Implement installd hooking dylib, automatic injection via daemon

Author: insidegui

AppRegistrarHooks/AppRegistrarInstallDaemonSwizzles.h

@@ -0,0 +1,5 @@
+@import Foundation;
+
+@interface AppRegistrarInstallDaemonSwizzles : NSObject
+
+@end

AppRegistrarHooks/AppRegistrarInstallDaemonSwizzles.m

@@ -0,0 +1,144 @@
+#import "AppRegistrarInstallDaemonSwizzles.h"
+
+#import "CodesigningHelper.h"
+
+#import "installd.h"
+#import "InstalledContentLibrary.h"
+
+#import "SwizzlingHelper.h"
+
+@import os.log;
+
+os_log_t logger(void)
+{
+    static dispatch_once_t onceToken;
+    static os_log_t _log;
+    dispatch_once(&onceToken, ^{
+        _log = os_log_create("codes.rambo.research.appregistrard", "AppRegistrarInstallDaemonSwizzles");
+    });
+    return _log;
+}
+
+/// Declarations for things we'll need from the runtime.
+@interface NSObject ()
+
+@property (readonly) BOOL isPlaceholderInstall;
+@property (strong) MIExecutableBundle *bundle;
+@property (strong) MICodeSigningInfo *bundleSigningInfo;
+
+- (BOOL)__original_performVerificationWithError:(NSError *__autoreleasing *)outError;
+
+@end
+
+@implementation AppRegistrarInstallDaemonSwizzles
+
++ (void)load
+{
+    static dispatch_once_t onceToken;
+    dispatch_once(&onceToken, ^{
+        if (strcmp(getprogname(), "installd")) return;
+
+        os_log_debug(logger(), "🚀 Loaded into installd, hooking!");
+
+        SwizzleInstanceMethod(MIInstallableBundle, performVerificationWithError:, AppRegistrarInstallDaemonSwizzles);
+        SwizzleInstanceMethod(MIDaemonConfiguration, codeSigningEnforcementIsDisabled, AppRegistrarInstallDaemonSwizzles);
+    });
+}
+
+/**
+ This is the swizzle for the method that verifies the code signature and certain special entitlements on bundles being installed.
+
+ It used to be done in `MICodeSigningVerifier` before iOS 18.4, but since then this method in `MIInstallableBundle`
+ is what does the heavy lifting and `MICodeSigningVerifier` has lost a lot of its importance.
+
+ Since this cryptex technically only supports iOS 26+, only this override is left, and it has been reimplemented
+ to completely fake the verification by extracting the code signature information using the most lenient validation possible,
+ which skips a bunch of the special entitlement checks performed by the original implementation.
+
+ The most important step is actually setting `bundleSigningInfo` on the `MIInstallableBundle` to the signing info
+ extracted from `MIExecutableBundle` by calling `codeSigningInfoByValidatingResources:...`.
+
+ The presence of that signing info and the return value of `YES` is what concludes the verification successfully.
+
+ Of course none of that would work before first performing the TSS signing and trust cache load for all executables present within the bundle,
+ but even then the original implementation has some annoying validations that are skipped by doing the above.
+
+ To get ad-hoc binaries to pass validation, it's also crucial to override `-[MIDaemonConfiguration codeSigningEnforcementIsDisabled]` so that it returns `YES`, which this class also does.
+ */
+- (BOOL)__override_performVerificationWithError:(NSError *__autoreleasing *)outError
+{
+    os_log_t log = logger();
+
+    BOOL isPlaceholder = self.isPlaceholderInstall;
+    NSString *logFunctionName = [NSString stringWithFormat:@"%@%@", NSStringFromSelector(_cmd), (isPlaceholder ? @"[placeholder bundle]" : @"")];
+
+    MIExecutableBundle *bundle = self.bundle;
+
+    os_log(log, "%{public}@ called with bundle %@", logFunctionName, self.bundle);
+
+    NSError *myError;
+    BOOL result;
+
+    if (isPlaceholder) {
+        os_log_debug(log, "Bundle is placeholder install, delegating to original performVerificationWithError implementation");
+        result = [self __original_performVerificationWithError:&myError];
+    } else {
+        os_log_debug(log, "Bundle is real install, will perform lenient verification.");
+
+        NSString *bundleName = bundle.bundleURL.lastPathComponent;
+
+        os_log_debug(log, "Checking if %@ is adhoc-signed...", bundleName);
+
+        BOOL isAdHoc = [CodeSigningHelper isAdHocSignedBundleAtURL:bundle.bundleURL];
+
+        if (!isAdHoc) {
+            os_log(log, "%@ is not adhoc-signed, proceeding with regular installd flow...", bundleName);
+            return [self __original_performVerificationWithError:outError];
+        }
+
+        if (!bundle) {
+            os_log_fault(log, "MIInstallableBundle has no bundle!");
+            myError = [NSError errorWithDomain:@"codes.rambo.appregistrard" code:0 userInfo:@{NSLocalizedFailureReasonErrorKey: @"MIInstallableBundle has no bundle."}];
+            result = NO;
+        } else {
+            /// Create signing info with most lenient validation possible.
+            /// Regular verification by original implementation would work for most cases, but doing this allows us to skip some annoying checks
+            /// such as checks for forbidden entitlement combinations that are only checked during installation.
+            MICodeSigningInfo *signingInfo = [bundle codeSigningInfoByValidatingResources:NO
+                                                            performingOnlineAuthorization:NO
+                                                                ignoringCachedSigningInfo:NO
+                                                           checkingTrustCacheIfApplicable:NO
+                                                              skippingProfileIDValidation:YES
+                                                                                    error:&myError];
+
+            /// This is the crucial step: we must set the signing info on the installable bundle,
+            /// otherwise installation will fail even if we return a success response from this method.
+            self.bundleSigningInfo = signingInfo;
+
+            if (signingInfo) {
+                os_log(log, "Successfully obtained signing info for bundle - %{public}@", signingInfo.dictionaryRepresentation);
+                result = YES;
+            } else {
+                os_log_error(log, "Error obtaining signing info for bundle - %{public}@", myError);
+                result = NO;
+            }
+        }
+    }
+
+    if (result) {
+        os_log(log, "%{public}@ OK", logFunctionName);
+        return YES;
+    } else {
+        os_log_error(log, "%{public}@ FAILED: %{public}@", logFunctionName, myError);
+        if (outError) *outError = myError;
+        return NO;
+    }
+}
+
+/// This override is on `MIDaemonConfiguration`, it's required so that ad-hoc signed binaries are accepted.
+- (BOOL)__override_codeSigningEnforcementIsDisabled
+{
+    return YES;
+}
+
+@end

AppRegistrarHooks/CodesigningHelper.h

@@ -0,0 +1,8 @@
+@import Foundation;
+
+@interface CodeSigningHelper : NSObject
+
++ (BOOL)isAdHocSignedBundleAtURL:(NSURL *)bundleURL;
++ (BOOL)isAdHocSignedExecutableAtURL:(NSURL *)executableURL;
+
+@end

AppRegistrarHooks/CodesigningHelper.m

@@ -0,0 +1,82 @@
+#import "CodesigningHelper.h"
+
+@import os.log;
+
+#import "SecuritySPI.h"
+
+os_log_t csLogger(void)
+{
+    static dispatch_once_t onceToken;
+    static os_log_t _log;
+    dispatch_once(&onceToken, ^{
+        _log = os_log_create("codes.rambo.research.appregistrard", "CodeSigningHelper");
+    });
+    return _log;
+}
+
+@implementation CodeSigningHelper
+
++ (BOOL)isAdHocSignedBundleAtURL:(NSURL *)bundleURL
+{
+    os_log_t log = csLogger();
+
+    os_log_debug(log, "Checking adhoc status for bundle: %@", bundleURL.lastPathComponent);
+
+    NSBundle *bundle = [NSBundle bundleWithURL:bundleURL];
+    if (!bundle) {
+        os_log_error(log, "Failed to construct NSBundle with bundle at %@", bundleURL.path);
+        return NO;
+    }
+
+    NSURL *effectiveExecutableURL = nil;
+    if (bundle.executableURL) {
+        effectiveExecutableURL = bundle.executableURL;
+    } else {
+        effectiveExecutableURL = [bundleURL URLByAppendingPathComponent:bundleURL.URLByDeletingPathExtension.lastPathComponent];
+        os_log_error(log, "[WARN] Bundle has no executable URL, using default: %@", effectiveExecutableURL.path);
+    }
+
+    return [self isAdHocSignedExecutableAtURL:effectiveExecutableURL];
+}
+
++ (BOOL)isAdHocSignedExecutableAtURL:(NSURL *)executableURL
+{
+    os_log_t log = csLogger();
+
+    NSString *name = executableURL.lastPathComponent;
+
+    os_log_debug(log, "Checking adhoc status for executable: %@", executableURL.lastPathComponent);
+
+    SecStaticCodeRef code;
+    OSStatus status = SecStaticCodeCreateWithPath((__bridge CFURLRef)executableURL, kSecCSDefaultFlags, &code);
+    if (status != errSecSuccess) {
+        os_log_error(log, "SecStaticCodeCreateWithPath failed with %{public}d (%{public}@)", status, SecCopyErrorMessageString(status, NULL));
+        return NO;
+    }
+
+    os_log_debug(log, "Successfully obtained static code reference for %@", name);
+
+    CFDictionaryRef signingInfo;
+    status = SecCodeCopySigningInformation(code, kSecCSDefaultFlags, &signingInfo);
+    if (status != errSecSuccess) {
+        os_log_error(log, "SecCodeCopySigningInformation failed with %{public}d (%{public}@)", status, SecCopyErrorMessageString(status, NULL));
+        return NO;
+    }
+
+    os_log_debug(log, "Successfully obtained signing info for %@", name);
+
+    NSDictionary <NSString *, id> *infoDict = (__bridge NSDictionary *)signingInfo;
+    NSNumber *flags = infoDict[(__bridge NSString *)kSecCodeInfoFlags];
+    if (!flags) {
+        os_log_error(log, "Signing info for %@ is missing kSecCodeInfoFlags", name);
+        return NO;
+    }
+
+    BOOL isAdHoc = (flags.unsignedIntValue & kSecCodeSignatureAdhoc) != 0;
+
+    os_log(log, "%@ is adhoc? %{public}@", name, ((isAdHoc) ? @"YES" : @"NO"));
+
+    return isAdHoc;
+}
+
+@end

AppRegistrarHooks/Headers/InstalledContentLibrary.h

@@ -0,0 +1,34 @@
+@import Foundation;
+
+@interface MIBundle : NSObject
+
+@property (readonly) NSURL *bundleURL;
+@property (readonly) NSString *identifier;
+@property (readonly) BOOL isPlaceholder;
+
+@end
+
+@interface MIExecutableBundle : MIBundle
+
+@property (readonly) NSURL *executableURL;
+
+- (MICodeSigningInfo *)codeSigningInfoByValidatingResources:(BOOL)resources
+                              performingOnlineAuthorization:(BOOL)authorization
+                                  ignoringCachedSigningInfo:(BOOL)info
+                             checkingTrustCacheIfApplicable:(BOOL)applicable
+                                skippingProfileIDValidation:(BOOL)idvalidation
+                                                      error:(NSError **)outError;
+
+@end
+
+@interface MIDaemonConfiguration : NSObject
+
+- (BOOL)codeSigningEnforcementIsDisabled;
+
+@end
+
+@interface MICodeSigningInfo : NSObject
+
+@property (readonly, copy, nonatomic) NSDictionary *dictionaryRepresentation;
+
+@end

AppRegistrarHooks/Headers/SecuritySPI.h

@@ -0,0 +1,26 @@
+#pragma clang diagnostic ignored "-Wincomplete-umbrella"
+
+@import Foundation;
+@import Security;
+
+#import <TargetConditionals.h>
+
+#if TARGET_OS_IOS
+
+extern const CFStringRef _Nonnull kSecCodeInfoFlags;
+
+typedef CF_OPTIONS(uint32_t, SecCodeSignatureFlags) {
+    kSecCodeSignatureAdhoc = 0x0002,
+};
+
+typedef CF_OPTIONS(uint32_t, SecCSFlags) {
+    kSecCSDefaultFlags = 0,
+};
+
+typedef struct CF_BRIDGED_TYPE(id) __SecCode const *SecStaticCodeRef;
+
+OSStatus SecStaticCodeCreateWithPath(CFURLRef __nonnull path, SecCSFlags flags, SecStaticCodeRef * __nonnull CF_RETURNS_RETAINED staticCode);
+
+OSStatus SecCodeCopySigningInformation(SecStaticCodeRef __nonnull code, SecCSFlags flags, CFDictionaryRef * __nonnull CF_RETURNS_RETAINED information);
+
+#endif

AppRegistrarHooks/Headers/installd.h

@@ -0,0 +1,17 @@
+@import Foundation;
+
+@class MIExecutableBundle, MICodeSigningInfo;
+
+@interface MIInstallable : NSObject
+
+- (BOOL)performVerificationWithError:(NSError **)outError;
+
+@end
+
+@interface MIInstallableBundle : MIInstallable
+
+@property (readonly) MIExecutableBundle *bundle;
+@property (readonly) BOOL isPlaceholderInstall;
+@property (strong) MICodeSigningInfo *bundleSigningInfo;
+
+@end

AppRegistrarHooks/README.md

@@ -0,0 +1,9 @@
+# libAppRegistrarHooks
+
+This dynamic library is injected into `installd` on SRD to allow ad-hoc binaries to pass its code signature validation checks.
+
+With this library injected, `appregistrard` can use the InstallCoordination-based installation method, which installs
+apps exactly the same way as those installed via Xcode or the App Store, ensuring that all app extension types work as expected.
+
+The daemon will automatically set up injection by copying this dylib into a place that `installd` can load from
+and setting the `DYLD_INSERT_LIBRARIES` environment via `launchd` to include it. The library does nothing unless loaded into `installd`.

AppRegistrarHooks/SwizzlingHelper.h

@@ -0,0 +1,28 @@
+@import Foundation;
+
+NS_ASSUME_NONNULL_BEGIN
+
+#define SwizzleInstanceMethod( className, methodName, overridingType ) \
+[SwizzlingHelper swizzleClass:NSClassFromString(@#className) method:NSSelectorFromString(@#methodName) overridingClass:[overridingType class] isClassMethod:NO];
+
+#define SwizzleClassMethod( className, methodName, overridingType ) \
+[SwizzlingHelper swizzleClass:NSClassFromString(@#className) method:NSSelectorFromString(@#methodName) overridingClass:[overridingType class] isClassMethod:YES];
+
+@interface SwizzlingHelper : NSObject
+
+/// Swizzles the method on the provided class with an instance method named
+/// according to the pattern in the override class.
+/// The pattern is as follows:
+/// Let's say the original selector is `removeObjectAtIndex:`
+/// The override class should have a method with the selector `__override_removeObjectAtIndex:`
+/// Swizzling also introduces the original method's implementation that can be called from the override,
+/// in this example it would be `__original_removeObjectAtIndex:`.
+/// The override and original methods will be either instance or class methods depending upon the `isClassMethod` argument.
++ (BOOL)swizzleClass:(Class)aClass
+              method:(SEL)methodSelector
+     overridingClass:(Class)overrideClass
+       isClassMethod:(BOOL)isClassMethod;
+
+@end
+
+NS_ASSUME_NONNULL_END