Releases: indygreg/apple-platform-rs
Releases · indygreg/apple-platform-rs
Apple Codesign 0.29.0
Release Info
Changelog
- When signing a bundle in
--shallow
mode, we no longer sign Mach-O binaries
that aren't the main bundle binary. The new behavior is compatible with the
behavior of Apple'scodesign
. (#148) - Fixed a bug where signing of a bundle containing child bundles could sign and
install certain files multiple times. This could result in a child bundle having
an incorrect signature. (#149) - MSRV 1.78 -> 1.81.
aws-sdk-s3
1.24 -> 1.59.clap
4.4 -> 4.5.minicbor
0.24 -> 0.25.thiserror
1.0 -> 2.0.
Apple Codesign 0.28.0
Release Info
Changelog
- Fixed
env_logger
construction soRUST_LOG
environment variable is
respected. (#162) - MSRV 1.70 -> 1.78.
- Improve logging of S3 upload failures. We should now hopefully print something
more useful thans3 upload error: unhandled error
on failures. Info.plist
path handling should be more robust. This should fix errors
likeI/O error: No such file or directory
when signing Frameworks. (#163)- Enabled
http2
feature ofreqwest
crate. This may provide better HTTP/2.0
compatibility. aws-config
1.1 -> 1.5.aws-sdk-s3
1.12 -> 1.24.aws-smithy-types
1.1 -> 1.2.base64
0.21 -> 0.22.bitflags
2.4 -> 2.6.bytes
1.5 -> 1.8.cryptographic-message-syntax
0.26 -> 0.27.env_logger
0.10 -> 0.11.goblin
0.8 -> 0.9.minicbor
0.20 -> 0.24.object
0.32 -> 0.36.oid-registry
0.6 -> 0.7.once_cell
1.19 -> 1.20.plist
1.6 -> 1.7.rasn
0.12 -> 0.20.rayon
1.8 -> 1.10.regex
1.10 -> 1.11.reqwest
0.11 -> 0.12.security-framework
2.9 -> 2.11.subtle
2.5 -> 2.6.tempfile
3.9 -> 3.13.tokio
1.35 -> 1.41.tungstenite
0.21 -> 0.24.uuid
1.6 -> 1.11.walkdir
2.4 -> 2.5.widestring
1.0 -> 1.1.x509-certificate
0.23 -> 0.24.zeroize
1.7 -> 1.8.zip
0.6 -> 2.2.
Apple Codesign 0.27.0
Release Info
Changelog
- Published a GitHub Action for code signing and notarization and wrote project documentation for how to use it. (#6)
- Fix to restore working builds with
--no-default-features
. - Added
notary-list
command to print information about recently submitted notarizations to Apple. (#124) - Fixed a bug where
.dSYM/
directories were incorrectly signed as bundles. (#128) - The
sign
command has gained a--shallow
argument to prevent traversing into nested entities when signing. It currently only prevents traversal into nested bundles. In the future, behavior may be expanded to also exclude signing of additional Mach-O binaries inside bundles, among other potential changes. Ultimately we want this signing mode to converge with the default behavior of Apple's tooling. - The
sign
command has gained a--for-notarization
argument that attempts to engage and enforce signing settings required for Apple notarization (such as enabling the hardened runtime). The goal of the feature is to cut down on notarization failures after successful signing operations. If you encounter a preventable notarization failure when using this new flag, consider filing a bug report. - (API)
BundleSigner
now requires callingcollect_nested_bundles()
to register child bundles for signing instead of signing all nested bundles by default. - aws-config 0.57 -> 1.1.
- aws-sdk-s3 0.36 -> 1.10.
- aws-smithy-http 0.57 -> 0.60.
- aws-smithy-types 0.57 -> 1.1.
- goblin 0.7 -> 0.8.
- scroll 0.11 -> 0.12.
- tungstenite 0.20 -> 0.21.
- windows-sys 0.48 -> 0.52.
Apple Codesign 0.26.0
Release Info
Changelog
- (New feature) On Windows, it is now possible to sign with code signing
certificates stored in the Windows Certificate Store. Thesign
command
(and other commands taking certificate sources) gained--windows-store-name
and--windows-store-sha1-fingerprint
arguments to specify a certificate in
the Windows Certificate Store to use. New commands
windows-store-print-certificates
and
windows-store-export-certificate-chain
can discover and export certificates
in the Windows Certificate Store. Feature contributed by El Mostafa Idrassi
in #111. - Fixed a bug where a
signing without an Apple signed certificate but signing settings contain a team name
warning was printed incorrectly. - We now print a warning when signing using an expired certificate.
- Fixed a bug where
sign --code-signature-flags
could not be scoped. (#116)
Apple Codesign 0.25.1
Release Info
Changelog
(The 0.25.0 release had a regression and the release notes for 0.25.0 are folded into this release.)
- (Breaking change) The
--extra-digest
argument has been removed.
--digest
can now be specified multiple times.--digest
is now a
scoped value. - (Breaking change) The
sign --remote-signer
argument has been removed. It
is now implicitly assumed via presence of a remote session initialization
argument. - (Breaking change) Various signing settings no longer inherit to nested
entities:--entitlements-xml-file
,--code-requirements-file
,
--code-resources-file
,--code-signature-flags
, and--info-plist-file
.
The new behavior is much more conservative about which signing settings
can be inherited and prevents unexpected results, such as all binaries
in a bundle sharing the same entitlements or signing flags. Previous signers
of bundles may find various signing settings disappearing from nested
bundles or the non-main Mach-O binary within a bundle. It is highly encouraged
to use thercodesign diff-signatures
command to compare results. If settings
were dropped, add new scoped CLI arguments or use the new configuration
file feature to add settings back in to specific paths. - (New feature) Configuration file support added. TOML based configuration
files can now define signers and signing settings in named profiles,
allowing for automatic and near effortless reuse of common configurations.
See the documentation for more. - (New feature) Environment constraints support. We now support defining launch
constraints and library constraints. We don't yet fully understand the
interactions of constraints and code signing. If using constraints, we
highly recommend comparing signature output with Apple's tooling to validate
similar behavior. If you notice discrepancies, please file a GitHub issue!
(#83) - Detection of nested bundles now looks for
CFBundlePackageType
or
CFBundleIdentifier
in bundleInfo.plist
and ignores bundles
lacking these. As a result, we no longer attempt signing of storybook
bundles and other non-signable bundle-looking directories and no
longer likely encounter errors in the process. (#38) - CLI arguments for paths are now consistently named
--foo-file
instead of using a mix of--foo-path
,--foo-filename
, and
potentially other variants. The old names are still recognized as
aliases to maintain backwards compatibility. - Changed heuristic for naming a binary identifier from its path to be
more similar to Apple's. e.g.foo1.2.dylib
will now resolve tofoo1
instead offoo1.2
. We still don't use the binary UUID or digest of its
load commands to compute the binary identifier like Apple does. - When signing nested Mach-O binaries in a bundle, we now set the binary
identifier from the filename rather than preserving the identifier in an
existing signature. This helps ensure identifiers stay in sync and prevents
bad signatures. (#109) print-signature-info
now prints the entitlements plist decoded from DER.
(#75)- We no longer obtain placeholder time-stamp tokens when estimating the size
of embedded signatures. Instead, we statically reserve 8192 bytes for the
token. This may cause signatures to increase in size by a few kilobytes,
as Apple's TSTs are ~4200 bytes. Signing should now be faster since we avoid
an excessive network roundtrip. (#4)
Apple Codesign 0.25.0
This release has a CLI argument parsing bug that breaks at lease the remote signing functionality. Please use the 0.25.1 or newer release instead. See the 0.25.1 release for a changelog in the 0.25.x release.
For this reason, binaries were not published for this release.
Apple Codesign 0.24.0
Release Info
Changelog
- Add a
macho-universal-create
command to assemble single-arch Mach-O
binaries into a single multi-arch / universal / fat binary. The command
can be used as a replacement for Apple'slipo -create
. - When signing bundles, the
CodeResources
file for nested Mach-O binaries
now emits the code directory hashes for every code directory. Before, if
a Mach-O contained both SHA-1 and SHA-256 code directories, only the
SHA-256 hash would be emitted. The new behavior matches Apple's tooling.
(#95) - The
generate-self-signed-certificate
command has gained the--p12-file
and--p12-password
arguments to write a self-signed certificate to a
PKCS#12 / p12 / PFX file. - The
generate-self-signed-certificate
command now supports generating
RSA certificates. RSA certificates are now the default, to match what
Apple uses by default. - Reworked how code requirements expressions are automatically derived.
This should result in self-signed certificates having correct requirements
expressions that no longer imply they were signed by Apple's CAs. In
addition, some Apple signing certificates should now opt into using a
more appropriate code requirements expression than before. This may have
fixed validation errors with some signatures. (#99) - Team name is no longer included in signature when signing with a non
Apple signed certificate. This matches the behavior of Apple's tools. (#101) - Fixed a bug where the
AnchorCertificateHash
code requirements expression
was being incorrectly formatted asanchor <slot> H"<hash>"
instead of
certificate <slot> = H"<hash>"
. - Added awareness of new Apple CA certificates:
Apple Application Integration CA 7 - G1 Certificate
,
Worldwide Developer Relations - G7
, andWorldwide Developer Relations - G8
. print-signature-info
now prints some integer values as strings containing
both the integer and hex forms. Additional fields are added to help debug
signature writing.- Conflicting binary identifiers within a universal Mach-O are now reconciled
to the initially seen value. This matches the behavior of Apple's tooling
and fixes a bug where drift between the values could cause bundle validation
to fail. (#103) - Fixed a bug where bundle signing would fail to overwrite preexisting state
in Mach-O binaries, leading to failed signature verification. This likely
only occurred when attempting to re-sign already signed binaries. (#104) - When signing bundles, non Mach-O resources files are no longer fully buffered
in memory to compute their content digests. This can drastically cut down
on memory usage when signing large resources files. Mach-O binaries are
still fully buffered in memory. (#45) - Removed
verify
warning about insecure code digests. The warning was spurious
and didn't take into account the nuanced logic for emitting SHA-1 digests.
(#50) - cryptographic-message-syntax 0.25 -> 0.26.
- x509-certificate 0.22 -> 0.23.
Apple Codesign 0.23.0
Release Info
Changelog
- Notarization features are now optional and can be controlled via the
enabled-by-defaultnotarize
crate feature. (#78) - Minimum supported Rust version changed from 1.62.1 to 1.70.0.
- CLI argument parsing has been rewritten to use clap's derive mode
instead of the builder mode. The intent was to mostly preserve existing
CLI behavior. However, some minor changes - possibly bugs - may have
occurred as a result of this refactor. AppleCodesignError::AwsS3Error
now stores aBox<T>
.- Added a hidden
debug-create-macho
command for generating Mach-O files.
The command (and new code behind it) is intended to facilitate writing
tests of Mach-O signing. - Added a hidden
debug-create-info-plist
command for generating Info.plist
files. The command is intended to be used to facilitate testing. - The
--code-signature-flags
argument of thesign
command now correctly
applies multiple values. Before, flags were set to the final specified
value. - Added several trycmd based tests for testing CLI and signing behaviors.
The trycmd tests may download a prebuilt Rust coreutils binary from
github.com when executing on platforms with prebuilt binaries. - The
--data
argument of theextract
command is now a positional argument. - Added a hidden
debug-create-code-requirements
command for generating
binary code requirements files. The command is intended to facilitate testing. - The
print-signature-info
command should now work on bundles. It may have
stopped working as part of an upgrade toserde_yaml
. The YAML output may
have changed slightly. CodeResources
files now emit"
instead of"
for parity with Apple
tooling.- SHA-1 digests are now automatically enabled when signing a Mach-O binary
without platform targeting. This mimics the behavior of Apple's tooling.
Before, we would only automatically activate SHA-1 digests when there was
a Mach-O load command targeting a too-old platform version which didn't
support SHA-256 digests. - An empty CMS blob is now automatically added when signing in ad-hoc mode.
Before, no CMS blob would be present. The new behavior matches that of
Apple's tooling. - Code signature data is now aligned to 16 byte boundaries in Mach-O binaries.
This matches the behavior of Apple tooling. - HTTP requests now use the operating system's trusted X.509 certificates
instead of a default set (based off Mozilla's maintained list). This should
allow connections to HTTP proxies using custom/private certificate authorities
to work, assuming certificates are installed on the local system. (#85) - Added a hidden
debug-create-entitlements
command for generating entitlements
plist files. The command is intended to facilitate testing. - The
print-signature-info
command YAML output now encodes entitlements XML
as an array of strings for easier readability. - A custom signing time can now be specified to force using a specific
time instead of the current time. The CMS signing and settings APIs have
changed accordingly. Thesign
command now accepts a--signing-time
argument to control the signing time. - The
generate-self-signed-certificate
command gained a
--pem-unified-filename
argument to write a PEM encoded file containing
both the private key and public certificate. - Fixed a bug where files would be identified as Mach-O when they weren't.
- Bundle signing logic has been significantly overhauled to hopefully make
it conform with Apple tooling's behavior. This likely fixed several bugs
with bundle signing. - Fixed a bundle signing bug where overwriting symlinks would incorrectly
result in anError: I/O error: File exists (os error 17)
or similar. - When signing bundles, symlinks in directories marked as nested should
now get properly sealed and installed. (#10) - When signing bundles, Mach-O binaries outside of nested directories
(e.g.Libraries/libFoo.dylib
) are automatically detected as Mach-O
binaries and signed. This behavior conforms with our stated behavior of
recursively signing all signable entities. However, it is incompatible
with Apple's tooling, which only signs Mach-O binaries located in
specific directories having the nested flag set. This change should
result in it just works single command signing of many complex
bundles. - Added a hidden
debug-file-tree
command to print simple directory
trees. The command is used by snapshot tests to validate bundle signing
behavior. - The CLI default log level has been changed to
warn
. As a result,
command output is less verbose.-v
restores the prior behavior. And
-vvv
is now needed to activatetrace
logging (previously-vv
was
the highest log level). - The
sign --exclude
argument is now honored for Mach-O binaries within
bundles. Previously, it only applied to bundle paths. - The default
CodeResources
rules for bundles lacking aResources/
now properly have trailing/
on rules referencing.lproj
directories.
Previously, these directories were likely not handled correctly. (#42) - Fixed a bug where attempting to sign Mach-O binaries having a
__TEXT
segment
whose start offset was >0 resulted in aMach-O segment corruption
error.
We can now properly sign such files. (#91) verify
command now errors if not given the path of a Mach-O binary.verify
command now prints a warning that its known to be buggy.- aws crates 0.53 -> 0.57.
- bitflags 1.3 -> 2.0.
- cryptographic-message-syntax 0.19 -> 0.25.
- dialoguer 0.10 -> 0.11.
- dirs 4.0 -> 5.0.
- elliptic-curve 0.12 -> 0.13.
- goblin 0.6 -> 0.7.
- minicbor 0.19 -> 0.20.
- once_cell 1.16 -> 1.17.
- pkcs1 0.4 -> 0.7.
- p256 0.11 -> 0.13.
- pem 1.1 -> 3.0.
- pkcs8 0.9 -> 0.10.
- rasn 0.6 -> 0.11.
- ring 0.16 -> 0.17.
- rsa 0.7 -> 0.9.
- signature 1.6 -> 2.0.
- spake2 0.3 -> 0.4.
- spki 0.6 -> 0.7.
- tungstenite 0.18 -> 0.20.
- x509-certificate 0.16 -> 0.22.
- yubikey 0.7 -> 0.8.
Apple Codesign 0.22.0
Release Info
Changelog
- Cargo.toml now defines patch version for all dependencies.
- goblin crate upgraded from 0.5 to 0.6.
- App Store Connect API code extracted to its own crate,
app-store-connect
.
The new crate lives in the same repository as this one. (#54)
Apple Codesign 0.21.0
Release Info
Changelog
- Embedded entitlements XML is now used when estimating the size of signatures.
Previously, this data could cause us to not reserve enough space for the
signature, causing signing to fail. (#32, #40) - Bundle stapling is now capable of stapling any bundle with a main executable,
not just app bundles with a main executable. (#41) - The
smartcard-scan
,smartcard-generate-key
, andsmartcard-import
commons are now always present, even when compiled without thesmartcard
crate feature enabled. The commands will error at runtime if smartcard support
is not enabled. - Minimum supported Rust version changed from 1.61.0 to 1.62.1.
- Changed handling of code requirements around bundle signing to hopefully fix
the sealed resource directory is invalid
errors. This should hopefully
enable signing adhoc app bundles with frameworks. Before, if a Mach-O inside
a bundle contained no designated requirements, no designated requirements
were emitted. After, designated requirements are derived automatically from
the digests of code directories in Mach-O binaries. Additionally, an empty
designated requirements blob can be emitted. (#44) - Shallow framework bundles are now properly recognized as such. This fixes
a common issue with signing iOS bundles. (#46)