+    const a = await execProgram('rcodesign', args, undefined);
+    if (a.code === 0) {
+      await execProgram('rm', ['-rf', file], undefined);
+      await execProgram('mv', [file + '.signed', file], undefined);
+    }
+    console.log(a.stderr);
+    return execProgram('cp', [file, '/tmp/newsigned'], undefined);
+  }
   /* use the --no-strict to avoid the "resource envelope is obsolete" error */
   const args = ["--no-strict"]; // http://stackoverflow.com/a/26204757
   args.push("-fs", identity);
@@ -181,6 +232,12 @@ async function verifyCodesign(
   file: string,
   keychain?: string,
 ): Promise<ExecResult> {
+  /*
+  if (tool === 'rcodesign') {
+    const args = ['verify', file];
+    return execProgram(getTool('rcodesign'), args, null, cb);
+  }
+  */
   const args = ["-v", "--no-strict"];
   if (typeof keychain === "string") {
     args.push("--keychain=" + keychain);