archify
Difference with my own script?
I'm currently using this script:
cd /path/to/application/bundle/
for i in ** ; lipo -extract arm64 $i -o $i.1 ; mv $i.1 $i ; end
It preserves the code signature but is very slow.
It seems like your script tries to do the same. But I'm confused about the part about ldid and signing. Since arm64 and x86_64 are separately signed, removing one wouldn't invalidate the signature.
I see what you mean. It depends on how code signing verification is enforced on your system.
When you extract a single arch, the code signature becomes invalid because the signature was created for the entire universal binary. When you extract just one architecture, the binary changes, and the original signature no longer matches the modified file. The code signature also includes various metadata, cryptographic hashes, etc.
I use ldid to include the entitlements of the original binary to ensure they are recognized as valid executables on the system. You can try and see how the signature changes for the modified binary.
Use codesign and otool to locate the segments and offsets of the signature
codesign -dvvv /path/to/binary
otool -l /path/to/binary
Then, use dd to extract them
dd if=/path/to/binary of=extracted_signature bs=1 skip=<offset> count=<size>
Also, take a look at the entitlements (in XML):
ldid -e /path/to/binary
jin@Joy-MBP ~/signtest [1]> file Texifier.app/Contents/MacOS/Texifier
Texifier.app/Contents/MacOS/Texifier: Mach-O universal binary with 2 architectures: [x86_64:Mach-O 64-bit executable x86_64
- Mach-O 64-bit executable x86_64] [arm64]
Texifier.app/Contents/MacOS/Texifier (for architecture x86_64): Mach-O 64-bit executable x86_64
Texifier.app/Contents/MacOS/Texifier (for architecture arm64): Mach-O 64-bit executable arm64
jin@Joy-MBP ~/signtest> sign Google\ Chrome.app/^C
jin@Joy-MBP ~/signtest> sign Texifier.app/
--prepared:/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
--validated:/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
Texifier.app/: valid on disk
Texifier.app/: satisfies its Designated Requirement
-----------------------------------------------------------------------------
Executable=/Users/jin/signtest/Texifier.app/Contents/MacOS/Texifier
Identifier=com.vallettaventures.Texpad
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=80423 flags=0x10000(runtime) hashes=2502+7 location=embedded
Signature size=9002
Authority=Developer ID Application: Valletta Ventures (UK) Ltd (4R4V82SR58)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 1, 2024 at 8:04:57 AM
Info.plist entries=36
TeamIdentifier=4R4V82SR58
Runtime Version=14.2.0
Sealed Resources version=2 rules=13 files=906
Internal requirements count=1 size=220
-----------------------------------------------------------------------------
Texifier.app/: accepted
source=Notarized Developer ID
jin@Joy-MBP ~/signtest> for ^C
jin@Joy-MBP ~/signtest> cd Texifier.app/Contents/
jin@Joy-MBP ~/s/T/Contents> for i in ** ; lipo -extract arm64 $i -o $i.1bk 2>/dev/null ; mv $i.1bk $i ; end
jin@Joy-MBP ~/signtest> sign Texifier.app/
--prepared:/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/Current/.
Texifier.app/: a sealed resource is missing or invalid
In subcomponent: /Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework
file modified: /Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Autoupdate.app/Contents/MacOS/fileop
file modified: /Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/Current/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
-----------------------------------------------------------------------------
Executable=/Users/jin/signtest/Texifier.app/Contents/MacOS/Texifier
Identifier=com.vallettaventures.Texpad
Format=app bundle with Mach-O universal (arm64)
CodeDirectory v=20500 size=80423 flags=0x10000(runtime) hashes=2502+7 location=embedded
Signature size=9002
Authority=Developer ID Application: Valletta Ventures (UK) Ltd (4R4V82SR58)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 1, 2024 at 8:04:57 AM
Info.plist entries=36
TeamIdentifier=4R4V82SR58
Runtime Version=14.2.0
Sealed Resources version=2 rules=13 files=906
Internal requirements count=1 size=220
-----------------------------------------------------------------------------
Texifier.app/: a sealed resource is missing or invalid
jin@Joy-MBP ~/signtest [1]> sign /Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app
--prepared:/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
--validated:/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/fileop
/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app: valid on disk
/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app: satisfies its Designated Requirement
-----------------------------------------------------------------------------
Executable=/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
Identifier=org.sparkle-project.Sparkle.Autoupdate
Format=app bundle with Mach-O universal (arm64)
CodeDirectory v=20500 size=1522 flags=0x10000(runtime) hashes=36+7 location=embedded
Signature size=9001
Authority=Developer ID Application: Valletta Ventures (UK) Ltd (4R4V82SR58)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Feb 1, 2024 at 8:04:56 AM
Info.plist entries=24
TeamIdentifier=4R4V82SR58
Runtime Version=14.2.0
Sealed Resources version=2 rules=13 files=35
Internal requirements count=1 size=232
-----------------------------------------------------------------------------
/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app: accepted
source=Notarized Developer ID
jin@Joy-MBP ~/signtest> file /Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate
/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate: Mach-O universal binary with 1 architecture: [arm64:Mach-O 64-bit executable arm64
- Mach-O 64-bit executable arm64]
/Users/jin/signtest/Texifier.app/Contents/Frameworks/Sparkle.framework/Versions/A/Resources/Autoupdate.app/Contents/MacOS/Autoupdate (for architecture arm64): Mach-O 64-bit executable arm64
jin@Joy-MBP ~/signtest>
It used to work with most apps but apparently this no longer works with apps that have embedded apps.
But for a simple app removing the x86_64 part should not invalidate its signature.
https://eclecticlight.co/2020/07/30/instant-weight-loss-how-to-strip-universal-apps/
And although this does not pass the command line test, when I actually try to open them (even with quarantine flags) they usually work.
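The point argued above (each slice carries its own signature, and `lipo -extract` leaves a one-architecture universal file, as the `file` output in the transcript shows) can be checked against the on-disk format. The Python below is an added example, not archify's code or either commenter's: the fat and Mach-O constants are the values from Apple's mach-o headers, while the sample binary and its signature blobs are constructed placeholders.

```python
import struct
FAT_MAGIC, MH_MAGIC_64, LC_CODE_SIGNATURE = 0xCAFEBABE, 0xFEEDFACF, 0x1D
CPU = {"x86_64": 0x01000007, "arm64": 0x0100000C}  # cputype values from <mach/machine.h>
ARCH = {v: k for k, v in CPU.items()}

def fat_slices(data):
    """Parse the big-endian fat header into {arch: (offset, size)}."""
    magic, nfat = struct.unpack_from(">2I", data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a universal (fat) binary")
    entries = (struct.unpack_from(">iiIII", data, 8 + 20 * i) for i in range(nfat))
    return {ARCH.get(ct, hex(ct)): (off, size) for ct, _, off, size, _ in entries}

def code_signature(blob):
    """Walk a thin slice's load commands; return its own LC_CODE_SIGNATURE (dataoff, datasize) or None."""
    magic, _, _, _, ncmds, _, _, _ = struct.unpack_from("<8I", blob, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit Mach-O slice")
    off = 32  # sizeof(struct mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", blob, off)
        if cmd == LC_CODE_SIGNATURE:
            return struct.unpack_from("<2I", blob, off + 8)
        off += cmdsize
    return None

def signature_bytes(data, arch):
    """What `dd` copies at a slice's LC_CODE_SIGNATURE offset/size (offsets are slice-relative)."""
    off, size = fat_slices(data)[arch]
    blob = data[off:off + size]
    dataoff, datasize = code_signature(blob) or (0, 0)  # unsigned slice -> empty blob
    return blob[dataoff:dataoff + datasize]

def extract_arch(data, arch, align=14):
    """Mimic `lipo -extract ARCH`: a one-slice fat file whose slice bytes are copied unchanged."""
    off, size = fat_slices(data)[arch]
    hdr = struct.pack(">2I", FAT_MAGIC, 1)
    hdr += struct.pack(">iiIII", CPU[arch], 0, 1 << align, size, align)
    return hdr.ljust(1 << align, b"\0") + data[off:off + size]

def make_fat(sigs, align=14):
    """Constructed sample: one toy slice per arch, one LC_CODE_SIGNATURE each, pointing at placeholder blobs."""
    fat, body = struct.pack(">2I", FAT_MAGIC, len(sigs)), b""
    for i, (arch, sig) in enumerate(sigs.items()):
        blob = struct.pack("<8I", MH_MAGIC_64, CPU[arch], 0, 2, 1, 16, 0, 0)  # ncmds=1, sizeofcmds=16
        blob += struct.pack("<4I", LC_CODE_SIGNATURE, 16, 48, len(sig)) + sig  # blob starts at byte 48
        fat += struct.pack(">iiIII", CPU[arch], 0, (i + 1) << align, len(blob), align)
        body += blob.ljust(1 << align, b"\0")  # one 16 KiB page per slice (toy sizes only)
    return fat.ljust(1 << align, b"\0") + body

SAMPLE = make_fat({"x86_64": b"X86-SIG-PLACEHOLDER", "arm64": b"ARM-SIG-PLACEHOLDER"})
```

This covers the per-slice signature only: the bundle-level seal in _CodeSignature/CodeResources hashes the files inside the bundle, which is why the transcript reports `file modified` for the thinned nested Autoupdate binaries even though Autoupdate.app itself is still accepted when verified on its own.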
Sorry for the late response. Yes, that is mostly the case, so that is why re-signing is optional. It will depend on the privacy settings of where you allow the apps. If you have further questions, please let me know.