apple-codesign: do not sign additional Mach-O binaries in shallow mode

See inline comments for more details.

Closes #148.

Author: indygreg

apple-codesign/CHANGELOG.md

@@ -6,6 +6,9 @@
 
 Released on ReleaseDate.
 
+* When signing a bundle in `--shallow` mode, we no longer sign Mach-O binaries
+  that aren't the *main* bundle binary. The new behavior is compatible with the
+  behavior of Apple's `codesign`. (#148)
 * MSRV 1.78 -> 1.81.
 * `aws-sdk-s3` 1.24 -> 1.59.
 * `clap` 4.4 -> 4.5.

apple-codesign/src/code_resources.rs

@@ -1362,20 +1362,26 @@ impl CodeResourcesBuilder {
             // Unlike Apple's tooling, we recognize Mach-O binaries when the nested
             // flag isn't set and we automatically sign.
             //
-            // When we seal the file, we treat it as a regular file since the
-            // nested flag isn't set. Note that we need to read the signed/installed
-            // version of the file since signing will change its content.
-
-            let read_path = if crate::reader::path_is_macho(full_path)?
+            // Unless the path is marked for exclusion or shallow signing mode is
+            // active.
+            //
+            // The reason we exclude in shallow mode is that shallow mode is supposed
+            // to behave like Apple's `codesign` and that tool only signs the bundle's
+            // "main" Mach-O binary, not other binaries.
+            let sign_macho = crate::reader::path_is_macho(full_path)?
                 && !context
                     .settings
                     .path_exclusion_pattern_matches(root_rel_path)
-            {
+                && !context.settings.shallow();
+
+            let read_path = if sign_macho {
                 info!(
                     "non-nested file is a Mach-O binary; signing accordingly {}",
                     rel_path.display()
                 );
                 need_install = false;
+                // We need to read the signed/installed version of the file since
+                // signing will change its content.
                 context.sign_and_install_macho(full_path, rel_path)?.0
             } else {
                 info!("sealing regular file {}", rel_path_normalized);
@@ -1390,6 +1396,8 @@ impl CodeResourcesBuilder {
                 FilesFlavor::Rules2
             };
 
+            // When we seal the file, we treat it as a regular file since the
+            // nested flag isn't set.
             self.resources
                 .seal_regular_file(flavor, rel_path_normalized, digests, optional)?;
         }

apple-codesign/tests/cmd/sign-bundle-multiple-macho.trycmd

@@ -423,7 +423,6 @@ signing bundle at MyApp.app
 signing bundle at MyApp.app into MyApp.app.signed-shallow
 signing Mach-O file Contents/MacOS/bin
 signing Mach-O file Contents/MacOS/lib.dylib
-signing Mach-O file Contents/Resources/non-nested-bin
 signing main executable Contents/MacOS/MyApp
 
 $ rcodesign print-signature-info MyApp.app.signed-shallow
@@ -433,7 +432,7 @@ $ rcodesign print-signature-info MyApp.app.signed-shallow
   entity: other
 - path: Contents/MacOS/MyApp
   file_size: 22544
-  file_sha256: ed9b322079f477b956269151b7f05966fe4c2522116e2c23b5ab40f518887fe3
+  file_sha256: b7c94c6c236fbf011c51b6a98221e648470a8bdb1e79179c5bed2a4229d9f33f
   entity:
     mach_o:
       macho_linkedit_start_offset: 16384 / 0x4000
@@ -451,8 +450,8 @@ $ rcodesign print-signature-info MyApp.app.signed-shallow
         - slot: CodeDirectory (0)
           magic: fade0c02
           length: 493
-          sha1: f342b48c4632318b35759a678a90f606463d44aa
-          sha256: 776f6ff24cb7986e98b41600c6f34ad9ef197b9d28c84531ae2cbdf7b965ac36
+          sha1: f5f97459503ca59e782bc7e09b0a0e84fbe2c469
+          sha256: eceb671be47c4515ac795ee6b4369f2c3e1ce3c92cd3b31826e3317afe78c8ae
         - slot: RequirementSet (2)
           magic: fade0c01
           length: 12
@@ -485,7 +484,7 @@ $ rcodesign print-signature-info MyApp.app.signed-shallow
           slot_digests:
           - 'Info (1): 0a5902dc8e47f490d03889d3593d17bddbf79e6c1f79494e20dd28f9459effa5'
           - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
-          - 'Resources (3): e9faf2afbb4ab5548d3531c4b40abdfd59a2d6c2b5834e1980993957ba5bec83'
+          - 'Resources (3): 29ca54092b8a1ee42bd378889eae9382dd64f94f6ac99e093d5aff76af6ea2bf'
           - 'Application (4): 0000000000000000000000000000000000000000000000000000000000000000'
           - 'Entitlements (5): adea2675562421d85cc35e2c909ae27f33846eeb3b2b7c68017abd1b4b02f624'
           - 'Rep Specific (6): 0000000000000000000000000000000000000000000000000000000000000000'
@@ -599,53 +598,22 @@ $ rcodesign print-signature-info MyApp.app.signed-shallow
           - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
         cms: null
 - path: Contents/Resources/non-nested-bin
-  file_size: 22544
-  file_sha256: 17ee48591c2b454766b3d38e00ba5b342b3695c635c9114aad839117f45e3b38
+  file_size: 16386
+  file_sha256: 4cfaf70bc9fb6827fcf7751deaf65f8b54d46fecb6f39cb2ba8fbcf36912430c
   entity:
     mach_o:
-      macho_linkedit_start_offset: 16384 / 0x4000
-      macho_signature_start_offset: 16400 / 0x4010
-      macho_signature_end_offset: 16783 / 0x418f
-      macho_linkedit_end_offset: 22544 / 0x5810
-      macho_end_offset: 22544 / 0x5810
-      linkedit_signature_start_offset: 16 / 0x10
-      linkedit_signature_end_offset: 399 / 0x18f
-      linkedit_bytes_after_signature: 5761 / 0x1681
-      signature:
-        superblob_length: 383 / 0x17f
-        blob_count: 3
-        blobs:
-        - slot: CodeDirectory (0)
-          magic: fade0c02
-          length: 327
-          sha1: c26826707603fb84e28487b5f936799d4edf6377
-          sha256: 7b46bdc9c357e9a5ce1b15cd255623667b42772b0f42db78c8b630740caecc86
-        - slot: RequirementSet (2)
-          magic: fade0c01
-          length: 12
-          sha1: 3a75f6db058529148e14dd7ea1b4729cc09ec973
-          sha256: 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986
-        - slot: CMS Signature (65536)
-          magic: fade0b01
-          length: 8
-          sha1: 2a7254313aa41796079bb0e9d0f044345f69f98b
-          sha256: e6c83bc98a10348492c7d4d2378a54572ef29e1a5692ccd02b5e29f4b762d6a0
-        code_directory:
-          version: '0x20400'
-          flags: CodeSignatureFlags(ADHOC)
-          identifier: non-nested-bin
-          digest_type: sha256
-          platform: 0
-          signed_entity_size: 16400
-          executable_segment_flags: ExecutableSegmentFlags(MAIN_BINARY)
-          code_digests_count: 5
-          slot_digests:
-          - 'Info (1): 0000000000000000000000000000000000000000000000000000000000000000'
-          - 'RequirementSet (2): 987920904eab650e75788c054aa0b0524e6a80bfc71aa32df8d237a61743f986'
-        cms: null
+      macho_linkedit_start_offset: null
+      macho_signature_start_offset: null
+      macho_signature_end_offset: null
+      macho_linkedit_end_offset: null
+      macho_end_offset: 16386 / 0x4002
+      linkedit_signature_start_offset: null
+      linkedit_signature_end_offset: null
+      linkedit_bytes_after_signature: null
+      signature: null
 - path: Contents/_CodeSignature/CodeResources
   file_size: 2882
-  file_sha256: e9faf2afbb4ab5548d3531c4b40abdfd59a2d6c2b5834e1980993957ba5bec83
+  file_sha256: 29ca54092b8a1ee42bd378889eae9382dd64f94f6ac99e093d5aff76af6ea2bf
   entity:
     bundle_code_signature_file: !ResourcesXml
     - <?xml version="1.0" encoding="UTF-8"?>
@@ -683,7 +651,7 @@ $ rcodesign print-signature-info MyApp.app.signed-shallow
     - '    <dict>'
     - '      <key>hash2</key>'
     - '      <data>'
-    - '      F+5IWRwrRUdms9OOALpbNCs2lcY1yRFKrYORF/ReOzg='
+    - '      TPr3C8n7aCf893Ud6vZfi1TUb+y285yyuo+882kSQww='
     - '      </data>'
     - '    </dict>'
     - '  </dict>'