codesign.cpp 53 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574
  1. /**************************************************************************/
  2. /* codesign.cpp */
  3. /**************************************************************************/
  4. /* This file is part of: */
  5. /* GODOT ENGINE */
  6. /* https://godotengine.org */
  7. /**************************************************************************/
  8. /* Copyright (c) 2014-present Godot Engine contributors (see AUTHORS.md). */
  9. /* Copyright (c) 2007-2014 Juan Linietsky, Ariel Manzur. */
  10. /* */
  11. /* Permission is hereby granted, free of charge, to any person obtaining */
  12. /* a copy of this software and associated documentation files (the */
  13. /* "Software"), to deal in the Software without restriction, including */
  14. /* without limitation the rights to use, copy, modify, merge, publish, */
  15. /* distribute, sublicense, and/or sell copies of the Software, and to */
  16. /* permit persons to whom the Software is furnished to do so, subject to */
  17. /* the following conditions: */
  18. /* */
  19. /* The above copyright notice and this permission notice shall be */
  20. /* included in all copies or substantial portions of the Software. */
  21. /* */
  22. /* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, */
  23. /* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF */
  24. /* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. */
  25. /* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY */
  26. /* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, */
  27. /* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE */
  28. /* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. */
  29. /**************************************************************************/
  30. #include "codesign.h"
  31. #include "lipo.h"
  32. #include "macho.h"
  33. #include "core/io/plist.h"
  34. #include "core/os/os.h"
  35. #include "editor/editor_paths.h"
  36. #include "editor/editor_settings.h"
  37. #include "modules/modules_enabled.gen.h" // For regex.
  38. #include <ctime>
  39. #ifdef MODULE_REGEX_ENABLED
  40. /*************************************************************************/
  41. /* CodeSignCodeResources */
  42. /*************************************************************************/
  43. String CodeSignCodeResources::hash_sha1_base64(const String &p_path) {
  44. Ref<FileAccess> fa = FileAccess::open(p_path, FileAccess::READ);
  45. ERR_FAIL_COND_V_MSG(fa.is_null(), String(), vformat("CodeSign/CodeResources: Can't open file: \"%s\".", p_path));
  46. CryptoCore::SHA1Context ctx;
  47. ctx.start();
  48. unsigned char step[4096];
  49. while (true) {
  50. uint64_t br = fa->get_buffer(step, 4096);
  51. if (br > 0) {
  52. ctx.update(step, br);
  53. }
  54. if (br < 4096) {
  55. break;
  56. }
  57. }
  58. unsigned char hash[0x14];
  59. ctx.finish(hash);
  60. return CryptoCore::b64_encode_str(hash, 0x14);
  61. }
  62. String CodeSignCodeResources::hash_sha256_base64(const String &p_path) {
  63. Ref<FileAccess> fa = FileAccess::open(p_path, FileAccess::READ);
  64. ERR_FAIL_COND_V_MSG(fa.is_null(), String(), vformat("CodeSign/CodeResources: Can't open file: \"%s\".", p_path));
  65. CryptoCore::SHA256Context ctx;
  66. ctx.start();
  67. unsigned char step[4096];
  68. while (true) {
  69. uint64_t br = fa->get_buffer(step, 4096);
  70. if (br > 0) {
  71. ctx.update(step, br);
  72. }
  73. if (br < 4096) {
  74. break;
  75. }
  76. }
  77. unsigned char hash[0x20];
  78. ctx.finish(hash);
  79. return CryptoCore::b64_encode_str(hash, 0x20);
  80. }
  81. void CodeSignCodeResources::add_rule1(const String &p_rule, const String &p_key, int p_weight, bool p_store) {
  82. rules1.push_back(CRRule(p_rule, p_key, p_weight, p_store));
  83. }
  84. void CodeSignCodeResources::add_rule2(const String &p_rule, const String &p_key, int p_weight, bool p_store) {
  85. rules2.push_back(CRRule(p_rule, p_key, p_weight, p_store));
  86. }
  87. CodeSignCodeResources::CRMatch CodeSignCodeResources::match_rules1(const String &p_path) const {
  88. CRMatch found = CRMatch::CR_MATCH_NO;
  89. int weight = 0;
  90. for (int i = 0; i < rules1.size(); i++) {
  91. RegEx regex = RegEx(rules1[i].file_pattern);
  92. if (regex.search(p_path).is_valid()) {
  93. if (rules1[i].key == "omit") {
  94. return CRMatch::CR_MATCH_NO;
  95. } else if (rules1[i].key == "nested") {
  96. if (weight <= rules1[i].weight) {
  97. found = CRMatch::CR_MATCH_NESTED;
  98. weight = rules1[i].weight;
  99. }
  100. } else if (rules1[i].key == "optional") {
  101. if (weight <= rules1[i].weight) {
  102. found = CRMatch::CR_MATCH_OPTIONAL;
  103. weight = rules1[i].weight;
  104. }
  105. } else {
  106. if (weight <= rules1[i].weight) {
  107. found = CRMatch::CR_MATCH_YES;
  108. weight = rules1[i].weight;
  109. }
  110. }
  111. }
  112. }
  113. return found;
  114. }
  115. CodeSignCodeResources::CRMatch CodeSignCodeResources::match_rules2(const String &p_path) const {
  116. CRMatch found = CRMatch::CR_MATCH_NO;
  117. int weight = 0;
  118. for (int i = 0; i < rules2.size(); i++) {
  119. RegEx regex = RegEx(rules2[i].file_pattern);
  120. if (regex.search(p_path).is_valid()) {
  121. if (rules2[i].key == "omit") {
  122. return CRMatch::CR_MATCH_NO;
  123. } else if (rules2[i].key == "nested") {
  124. if (weight <= rules2[i].weight) {
  125. found = CRMatch::CR_MATCH_NESTED;
  126. weight = rules2[i].weight;
  127. }
  128. } else if (rules2[i].key == "optional") {
  129. if (weight <= rules2[i].weight) {
  130. found = CRMatch::CR_MATCH_OPTIONAL;
  131. weight = rules2[i].weight;
  132. }
  133. } else {
  134. if (weight <= rules2[i].weight) {
  135. found = CRMatch::CR_MATCH_YES;
  136. weight = rules2[i].weight;
  137. }
  138. }
  139. }
  140. }
  141. return found;
  142. }
  143. bool CodeSignCodeResources::add_file1(const String &p_root, const String &p_path) {
  144. CRMatch found = match_rules1(p_path);
  145. if (found != CRMatch::CR_MATCH_YES && found != CRMatch::CR_MATCH_OPTIONAL) {
  146. return true; // No match.
  147. }
  148. CRFile f;
  149. f.name = p_path;
  150. f.optional = (found == CRMatch::CR_MATCH_OPTIONAL);
  151. f.nested = false;
  152. f.hash = hash_sha1_base64(p_root.path_join(p_path));
  153. print_verbose(vformat("CodeSign/CodeResources: File(V1) %s hash1:%s", f.name, f.hash));
  154. files1.push_back(f);
  155. return true;
  156. }
  157. bool CodeSignCodeResources::add_file2(const String &p_root, const String &p_path) {
  158. CRMatch found = match_rules2(p_path);
  159. if (found == CRMatch::CR_MATCH_NESTED) {
  160. return add_nested_file(p_root, p_path, p_root.path_join(p_path));
  161. }
  162. if (found != CRMatch::CR_MATCH_YES && found != CRMatch::CR_MATCH_OPTIONAL) {
  163. return true; // No match.
  164. }
  165. CRFile f;
  166. f.name = p_path;
  167. f.optional = (found == CRMatch::CR_MATCH_OPTIONAL);
  168. f.nested = false;
  169. f.hash = hash_sha1_base64(p_root.path_join(p_path));
  170. f.hash2 = hash_sha256_base64(p_root.path_join(p_path));
  171. print_verbose(vformat("CodeSign/CodeResources: File(V2) %s hash1:%s hash2:%s", f.name, f.hash, f.hash2));
  172. files2.push_back(f);
  173. return true;
  174. }
  175. bool CodeSignCodeResources::add_nested_file(const String &p_root, const String &p_path, const String &p_exepath) {
  176. #define CLEANUP() \
  177. if (files_to_add.size() > 1) { \
  178. for (int j = 0; j < files_to_add.size(); j++) { \
  179. da->remove(files_to_add[j]); \
  180. } \
  181. }
  182. Ref<DirAccess> da = DirAccess::create(DirAccess::ACCESS_FILESYSTEM);
  183. ERR_FAIL_COND_V(da.is_null(), false);
  184. Vector<String> files_to_add;
  185. if (LipO::is_lipo(p_exepath)) {
  186. String tmp_path_name = EditorPaths::get_singleton()->get_temp_dir().path_join("_lipo");
  187. Error err = da->make_dir_recursive(tmp_path_name);
  188. ERR_FAIL_COND_V_MSG(err != OK, false, vformat("CodeSign/CodeResources: Failed to create \"%s\" subfolder.", tmp_path_name));
  189. LipO lip;
  190. if (lip.open_file(p_exepath)) {
  191. for (int i = 0; i < lip.get_arch_count(); i++) {
  192. if (!lip.extract_arch(i, tmp_path_name.path_join("_rqexe_" + itos(i)))) {
  193. CLEANUP();
  194. ERR_FAIL_V_MSG(false, "CodeSign/CodeResources: Failed to extract thin binary.");
  195. }
  196. files_to_add.push_back(tmp_path_name.path_join("_rqexe_" + itos(i)));
  197. }
  198. }
  199. } else if (MachO::is_macho(p_exepath)) {
  200. files_to_add.push_back(p_exepath);
  201. }
  202. CRFile f;
  203. f.name = p_path;
  204. f.optional = false;
  205. f.nested = true;
  206. for (int i = 0; i < files_to_add.size(); i++) {
  207. MachO mh;
  208. if (!mh.open_file(files_to_add[i])) {
  209. CLEANUP();
  210. ERR_FAIL_V_MSG(false, "CodeSign/CodeResources: Invalid executable file.");
  211. }
  212. PackedByteArray hash = mh.get_cdhash_sha256(); // Use SHA-256 variant, if available.
  213. if (hash.size() != 0x20) {
  214. hash = mh.get_cdhash_sha1(); // Use SHA-1 instead.
  215. if (hash.size() != 0x14) {
  216. CLEANUP();
  217. ERR_FAIL_V_MSG(false, "CodeSign/CodeResources: Unsigned nested executable file.");
  218. }
  219. }
  220. hash.resize(0x14); // Always clamp to 0x14 size.
  221. f.hash = CryptoCore::b64_encode_str(hash.ptr(), hash.size());
  222. PackedByteArray rq_blob = mh.get_requirements();
  223. String req_string;
  224. if (rq_blob.size() > 8) {
  225. CodeSignRequirements rq = CodeSignRequirements(rq_blob);
  226. Vector<String> rqs = rq.parse_requirements();
  227. for (int j = 0; j < rqs.size(); j++) {
  228. if (rqs[j].begins_with("designated => ")) {
  229. req_string = rqs[j].replace("designated => ", "");
  230. }
  231. }
  232. }
  233. if (req_string.is_empty()) {
  234. req_string = "cdhash H\"" + String::hex_encode_buffer(hash.ptr(), hash.size()) + "\"";
  235. }
  236. print_verbose(vformat("CodeSign/CodeResources: Nested object %s (cputype: %d) cdhash:%s designated rq:%s", f.name, mh.get_cputype(), f.hash, req_string));
  237. if (f.requirements != req_string) {
  238. if (i != 0) {
  239. f.requirements += " or ";
  240. }
  241. f.requirements += req_string;
  242. }
  243. }
  244. files2.push_back(f);
  245. CLEANUP();
  246. return true;
  247. #undef CLEANUP
  248. }
  249. bool CodeSignCodeResources::add_folder_recursive(const String &p_root, const String &p_path, const String &p_main_exe_path) {
  250. Ref<DirAccess> da = DirAccess::create(DirAccess::ACCESS_FILESYSTEM);
  251. ERR_FAIL_COND_V(da.is_null(), false);
  252. Error err = da->change_dir(p_root.path_join(p_path));
  253. ERR_FAIL_COND_V(err != OK, false);
  254. bool ret = true;
  255. da->list_dir_begin();
  256. String n = da->get_next();
  257. while (n != String()) {
  258. if (n != "." && n != "..") {
  259. String path = p_root.path_join(p_path).path_join(n);
  260. if (path == p_main_exe_path) {
  261. n = da->get_next();
  262. continue; // Skip main executable.
  263. }
  264. if (da->current_is_dir()) {
  265. CRMatch found = match_rules2(p_path.path_join(n));
  266. String fmw_ver = "Current"; // Framework version (default).
  267. String info_path;
  268. String main_exe;
  269. bool bundle = false;
  270. if (da->file_exists(path.path_join("Contents/Info.plist"))) {
  271. info_path = path.path_join("Contents/Info.plist");
  272. main_exe = path.path_join("Contents/MacOS");
  273. bundle = true;
  274. } else if (da->file_exists(path.path_join(vformat("Versions/%s/Resources/Info.plist", fmw_ver)))) {
  275. info_path = path.path_join(vformat("Versions/%s/Resources/Info.plist", fmw_ver));
  276. main_exe = path.path_join(vformat("Versions/%s", fmw_ver));
  277. bundle = true;
  278. } else if (da->file_exists(path.path_join("Resources/Info.plist"))) {
  279. info_path = path.path_join("Resources/Info.plist");
  280. main_exe = path;
  281. bundle = true;
  282. } else if (da->file_exists(path.path_join("Info.plist"))) {
  283. info_path = path.path_join("Info.plist");
  284. main_exe = path;
  285. bundle = true;
  286. }
  287. if (bundle && found == CRMatch::CR_MATCH_NESTED && !info_path.is_empty()) {
  288. // Read Info.plist.
  289. PList info_plist;
  290. if (info_plist.load_file(info_path)) {
  291. if (info_plist.get_root()->data_type == PList::PLNodeType::PL_NODE_TYPE_DICT && info_plist.get_root()->data_dict.has("CFBundleExecutable")) {
  292. main_exe = main_exe.path_join(String::utf8(info_plist.get_root()->data_dict["CFBundleExecutable"]->data_string.get_data()));
  293. } else {
  294. ERR_FAIL_V_MSG(false, "CodeSign/CodeResources: Invalid Info.plist, no exe name.");
  295. }
  296. } else {
  297. ERR_FAIL_V_MSG(false, "CodeSign/CodeResources: Invalid Info.plist, can't load.");
  298. }
  299. ret = ret && add_nested_file(p_root, p_path.path_join(n), main_exe);
  300. } else {
  301. ret = ret && add_folder_recursive(p_root, p_path.path_join(n), p_main_exe_path);
  302. }
  303. } else {
  304. ret = ret && add_file1(p_root, p_path.path_join(n));
  305. ret = ret && add_file2(p_root, p_path.path_join(n));
  306. }
  307. }
  308. n = da->get_next();
  309. }
  310. da->list_dir_end();
  311. return ret;
  312. }
  313. bool CodeSignCodeResources::save_to_file(const String &p_path) {
  314. PList pl;
  315. print_verbose(vformat("CodeSign/CodeResources: Writing to file: %s", p_path));
  316. // Write version 1 hashes.
  317. Ref<PListNode> files1_dict = PListNode::new_dict();
  318. pl.get_root()->push_subnode(files1_dict, "files");
  319. for (int i = 0; i < files1.size(); i++) {
  320. if (files1[i].optional) {
  321. Ref<PListNode> file_dict = PListNode::new_dict();
  322. files1_dict->push_subnode(file_dict, files1[i].name);
  323. file_dict->push_subnode(PListNode::new_data(files1[i].hash), "hash");
  324. file_dict->push_subnode(PListNode::new_bool(true), "optional");
  325. } else {
  326. files1_dict->push_subnode(PListNode::new_data(files1[i].hash), files1[i].name);
  327. }
  328. }
  329. // Write version 2 hashes.
  330. Ref<PListNode> files2_dict = PListNode::new_dict();
  331. pl.get_root()->push_subnode(files2_dict, "files2");
  332. for (int i = 0; i < files2.size(); i++) {
  333. Ref<PListNode> file_dict = PListNode::new_dict();
  334. files2_dict->push_subnode(file_dict, files2[i].name);
  335. if (files2[i].nested) {
  336. file_dict->push_subnode(PListNode::new_data(files2[i].hash), "cdhash");
  337. file_dict->push_subnode(PListNode::new_string(files2[i].requirements), "requirement");
  338. } else {
  339. file_dict->push_subnode(PListNode::new_data(files2[i].hash), "hash");
  340. file_dict->push_subnode(PListNode::new_data(files2[i].hash2), "hash2");
  341. if (files2[i].optional) {
  342. file_dict->push_subnode(PListNode::new_bool(true), "optional");
  343. }
  344. }
  345. }
  346. // Write version 1 rules.
  347. Ref<PListNode> rules1_dict = PListNode::new_dict();
  348. pl.get_root()->push_subnode(rules1_dict, "rules");
  349. for (int i = 0; i < rules1.size(); i++) {
  350. if (rules1[i].store) {
  351. if (rules1[i].key.is_empty() && rules1[i].weight <= 0) {
  352. rules1_dict->push_subnode(PListNode::new_bool(true), rules1[i].file_pattern);
  353. } else {
  354. Ref<PListNode> rule_dict = PListNode::new_dict();
  355. rules1_dict->push_subnode(rule_dict, rules1[i].file_pattern);
  356. if (!rules1[i].key.is_empty()) {
  357. rule_dict->push_subnode(PListNode::new_bool(true), rules1[i].key);
  358. }
  359. if (rules1[i].weight != 1) {
  360. rule_dict->push_subnode(PListNode::new_real(rules1[i].weight), "weight");
  361. }
  362. }
  363. }
  364. }
  365. // Write version 2 rules.
  366. Ref<PListNode> rules2_dict = PListNode::new_dict();
  367. pl.get_root()->push_subnode(rules2_dict, "rules2");
  368. for (int i = 0; i < rules2.size(); i++) {
  369. if (rules2[i].store) {
  370. if (rules2[i].key.is_empty() && rules2[i].weight <= 0) {
  371. rules2_dict->push_subnode(PListNode::new_bool(true), rules2[i].file_pattern);
  372. } else {
  373. Ref<PListNode> rule_dict = PListNode::new_dict();
  374. rules2_dict->push_subnode(rule_dict, rules2[i].file_pattern);
  375. if (!rules2[i].key.is_empty()) {
  376. rule_dict->push_subnode(PListNode::new_bool(true), rules2[i].key);
  377. }
  378. if (rules2[i].weight != 1) {
  379. rule_dict->push_subnode(PListNode::new_real(rules2[i].weight), "weight");
  380. }
  381. }
  382. }
  383. }
  384. String text = pl.save_text();
  385. ERR_FAIL_COND_V_MSG(text.is_empty(), false, "CodeSign/CodeResources: Generating resources PList failed.");
  386. Ref<FileAccess> fa = FileAccess::open(p_path, FileAccess::WRITE);
  387. ERR_FAIL_COND_V_MSG(fa.is_null(), false, vformat("CodeSign/CodeResources: Can't open file: \"%s\".", p_path));
  388. CharString cs = text.utf8();
  389. fa->store_buffer((const uint8_t *)cs.ptr(), cs.length());
  390. return true;
  391. }
  392. /*************************************************************************/
  393. /* CodeSignRequirements */
  394. /*************************************************************************/
  395. CodeSignRequirements::CodeSignRequirements() {
  396. blob.append_array({ 0xFA, 0xDE, 0x0C, 0x01 }); // Requirement set magic.
  397. blob.append_array({ 0x00, 0x00, 0x00, 0x0C }); // Length of requirements set (12 bytes).
  398. blob.append_array({ 0x00, 0x00, 0x00, 0x00 }); // Empty.
  399. }
  400. CodeSignRequirements::CodeSignRequirements(const PackedByteArray &p_data) {
  401. blob = p_data;
  402. }
  403. _FORCE_INLINE_ void CodeSignRequirements::_parse_certificate_slot(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  404. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  405. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  406. r_out += "certificate ";
  407. uint32_t tag_slot = _R(r_pos);
  408. if (tag_slot == 0x00000000) {
  409. r_out += "leaf";
  410. } else if (tag_slot == 0xffffffff) {
  411. r_out += "root";
  412. } else {
  413. r_out += itos((int32_t)tag_slot);
  414. }
  415. r_pos += 4;
  416. #undef _R
  417. }
  418. _FORCE_INLINE_ void CodeSignRequirements::_parse_key(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  419. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  420. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  421. uint32_t key_size = _R(r_pos);
  422. ERR_FAIL_COND_MSG(r_pos + key_size > p_rq_size, "CodeSign/Requirements: Out of bounds.");
  423. CharString key;
  424. key.resize(key_size);
  425. memcpy(key.ptrw(), blob.ptr() + r_pos + 4, key_size);
  426. r_pos += 4 + key_size + PAD(key_size, 4);
  427. r_out += "[" + String::utf8(key, key_size) + "]";
  428. #undef _R
  429. }
  430. _FORCE_INLINE_ void CodeSignRequirements::_parse_oid_key(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  431. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  432. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  433. uint32_t key_size = _R(r_pos);
  434. ERR_FAIL_COND_MSG(r_pos + key_size > p_rq_size, "CodeSign/Requirements: Out of bounds.");
  435. r_out += "[field.";
  436. r_out += itos(blob[r_pos + 4] / 40) + ".";
  437. r_out += itos(blob[r_pos + 4] % 40);
  438. uint32_t spos = r_pos + 5;
  439. while (spos < r_pos + 4 + key_size) {
  440. r_out += ".";
  441. if (blob[spos] <= 127) {
  442. r_out += itos(blob[spos]);
  443. spos += 1;
  444. } else {
  445. uint32_t x = (0x7F & blob[spos]) << 7;
  446. spos += 1;
  447. while (blob[spos] > 127) {
  448. x = (x + (0x7F & blob[spos])) << 7;
  449. spos += 1;
  450. }
  451. x = (x + (0x7F & blob[spos]));
  452. r_out += itos(x);
  453. spos += 1;
  454. }
  455. }
  456. r_out += "]";
  457. r_pos += 4 + key_size + PAD(key_size, 4);
  458. #undef _R
  459. }
  460. _FORCE_INLINE_ void CodeSignRequirements::_parse_hash_string(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  461. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  462. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  463. uint32_t tag_size = _R(r_pos);
  464. ERR_FAIL_COND_MSG(r_pos + tag_size > p_rq_size, "CodeSign/Requirements: Out of bounds.");
  465. PackedByteArray data;
  466. data.resize(tag_size);
  467. memcpy(data.ptrw(), blob.ptr() + r_pos + 4, tag_size);
  468. r_out += "H\"" + String::hex_encode_buffer(data.ptr(), data.size()) + "\"";
  469. r_pos += 4 + tag_size + PAD(tag_size, 4);
  470. #undef _R
  471. }
  472. _FORCE_INLINE_ void CodeSignRequirements::_parse_value(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  473. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  474. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  475. uint32_t key_size = _R(r_pos);
  476. ERR_FAIL_COND_MSG(r_pos + key_size > p_rq_size, "CodeSign/Requirements: Out of bounds.");
  477. CharString key;
  478. key.resize(key_size);
  479. memcpy(key.ptrw(), blob.ptr() + r_pos + 4, key_size);
  480. r_pos += 4 + key_size + PAD(key_size, 4);
  481. r_out += "\"" + String::utf8(key, key_size) + "\"";
  482. #undef _R
  483. }
  484. _FORCE_INLINE_ void CodeSignRequirements::_parse_date(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  485. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  486. ERR_FAIL_COND_MSG(r_pos >= p_rq_size, "CodeSign/Requirements: Out of bounds.");
  487. uint32_t date = _R(r_pos);
  488. time_t t = 978307200 + date;
  489. struct tm lt;
  490. #ifdef WINDOWS_ENABLED
  491. gmtime_s(&lt, &t);
  492. #else
  493. gmtime_r(&t, &lt);
  494. #endif
  495. r_out += vformat("<%04d-%02d-%02d ", (int)(1900 + lt.tm_year), (int)(lt.tm_mon + 1), (int)(lt.tm_mday)) + vformat("%02d:%02d:%02d +0000>", (int)(lt.tm_hour), (int)(lt.tm_min), (int)(lt.tm_sec));
  496. #undef _R
  497. }
  498. _FORCE_INLINE_ bool CodeSignRequirements::_parse_match(uint32_t &r_pos, String &r_out, uint32_t p_rq_size) const {
  499. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  500. ERR_FAIL_COND_V_MSG(r_pos >= p_rq_size, false, "CodeSign/Requirements: Out of bounds.");
  501. uint32_t match = _R(r_pos);
  502. r_pos += 4;
  503. switch (match) {
  504. case 0x00000000: {
  505. r_out += "exists";
  506. } break;
  507. case 0x00000001: {
  508. r_out += "= ";
  509. _parse_value(r_pos, r_out, p_rq_size);
  510. } break;
  511. case 0x00000002: {
  512. r_out += "~ ";
  513. _parse_value(r_pos, r_out, p_rq_size);
  514. } break;
  515. case 0x00000003: {
  516. r_out += "= *";
  517. _parse_value(r_pos, r_out, p_rq_size);
  518. } break;
  519. case 0x00000004: {
  520. r_out += "= ";
  521. _parse_value(r_pos, r_out, p_rq_size);
  522. r_out += "*";
  523. } break;
  524. case 0x00000005: {
  525. r_out += "< ";
  526. _parse_value(r_pos, r_out, p_rq_size);
  527. } break;
  528. case 0x00000006: {
  529. r_out += "> ";
  530. _parse_value(r_pos, r_out, p_rq_size);
  531. } break;
  532. case 0x00000007: {
  533. r_out += "<= ";
  534. _parse_value(r_pos, r_out, p_rq_size);
  535. } break;
  536. case 0x00000008: {
  537. r_out += ">= ";
  538. _parse_value(r_pos, r_out, p_rq_size);
  539. } break;
  540. case 0x00000009: {
  541. r_out += "= ";
  542. _parse_date(r_pos, r_out, p_rq_size);
  543. } break;
  544. case 0x0000000A: {
  545. r_out += "< ";
  546. _parse_date(r_pos, r_out, p_rq_size);
  547. } break;
  548. case 0x0000000B: {
  549. r_out += "> ";
  550. _parse_date(r_pos, r_out, p_rq_size);
  551. } break;
  552. case 0x0000000C: {
  553. r_out += "<= ";
  554. _parse_date(r_pos, r_out, p_rq_size);
  555. } break;
  556. case 0x0000000D: {
  557. r_out += ">= ";
  558. _parse_date(r_pos, r_out, p_rq_size);
  559. } break;
  560. case 0x0000000E: {
  561. r_out += "absent";
  562. } break;
  563. default: {
  564. return false;
  565. }
  566. }
  567. return true;
  568. #undef _R
  569. }
  570. Vector<String> CodeSignRequirements::parse_requirements() const {
  571. #define _R(x) BSWAP32(*(uint32_t *)(blob.ptr() + x))
  572. Vector<String> list;
  573. // Read requirements set header.
  574. ERR_FAIL_COND_V_MSG(blob.size() < 12, list, "CodeSign/Requirements: Blob is too small.");
  575. uint32_t magic = _R(0);
  576. ERR_FAIL_COND_V_MSG(magic != 0xfade0c01, list, "CodeSign/Requirements: Invalid set magic.");
  577. uint32_t size = _R(4);
  578. ERR_FAIL_COND_V_MSG(size != (uint32_t)blob.size(), list, "CodeSign/Requirements: Invalid set size.");
  579. uint32_t count = _R(8);
  580. for (uint32_t i = 0; i < count; i++) {
  581. String out;
  582. // Read requirement header.
  583. uint32_t rq_type = _R(12 + i * 8);
  584. uint32_t rq_offset = _R(12 + i * 8 + 4);
  585. ERR_FAIL_COND_V_MSG(rq_offset + 12 >= (uint32_t)blob.size(), list, "CodeSign/Requirements: Invalid requirement offset.");
  586. switch (rq_type) {
  587. case 0x00000001: {
  588. out += "host => ";
  589. } break;
  590. case 0x00000002: {
  591. out += "guest => ";
  592. } break;
  593. case 0x00000003: {
  594. out += "designated => ";
  595. } break;
  596. case 0x00000004: {
  597. out += "library => ";
  598. } break;
  599. case 0x00000005: {
  600. out += "plugin => ";
  601. } break;
  602. default: {
  603. ERR_FAIL_V_MSG(list, "CodeSign/Requirements: Invalid requirement type.");
  604. }
  605. }
  606. uint32_t rq_magic = _R(rq_offset);
  607. uint32_t rq_size = _R(rq_offset + 4);
  608. uint32_t rq_ver = _R(rq_offset + 8);
  609. uint32_t pos = rq_offset + 12;
  610. ERR_FAIL_COND_V_MSG(rq_magic != 0xfade0c00, list, "CodeSign/Requirements: Invalid requirement magic.");
  611. ERR_FAIL_COND_V_MSG(rq_ver != 0x00000001, list, "CodeSign/Requirements: Invalid requirement version.");
  612. // Read requirement tokens.
  613. List<String> tokens;
  614. while (pos < rq_offset + rq_size) {
  615. uint32_t rq_tag = _R(pos);
  616. pos += 4;
  617. String token;
  618. switch (rq_tag) {
  619. case 0x00000000: {
  620. token = "false";
  621. } break;
  622. case 0x00000001: {
  623. token = "true";
  624. } break;
  625. case 0x00000002: {
  626. token = "identifier ";
  627. _parse_value(pos, token, rq_offset + rq_size);
  628. } break;
  629. case 0x00000003: {
  630. token = "anchor apple";
  631. } break;
  632. case 0x00000004: {
  633. _parse_certificate_slot(pos, token, rq_offset + rq_size);
  634. token += " ";
  635. _parse_hash_string(pos, token, rq_offset + rq_size);
  636. } break;
  637. case 0x00000005: {
  638. token = "info";
  639. _parse_key(pos, token, rq_offset + rq_size);
  640. token += " = ";
  641. _parse_value(pos, token, rq_offset + rq_size);
  642. } break;
  643. case 0x00000006: {
  644. token = "and";
  645. } break;
  646. case 0x00000007: {
  647. token = "or";
  648. } break;
  649. case 0x00000008: {
  650. token = "cdhash ";
  651. _parse_hash_string(pos, token, rq_offset + rq_size);
  652. } break;
  653. case 0x00000009: {
  654. token = "!";
  655. } break;
  656. case 0x0000000A: {
  657. token = "info";
  658. _parse_key(pos, token, rq_offset + rq_size);
  659. token += " ";
  660. ERR_FAIL_COND_V_MSG(!_parse_match(pos, token, rq_offset + rq_size), list, "CodeSign/Requirements: Unsupported match suffix.");
  661. } break;
  662. case 0x0000000B: {
  663. _parse_certificate_slot(pos, token, rq_offset + rq_size);
  664. _parse_key(pos, token, rq_offset + rq_size);
  665. token += " ";
  666. ERR_FAIL_COND_V_MSG(!_parse_match(pos, token, rq_offset + rq_size), list, "CodeSign/Requirements: Unsupported match suffix.");
  667. } break;
  668. case 0x0000000C: {
  669. _parse_certificate_slot(pos, token, rq_offset + rq_size);
  670. token += " trusted";
  671. } break;
  672. case 0x0000000D: {
  673. token = "anchor trusted";
  674. } break;
  675. case 0x0000000E: {
  676. _parse_certificate_slot(pos, token, rq_offset + rq_size);
  677. _parse_oid_key(pos, token, rq_offset + rq_size);
  678. token += " ";
  679. ERR_FAIL_COND_V_MSG(!_parse_match(pos, token, rq_offset + rq_size), list, "CodeSign/Requirements: Unsupported match suffix.");
  680. } break;
  681. case 0x0000000F: {
  682. token = "anchor apple generic";
  683. } break;
  684. default: {
  685. ERR_FAIL_V_MSG(list, "CodeSign/Requirements: Invalid requirement token.");
  686. } break;
  687. }
  688. tokens.push_back(token);
  689. }
  690. // Polish to infix notation (w/o bracket optimization).
  691. for (List<String>::Element *E = tokens.back(); E; E = E->prev()) {
  692. if (E->get() == "and") {
  693. ERR_FAIL_COND_V_MSG(!E->next() || !E->next()->next(), list, "CodeSign/Requirements: Invalid token sequence.");
  694. String token = "(" + E->next()->get() + " and " + E->next()->next()->get() + ")";
  695. tokens.erase(E->next()->next());
  696. tokens.erase(E->next());
  697. E->get() = token;
  698. } else if (E->get() == "or") {
  699. ERR_FAIL_COND_V_MSG(!E->next() || !E->next()->next(), list, "CodeSign/Requirements: Invalid token sequence.");
  700. String token = "(" + E->next()->get() + " or " + E->next()->next()->get() + ")";
  701. tokens.erase(E->next()->next());
  702. tokens.erase(E->next());
  703. E->get() = token;
  704. }
  705. }
  706. if (tokens.size() == 1) {
  707. list.push_back(out + tokens.front()->get());
  708. } else {
  709. ERR_FAIL_V_MSG(list, "CodeSign/Requirements: Invalid token sequence.");
  710. }
  711. }
  712. return list;
  713. #undef _R
  714. }
  715. PackedByteArray CodeSignRequirements::get_hash_sha1() const {
  716. PackedByteArray hash;
  717. hash.resize(0x14);
  718. CryptoCore::SHA1Context ctx;
  719. ctx.start();
  720. ctx.update(blob.ptr(), blob.size());
  721. ctx.finish(hash.ptrw());
  722. return hash;
  723. }
  724. PackedByteArray CodeSignRequirements::get_hash_sha256() const {
  725. PackedByteArray hash;
  726. hash.resize(0x20);
  727. CryptoCore::SHA256Context ctx;
  728. ctx.start();
  729. ctx.update(blob.ptr(), blob.size());
  730. ctx.finish(hash.ptrw());
  731. return hash;
  732. }
  733. int CodeSignRequirements::get_size() const {
  734. return blob.size();
  735. }
  736. void CodeSignRequirements::write_to_file(Ref<FileAccess> p_file) const {
  737. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/Requirements: Invalid file handle.");
  738. p_file->store_buffer(blob.ptr(), blob.size());
  739. }
  740. /*************************************************************************/
  741. /* CodeSignEntitlementsText */
  742. /*************************************************************************/
  743. CodeSignEntitlementsText::CodeSignEntitlementsText() {
  744. blob.append_array({ 0xFA, 0xDE, 0x71, 0x71 }); // Text Entitlements set magic.
  745. blob.append_array({ 0x00, 0x00, 0x00, 0x08 }); // Length (8 bytes).
  746. }
  747. CodeSignEntitlementsText::CodeSignEntitlementsText(const String &p_string) {
  748. CharString utf8 = p_string.utf8();
  749. blob.append_array({ 0xFA, 0xDE, 0x71, 0x71 }); // Text Entitlements set magic.
  750. for (int i = 3; i >= 0; i--) {
  751. uint8_t x = ((utf8.length() + 8) >> i * 8) & 0xFF; // Size.
  752. blob.push_back(x);
  753. }
  754. for (int i = 0; i < utf8.length(); i++) { // Write data.
  755. blob.push_back(utf8[i]);
  756. }
  757. }
  758. PackedByteArray CodeSignEntitlementsText::get_hash_sha1() const {
  759. PackedByteArray hash;
  760. hash.resize(0x14);
  761. CryptoCore::SHA1Context ctx;
  762. ctx.start();
  763. ctx.update(blob.ptr(), blob.size());
  764. ctx.finish(hash.ptrw());
  765. return hash;
  766. }
  767. PackedByteArray CodeSignEntitlementsText::get_hash_sha256() const {
  768. PackedByteArray hash;
  769. hash.resize(0x20);
  770. CryptoCore::SHA256Context ctx;
  771. ctx.start();
  772. ctx.update(blob.ptr(), blob.size());
  773. ctx.finish(hash.ptrw());
  774. return hash;
  775. }
  776. int CodeSignEntitlementsText::get_size() const {
  777. return blob.size();
  778. }
  779. void CodeSignEntitlementsText::write_to_file(Ref<FileAccess> p_file) const {
  780. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/EntitlementsText: Invalid file handle.");
  781. p_file->store_buffer(blob.ptr(), blob.size());
  782. }
  783. /*************************************************************************/
  784. /* CodeSignEntitlementsBinary */
  785. /*************************************************************************/
  786. CodeSignEntitlementsBinary::CodeSignEntitlementsBinary() {
  787. blob.append_array({ 0xFA, 0xDE, 0x71, 0x72 }); // Binary Entitlements magic.
  788. blob.append_array({ 0x00, 0x00, 0x00, 0x08 }); // Length (8 bytes).
  789. }
  790. CodeSignEntitlementsBinary::CodeSignEntitlementsBinary(const String &p_string) {
  791. PList pl = PList(p_string);
  792. PackedByteArray asn1 = pl.save_asn1();
  793. blob.append_array({ 0xFA, 0xDE, 0x71, 0x72 }); // Binary Entitlements magic.
  794. uint32_t size = asn1.size() + 8;
  795. for (int i = 3; i >= 0; i--) {
  796. uint8_t x = (size >> i * 8) & 0xFF; // Size.
  797. blob.push_back(x);
  798. }
  799. blob.append_array(asn1); // Write data.
  800. }
  801. PackedByteArray CodeSignEntitlementsBinary::get_hash_sha1() const {
  802. PackedByteArray hash;
  803. hash.resize(0x14);
  804. CryptoCore::SHA1Context ctx;
  805. ctx.start();
  806. ctx.update(blob.ptr(), blob.size());
  807. ctx.finish(hash.ptrw());
  808. return hash;
  809. }
  810. PackedByteArray CodeSignEntitlementsBinary::get_hash_sha256() const {
  811. PackedByteArray hash;
  812. hash.resize(0x20);
  813. CryptoCore::SHA256Context ctx;
  814. ctx.start();
  815. ctx.update(blob.ptr(), blob.size());
  816. ctx.finish(hash.ptrw());
  817. return hash;
  818. }
  819. int CodeSignEntitlementsBinary::get_size() const {
  820. return blob.size();
  821. }
  822. void CodeSignEntitlementsBinary::write_to_file(Ref<FileAccess> p_file) const {
  823. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/EntitlementsBinary: Invalid file handle.");
  824. p_file->store_buffer(blob.ptr(), blob.size());
  825. }
  826. /*************************************************************************/
  827. /* CodeSignCodeDirectory */
  828. /*************************************************************************/
  829. CodeSignCodeDirectory::CodeSignCodeDirectory() {
  830. blob.append_array({ 0xFA, 0xDE, 0x0C, 0x02 }); // Code Directory magic.
  831. blob.append_array({ 0x00, 0x00, 0x00, 0x00 }); // Size (8 bytes).
  832. }
  833. CodeSignCodeDirectory::CodeSignCodeDirectory(uint8_t p_hash_size, uint8_t p_hash_type, bool p_main, const CharString &p_id, const CharString &p_team_id, uint32_t p_page_size, uint64_t p_exe_limit, uint64_t p_code_limit) {
  834. pages = p_code_limit / (uint64_t(1) << p_page_size);
  835. remain = p_code_limit % (uint64_t(1) << p_page_size);
  836. code_slots = pages + (remain > 0 ? 1 : 0);
  837. special_slots = 7;
  838. int cd_size = 8 + sizeof(CodeDirectoryHeader) + (code_slots + special_slots) * p_hash_size + p_id.size() + p_team_id.size();
  839. int cd_off = 8 + sizeof(CodeDirectoryHeader);
  840. blob.append_array({ 0xFA, 0xDE, 0x0C, 0x02 }); // Code Directory magic.
  841. for (int i = 3; i >= 0; i--) {
  842. uint8_t x = (cd_size >> i * 8) & 0xFF; // Size.
  843. blob.push_back(x);
  844. }
  845. blob.resize(cd_size);
  846. memset(blob.ptrw() + 8, 0x00, cd_size - 8);
  847. CodeDirectoryHeader *cd = reinterpret_cast<CodeDirectoryHeader *>(blob.ptrw() + 8);
  848. bool is_64_cl = (p_code_limit >= std::numeric_limits<uint32_t>::max());
  849. // Version and options.
  850. cd->version = BSWAP32(0x20500);
  851. cd->flags = BSWAP32(SIGNATURE_ADHOC | SIGNATURE_RUNTIME);
  852. cd->special_slots = BSWAP32(special_slots);
  853. cd->code_slots = BSWAP32(code_slots);
  854. if (is_64_cl) {
  855. cd->code_limit_64 = BSWAP64(p_code_limit);
  856. } else {
  857. cd->code_limit = BSWAP32(p_code_limit);
  858. }
  859. cd->hash_size = p_hash_size;
  860. cd->hash_type = p_hash_type;
  861. cd->page_size = p_page_size;
  862. cd->exec_seg_base = 0x00;
  863. cd->exec_seg_limit = BSWAP64(p_exe_limit);
  864. cd->exec_seg_flags = 0;
  865. if (p_main) {
  866. cd->exec_seg_flags |= EXECSEG_MAIN_BINARY;
  867. }
  868. cd->exec_seg_flags = BSWAP64(cd->exec_seg_flags);
  869. uint32_t version = (11 << 16) + (3 << 8) + 0; // Version 11.3.0
  870. cd->runtime = BSWAP32(version);
  871. // Copy ID.
  872. cd->ident_offset = BSWAP32(cd_off);
  873. memcpy(blob.ptrw() + cd_off, p_id.get_data(), p_id.size());
  874. cd_off += p_id.size();
  875. // Copy Team ID.
  876. if (p_team_id.length() > 0) {
  877. cd->team_offset = BSWAP32(cd_off);
  878. memcpy(blob.ptrw() + cd_off, p_team_id.get_data(), p_team_id.size());
  879. cd_off += p_team_id.size();
  880. } else {
  881. cd->team_offset = 0;
  882. }
  883. // Scatter vector.
  884. cd->scatter_vector_offset = 0; // Not used.
  885. // Executable hashes offset.
  886. cd->hash_offset = BSWAP32(cd_off + special_slots * cd->hash_size);
  887. }
  888. bool CodeSignCodeDirectory::set_hash_in_slot(const PackedByteArray &p_hash, int p_slot) {
  889. ERR_FAIL_COND_V_MSG((p_slot < -special_slots) || (p_slot >= code_slots), false, vformat("CodeSign/CodeDirectory: Invalid hash slot index: %d.", p_slot));
  890. CodeDirectoryHeader *cd = reinterpret_cast<CodeDirectoryHeader *>(blob.ptrw() + 8);
  891. for (int i = 0; i < cd->hash_size; i++) {
  892. blob.write[BSWAP32(cd->hash_offset) + p_slot * cd->hash_size + i] = p_hash[i];
  893. }
  894. return true;
  895. }
  896. int32_t CodeSignCodeDirectory::get_page_count() {
  897. return pages;
  898. }
  899. int32_t CodeSignCodeDirectory::get_page_remainder() {
  900. return remain;
  901. }
  902. PackedByteArray CodeSignCodeDirectory::get_hash_sha1() const {
  903. PackedByteArray hash;
  904. hash.resize(0x14);
  905. CryptoCore::SHA1Context ctx;
  906. ctx.start();
  907. ctx.update(blob.ptr(), blob.size());
  908. ctx.finish(hash.ptrw());
  909. return hash;
  910. }
  911. PackedByteArray CodeSignCodeDirectory::get_hash_sha256() const {
  912. PackedByteArray hash;
  913. hash.resize(0x20);
  914. CryptoCore::SHA256Context ctx;
  915. ctx.start();
  916. ctx.update(blob.ptr(), blob.size());
  917. ctx.finish(hash.ptrw());
  918. return hash;
  919. }
  920. int CodeSignCodeDirectory::get_size() const {
  921. return blob.size();
  922. }
  923. void CodeSignCodeDirectory::write_to_file(Ref<FileAccess> p_file) const {
  924. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/CodeDirectory: Invalid file handle.");
  925. p_file->store_buffer(blob.ptr(), blob.size());
  926. }
  927. /*************************************************************************/
  928. /* CodeSignSignature */
  929. /*************************************************************************/
  930. CodeSignSignature::CodeSignSignature() {
  931. blob.append_array({ 0xFA, 0xDE, 0x0B, 0x01 }); // Signature magic.
  932. uint32_t sign_size = 8; // Ad-hoc signature is empty.
  933. for (int i = 3; i >= 0; i--) {
  934. uint8_t x = (sign_size >> i * 8) & 0xFF; // Size.
  935. blob.push_back(x);
  936. }
  937. }
  938. PackedByteArray CodeSignSignature::get_hash_sha1() const {
  939. PackedByteArray hash;
  940. hash.resize(0x14);
  941. CryptoCore::SHA1Context ctx;
  942. ctx.start();
  943. ctx.update(blob.ptr(), blob.size());
  944. ctx.finish(hash.ptrw());
  945. return hash;
  946. }
  947. PackedByteArray CodeSignSignature::get_hash_sha256() const {
  948. PackedByteArray hash;
  949. hash.resize(0x20);
  950. CryptoCore::SHA256Context ctx;
  951. ctx.start();
  952. ctx.update(blob.ptr(), blob.size());
  953. ctx.finish(hash.ptrw());
  954. return hash;
  955. }
  956. int CodeSignSignature::get_size() const {
  957. return blob.size();
  958. }
  959. void CodeSignSignature::write_to_file(Ref<FileAccess> p_file) const {
  960. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/Signature: Invalid file handle.");
  961. p_file->store_buffer(blob.ptr(), blob.size());
  962. }
  963. /*************************************************************************/
  964. /* CodeSignSuperBlob */
  965. /*************************************************************************/
  966. bool CodeSignSuperBlob::add_blob(const Ref<CodeSignBlob> &p_blob) {
  967. if (p_blob.is_valid()) {
  968. blobs.push_back(p_blob);
  969. return true;
  970. } else {
  971. return false;
  972. }
  973. }
  974. int CodeSignSuperBlob::get_size() const {
  975. int size = 12 + blobs.size() * 8;
  976. for (int i = 0; i < blobs.size(); i++) {
  977. if (blobs[i].is_null()) {
  978. return 0;
  979. }
  980. size += blobs[i]->get_size();
  981. }
  982. return size;
  983. }
  984. void CodeSignSuperBlob::write_to_file(Ref<FileAccess> p_file) const {
  985. ERR_FAIL_COND_MSG(p_file.is_null(), "CodeSign/SuperBlob: Invalid file handle.");
  986. uint32_t size = get_size();
  987. uint32_t data_offset = 12 + blobs.size() * 8;
  988. // Write header.
  989. p_file->store_32(BSWAP32(0xfade0cc0));
  990. p_file->store_32(BSWAP32(size));
  991. p_file->store_32(BSWAP32(blobs.size()));
  992. // Write index.
  993. for (int i = 0; i < blobs.size(); i++) {
  994. if (blobs[i].is_null()) {
  995. return;
  996. }
  997. p_file->store_32(BSWAP32(blobs[i]->get_index_type()));
  998. p_file->store_32(BSWAP32(data_offset));
  999. data_offset += blobs[i]->get_size();
  1000. }
  1001. // Write blobs.
  1002. for (int i = 0; i < blobs.size(); i++) {
  1003. blobs[i]->write_to_file(p_file);
  1004. }
  1005. }
  1006. /*************************************************************************/
  1007. /* CodeSign */
  1008. /*************************************************************************/
  1009. PackedByteArray CodeSign::file_hash_sha1(const String &p_path) {
  1010. PackedByteArray file_hash;
  1011. Ref<FileAccess> f = FileAccess::open(p_path, FileAccess::READ);
  1012. ERR_FAIL_COND_V_MSG(f.is_null(), PackedByteArray(), vformat("CodeSign: Can't open file: \"%s\".", p_path));
  1013. CryptoCore::SHA1Context ctx;
  1014. ctx.start();
  1015. unsigned char step[4096];
  1016. while (true) {
  1017. uint64_t br = f->get_buffer(step, 4096);
  1018. if (br > 0) {
  1019. ctx.update(step, br);
  1020. }
  1021. if (br < 4096) {
  1022. break;
  1023. }
  1024. }
  1025. file_hash.resize(0x14);
  1026. ctx.finish(file_hash.ptrw());
  1027. return file_hash;
  1028. }
  1029. PackedByteArray CodeSign::file_hash_sha256(const String &p_path) {
  1030. PackedByteArray file_hash;
  1031. Ref<FileAccess> f = FileAccess::open(p_path, FileAccess::READ);
  1032. ERR_FAIL_COND_V_MSG(f.is_null(), PackedByteArray(), vformat("CodeSign: Can't open file: \"%s\".", p_path));
  1033. CryptoCore::SHA256Context ctx;
  1034. ctx.start();
  1035. unsigned char step[4096];
  1036. while (true) {
  1037. uint64_t br = f->get_buffer(step, 4096);
  1038. if (br > 0) {
  1039. ctx.update(step, br);
  1040. }
  1041. if (br < 4096) {
  1042. break;
  1043. }
  1044. }
  1045. file_hash.resize(0x20);
  1046. ctx.finish(file_hash.ptrw());
  1047. return file_hash;
  1048. }
  1049. Error CodeSign::_codesign_file(bool p_use_hardened_runtime, bool p_force, const String &p_info, const String &p_exe_path, const String &p_bundle_path, const String &p_ent_path, bool p_ios_bundle, String &r_error_msg) {
  1050. #define CLEANUP() \
  1051. if (files_to_sign.size() > 1) { \
  1052. for (int j = 0; j < files_to_sign.size(); j++) { \
  1053. da->remove(files_to_sign[j]); \
  1054. } \
  1055. }
  1056. print_verbose(vformat("CodeSign: Signing executable: %s, bundle: %s with entitlements %s", p_exe_path, p_bundle_path, p_ent_path));
  1057. PackedByteArray info_hash1, info_hash2;
  1058. PackedByteArray res_hash1, res_hash2;
  1059. String id;
  1060. String main_exe = p_exe_path;
  1061. Ref<DirAccess> da = DirAccess::create(DirAccess::ACCESS_FILESYSTEM);
  1062. if (da.is_null()) {
  1063. r_error_msg = TTR("Can't get filesystem access.");
  1064. ERR_FAIL_V_MSG(ERR_CANT_CREATE, "CodeSign: Can't get filesystem access.");
  1065. }
  1066. // Read Info.plist.
  1067. if (!p_info.is_empty()) {
  1068. print_verbose("CodeSign: Reading bundle info...");
  1069. PList info_plist;
  1070. if (info_plist.load_file(p_info)) {
  1071. info_hash1 = file_hash_sha1(p_info);
  1072. info_hash2 = file_hash_sha256(p_info);
  1073. if (info_hash1.is_empty() || info_hash2.is_empty()) {
  1074. r_error_msg = TTR("Failed to get Info.plist hash.");
  1075. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to get Info.plist hash.");
  1076. }
  1077. if (info_plist.get_root()->data_type == PList::PLNodeType::PL_NODE_TYPE_DICT && info_plist.get_root()->data_dict.has("CFBundleExecutable")) {
  1078. main_exe = p_exe_path.path_join(String::utf8(info_plist.get_root()->data_dict["CFBundleExecutable"]->data_string.get_data()));
  1079. } else {
  1080. r_error_msg = TTR("Invalid Info.plist, no exe name.");
  1081. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid Info.plist, no exe name.");
  1082. }
  1083. if (info_plist.get_root()->data_type == PList::PLNodeType::PL_NODE_TYPE_DICT && info_plist.get_root()->data_dict.has("CFBundleIdentifier")) {
  1084. id = info_plist.get_root()->data_dict["CFBundleIdentifier"]->data_string.get_data();
  1085. } else {
  1086. r_error_msg = TTR("Invalid Info.plist, no bundle id.");
  1087. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid Info.plist, no bundle id.");
  1088. }
  1089. } else {
  1090. r_error_msg = TTR("Invalid Info.plist, can't load.");
  1091. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid Info.plist, can't load.");
  1092. }
  1093. }
  1094. // Extract fat binary.
  1095. Vector<String> files_to_sign;
  1096. if (LipO::is_lipo(main_exe)) {
  1097. print_verbose(vformat("CodeSign: Executable is fat, extracting..."));
  1098. String tmp_path_name = EditorPaths::get_singleton()->get_temp_dir().path_join("_lipo");
  1099. Error err = da->make_dir_recursive(tmp_path_name);
  1100. if (err != OK) {
  1101. r_error_msg = vformat(TTR("Failed to create \"%s\" subfolder."), tmp_path_name);
  1102. ERR_FAIL_V_MSG(FAILED, vformat("CodeSign: Failed to create \"%s\" subfolder.", tmp_path_name));
  1103. }
  1104. LipO lip;
  1105. if (lip.open_file(main_exe)) {
  1106. for (int i = 0; i < lip.get_arch_count(); i++) {
  1107. if (!lip.extract_arch(i, tmp_path_name.path_join("_exe_" + itos(i)))) {
  1108. CLEANUP();
  1109. r_error_msg = TTR("Failed to extract thin binary.");
  1110. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to extract thin binary.");
  1111. }
  1112. files_to_sign.push_back(tmp_path_name.path_join("_exe_" + itos(i)));
  1113. }
  1114. }
  1115. } else if (MachO::is_macho(main_exe)) {
  1116. print_verbose("CodeSign: Executable is thin...");
  1117. files_to_sign.push_back(main_exe);
  1118. } else {
  1119. r_error_msg = TTR("Invalid binary format.");
  1120. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid binary format.");
  1121. }
  1122. // Check if it's already signed.
  1123. if (!p_force) {
  1124. for (int i = 0; i < files_to_sign.size(); i++) {
  1125. MachO mh;
  1126. mh.open_file(files_to_sign[i]);
  1127. if (mh.is_signed()) {
  1128. CLEANUP();
  1129. r_error_msg = TTR("Already signed!");
  1130. ERR_FAIL_V_MSG(FAILED, "CodeSign: Already signed!");
  1131. }
  1132. }
  1133. }
  1134. // Generate core resources.
  1135. if (!p_bundle_path.is_empty()) {
  1136. print_verbose("CodeSign: Generating bundle CodeResources...");
  1137. CodeSignCodeResources cr;
  1138. if (p_ios_bundle) {
  1139. cr.add_rule1("^.*");
  1140. cr.add_rule1("^.*\\.lproj/", "optional", 100);
  1141. cr.add_rule1("^.*\\.lproj/locversion.plist$", "omit", 1100);
  1142. cr.add_rule1("^Base\\.lproj/", "", 1010);
  1143. cr.add_rule1("^version.plist$");
  1144. cr.add_rule2(".*\\.dSYM($|/)", "", 11);
  1145. cr.add_rule2("^(.*/)?\\.DS_Store$", "omit", 2000);
  1146. cr.add_rule2("^.*");
  1147. cr.add_rule2("^.*\\.lproj/", "optional", 1000);
  1148. cr.add_rule2("^.*\\.lproj/locversion.plist$", "omit", 1100);
  1149. cr.add_rule2("^Base\\.lproj/", "", 1010);
  1150. cr.add_rule2("^Info\\.plist$", "omit", 20);
  1151. cr.add_rule2("^PkgInfo$", "omit", 20);
  1152. cr.add_rule2("^embedded\\.provisionprofile$", "", 10);
  1153. cr.add_rule2("^version\\.plist$", "", 20);
  1154. cr.add_rule2("^_MASReceipt", "omit", 2000, false);
  1155. cr.add_rule2("^_CodeSignature", "omit", 2000, false);
  1156. cr.add_rule2("^CodeResources", "omit", 2000, false);
  1157. } else {
  1158. cr.add_rule1("^Resources($|/)");
  1159. cr.add_rule1("^Resources/.*\\.lproj/", "optional", 1000);
  1160. cr.add_rule1("^Resources/.*\\.lproj/locversion.plist$", "omit", 1100);
  1161. cr.add_rule1("^Resources/Base\\.lproj/", "", 1010);
  1162. cr.add_rule1("^version.plist$");
  1163. cr.add_rule2(".*\\.dSYM($|/)", "", 11);
  1164. cr.add_rule2("^(.*/)?\\.DS_Store$", "omit", 2000);
  1165. cr.add_rule2("^(Frameworks|SharedFrameworks|PlugIns|Plug-ins|XPCServices|Helpers|MacOS|Library/(Automator|Spotlight|LoginItems))/", "nested", 10);
  1166. cr.add_rule2("^.*");
  1167. cr.add_rule2("^Info\\.plist$", "omit", 20);
  1168. cr.add_rule2("^PkgInfo$", "omit", 20);
  1169. cr.add_rule2("^Resources($|/)", "", 20);
  1170. cr.add_rule2("^Resources/.*\\.lproj/", "optional", 1000);
  1171. cr.add_rule2("^Resources/.*\\.lproj/locversion.plist$", "omit", 1100);
  1172. cr.add_rule2("^Resources/Base\\.lproj/", "", 1010);
  1173. cr.add_rule2("^[^/]+$", "nested", 10);
  1174. cr.add_rule2("^embedded\\.provisionprofile$", "", 10);
  1175. cr.add_rule2("^version\\.plist$", "", 20);
  1176. cr.add_rule2("^_MASReceipt", "omit", 2000, false);
  1177. cr.add_rule2("^_CodeSignature", "omit", 2000, false);
  1178. cr.add_rule2("^CodeResources", "omit", 2000, false);
  1179. }
  1180. if (!cr.add_folder_recursive(p_bundle_path, "", main_exe)) {
  1181. CLEANUP();
  1182. r_error_msg = TTR("Failed to process nested resources.");
  1183. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to process nested resources.");
  1184. }
  1185. Error err = da->make_dir_recursive(p_bundle_path.path_join("_CodeSignature"));
  1186. if (err != OK) {
  1187. CLEANUP();
  1188. r_error_msg = TTR("Failed to create _CodeSignature subfolder.");
  1189. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to create _CodeSignature subfolder.");
  1190. }
  1191. cr.save_to_file(p_bundle_path.path_join("_CodeSignature").path_join("CodeResources"));
  1192. res_hash1 = file_hash_sha1(p_bundle_path.path_join("_CodeSignature").path_join("CodeResources"));
  1193. res_hash2 = file_hash_sha256(p_bundle_path.path_join("_CodeSignature").path_join("CodeResources"));
  1194. if (res_hash1.is_empty() || res_hash2.is_empty()) {
  1195. CLEANUP();
  1196. r_error_msg = TTR("Failed to get CodeResources hash.");
  1197. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to get CodeResources hash.");
  1198. }
  1199. }
  1200. // Generate common signature structures.
  1201. if (id.is_empty()) {
  1202. CryptoCore::RandomGenerator rng;
  1203. ERR_FAIL_COND_V_MSG(rng.init(), FAILED, "Failed to initialize random number generator.");
  1204. uint8_t uuid[16];
  1205. Error err = rng.get_random_bytes(uuid, 16);
  1206. ERR_FAIL_COND_V_MSG(err, err, "Failed to generate UUID.");
  1207. id = (String("a-55554944") /*a-UUID*/ + String::hex_encode_buffer(uuid, 16));
  1208. }
  1209. CharString uuid_str = id.utf8();
  1210. print_verbose(vformat("CodeSign: Used bundle ID: %s", id));
  1211. print_verbose("CodeSign: Processing entitlements...");
  1212. Ref<CodeSignEntitlementsText> cet;
  1213. Ref<CodeSignEntitlementsBinary> ceb;
  1214. if (!p_ent_path.is_empty()) {
  1215. String entitlements = FileAccess::get_file_as_string(p_ent_path);
  1216. if (entitlements.is_empty()) {
  1217. CLEANUP();
  1218. r_error_msg = TTR("Invalid entitlements file.");
  1219. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid entitlements file.");
  1220. }
  1221. cet.instantiate(entitlements);
  1222. ceb.instantiate(entitlements);
  1223. }
  1224. print_verbose("CodeSign: Generating requirements...");
  1225. Ref<CodeSignRequirements> rq;
  1226. String team_id = "";
  1227. rq.instantiate();
  1228. // Sign executables.
  1229. for (int i = 0; i < files_to_sign.size(); i++) {
  1230. MachO mh;
  1231. if (!mh.open_file(files_to_sign[i])) {
  1232. CLEANUP();
  1233. r_error_msg = TTR("Invalid executable file.");
  1234. ERR_FAIL_V_MSG(FAILED, "CodeSign: Invalid executable file.");
  1235. }
  1236. print_verbose(vformat("CodeSign: Signing executable for cputype: %d ...", mh.get_cputype()));
  1237. print_verbose("CodeSign: Generating CodeDirectory...");
  1238. Ref<CodeSignCodeDirectory> cd1 = memnew(CodeSignCodeDirectory(0x14, 0x01, true, uuid_str, team_id.utf8(), 12, mh.get_exe_limit(), mh.get_code_limit()));
  1239. Ref<CodeSignCodeDirectory> cd2 = memnew(CodeSignCodeDirectory(0x20, 0x02, true, uuid_str, team_id.utf8(), 12, mh.get_exe_limit(), mh.get_code_limit()));
  1240. print_verbose("CodeSign: Calculating special slot hashes...");
  1241. if (info_hash2.size() == 0x20) {
  1242. cd2->set_hash_in_slot(info_hash2, CodeSignCodeDirectory::SLOT_INFO_PLIST);
  1243. }
  1244. if (info_hash1.size() == 0x14) {
  1245. cd1->set_hash_in_slot(info_hash1, CodeSignCodeDirectory::SLOT_INFO_PLIST);
  1246. }
  1247. cd1->set_hash_in_slot(rq->get_hash_sha1(), CodeSignCodeDirectory::Slot::SLOT_REQUIREMENTS);
  1248. cd2->set_hash_in_slot(rq->get_hash_sha256(), CodeSignCodeDirectory::Slot::SLOT_REQUIREMENTS);
  1249. if (res_hash2.size() == 0x20) {
  1250. cd2->set_hash_in_slot(res_hash2, CodeSignCodeDirectory::SLOT_RESOURCES);
  1251. }
  1252. if (res_hash1.size() == 0x14) {
  1253. cd1->set_hash_in_slot(res_hash1, CodeSignCodeDirectory::SLOT_RESOURCES);
  1254. }
  1255. if (cet.is_valid()) {
  1256. cd1->set_hash_in_slot(cet->get_hash_sha1(), CodeSignCodeDirectory::Slot::SLOT_ENTITLEMENTS); //Text variant.
  1257. cd2->set_hash_in_slot(cet->get_hash_sha256(), CodeSignCodeDirectory::Slot::SLOT_ENTITLEMENTS);
  1258. }
  1259. if (ceb.is_valid()) {
  1260. cd1->set_hash_in_slot(ceb->get_hash_sha1(), CodeSignCodeDirectory::Slot::SLOT_DER_ENTITLEMENTS); //ASN.1 variant.
  1261. cd2->set_hash_in_slot(ceb->get_hash_sha256(), CodeSignCodeDirectory::Slot::SLOT_DER_ENTITLEMENTS);
  1262. }
  1263. // Calculate signature size.
  1264. int sign_size = 12; // SuperBlob header.
  1265. sign_size += cd1->get_size() + 8;
  1266. sign_size += cd2->get_size() + 8;
  1267. sign_size += rq->get_size() + 8;
  1268. if (cet.is_valid()) {
  1269. sign_size += cet->get_size() + 8;
  1270. }
  1271. if (ceb.is_valid()) {
  1272. sign_size += ceb->get_size() + 8;
  1273. }
  1274. sign_size += 16; // Empty signature size.
  1275. // Alloc/resize signature load command.
  1276. print_verbose(vformat("CodeSign: Reallocating space for the signature superblob (%d)...", sign_size));
  1277. if (!mh.set_signature_size(sign_size)) {
  1278. CLEANUP();
  1279. r_error_msg = TTR("Can't resize signature load command.");
  1280. ERR_FAIL_V_MSG(FAILED, "CodeSign: Can't resize signature load command.");
  1281. }
  1282. print_verbose("CodeSign: Calculating executable code hashes...");
  1283. // Calculate executable code hashes.
  1284. PackedByteArray buffer;
  1285. PackedByteArray hash1, hash2;
  1286. hash1.resize(0x14);
  1287. hash2.resize(0x20);
  1288. buffer.resize(1 << 12);
  1289. mh.get_file()->seek(0);
  1290. for (int32_t j = 0; j < cd2->get_page_count(); j++) {
  1291. mh.get_file()->get_buffer(buffer.ptrw(), (1 << 12));
  1292. CryptoCore::SHA256Context ctx2;
  1293. ctx2.start();
  1294. ctx2.update(buffer.ptr(), (1 << 12));
  1295. ctx2.finish(hash2.ptrw());
  1296. cd2->set_hash_in_slot(hash2, j);
  1297. CryptoCore::SHA1Context ctx1;
  1298. ctx1.start();
  1299. ctx1.update(buffer.ptr(), (1 << 12));
  1300. ctx1.finish(hash1.ptrw());
  1301. cd1->set_hash_in_slot(hash1, j);
  1302. }
  1303. if (cd2->get_page_remainder() > 0) {
  1304. mh.get_file()->get_buffer(buffer.ptrw(), cd2->get_page_remainder());
  1305. CryptoCore::SHA256Context ctx2;
  1306. ctx2.start();
  1307. ctx2.update(buffer.ptr(), cd2->get_page_remainder());
  1308. ctx2.finish(hash2.ptrw());
  1309. cd2->set_hash_in_slot(hash2, cd2->get_page_count());
  1310. CryptoCore::SHA1Context ctx1;
  1311. ctx1.start();
  1312. ctx1.update(buffer.ptr(), cd1->get_page_remainder());
  1313. ctx1.finish(hash1.ptrw());
  1314. cd1->set_hash_in_slot(hash1, cd1->get_page_count());
  1315. }
  1316. print_verbose("CodeSign: Generating signature...");
  1317. Ref<CodeSignSignature> cs;
  1318. cs.instantiate();
  1319. print_verbose("CodeSign: Writing signature superblob...");
  1320. // Write signature data to the executable.
  1321. CodeSignSuperBlob sb = CodeSignSuperBlob();
  1322. sb.add_blob(cd2);
  1323. sb.add_blob(cd1);
  1324. sb.add_blob(rq);
  1325. if (cet.is_valid()) {
  1326. sb.add_blob(cet);
  1327. }
  1328. if (ceb.is_valid()) {
  1329. sb.add_blob(ceb);
  1330. }
  1331. sb.add_blob(cs);
  1332. mh.get_file()->seek(mh.get_signature_offset());
  1333. sb.write_to_file(mh.get_file());
  1334. }
  1335. if (files_to_sign.size() > 1) {
  1336. print_verbose("CodeSign: Rebuilding fat executable...");
  1337. LipO lip;
  1338. if (!lip.create_file(main_exe, files_to_sign)) {
  1339. CLEANUP();
  1340. r_error_msg = TTR("Failed to create fat binary.");
  1341. ERR_FAIL_V_MSG(FAILED, "CodeSign: Failed to create fat binary.");
  1342. }
  1343. CLEANUP();
  1344. }
  1345. FileAccess::set_unix_permissions(main_exe, 0755); // Restore unix permissions.
  1346. return OK;
  1347. #undef CLEANUP
  1348. }
  1349. Error CodeSign::codesign(bool p_use_hardened_runtime, bool p_force, const String &p_path, const String &p_ent_path, String &r_error_msg) {
  1350. Ref<DirAccess> da = DirAccess::create(DirAccess::ACCESS_FILESYSTEM);
  1351. if (da.is_null()) {
  1352. r_error_msg = TTR("Can't get filesystem access.");
  1353. ERR_FAIL_V_MSG(ERR_CANT_CREATE, "CodeSign: Can't get filesystem access.");
  1354. }
  1355. if (da->dir_exists(p_path)) {
  1356. String fmw_ver = "Current"; // Framework version (default).
  1357. String info_path;
  1358. String main_exe;
  1359. String bundle_path;
  1360. bool bundle = false;
  1361. bool ios_bundle = false;
  1362. if (da->file_exists(p_path.path_join("Contents/Info.plist"))) {
  1363. info_path = p_path.path_join("Contents/Info.plist");
  1364. main_exe = p_path.path_join("Contents/MacOS");
  1365. bundle_path = p_path.path_join("Contents");
  1366. bundle = true;
  1367. } else if (da->file_exists(p_path.path_join(vformat("Versions/%s/Resources/Info.plist", fmw_ver)))) {
  1368. info_path = p_path.path_join(vformat("Versions/%s/Resources/Info.plist", fmw_ver));
  1369. main_exe = p_path.path_join(vformat("Versions/%s", fmw_ver));
  1370. bundle_path = p_path.path_join(vformat("Versions/%s", fmw_ver));
  1371. bundle = true;
  1372. } else if (da->file_exists(p_path.path_join("Resources/Info.plist"))) {
  1373. info_path = p_path.path_join("Resources/Info.plist");
  1374. main_exe = p_path;
  1375. bundle_path = p_path;
  1376. bundle = true;
  1377. } else if (da->file_exists(p_path.path_join("Info.plist"))) {
  1378. info_path = p_path.path_join("Info.plist");
  1379. main_exe = p_path;
  1380. bundle_path = p_path;
  1381. bundle = true;
  1382. ios_bundle = true;
  1383. }
  1384. if (bundle) {
  1385. return _codesign_file(p_use_hardened_runtime, p_force, info_path, main_exe, bundle_path, p_ent_path, ios_bundle, r_error_msg);
  1386. } else {
  1387. r_error_msg = TTR("Unknown bundle type.");
  1388. ERR_FAIL_V_MSG(FAILED, "CodeSign: Unknown bundle type.");
  1389. }
  1390. } else if (da->file_exists(p_path)) {
  1391. return _codesign_file(p_use_hardened_runtime, p_force, "", p_path, "", p_ent_path, false, r_error_msg);
  1392. } else {
  1393. r_error_msg = TTR("Unknown object type.");
  1394. ERR_FAIL_V_MSG(FAILED, "CodeSign: Unknown object type.");
  1395. }
  1396. }
  1397. #endif // MODULE_REGEX_ENABLED