google · russellhancox · Apr 5, 2024 · Apr 5, 2024 · Apr 5, 2024
diff --git a/.bazelversion b/.bazelversion
@@ -0,0 +1 @@
+6.3.2
diff --git a/MOLCodesignChecker.podspec b/MOLCodesignChecker.podspec
diff --git a/Podfile b/Podfile
diff --git a/Podfile.lock b/Podfile.lock
diff --git a/README.md b/README.md
@@ -31,28 +31,13 @@ Provides an easy way to do code signature validation in Objective-C
 
 ## Installation
 
-#### Using CocoaPods
-
-Add the following line to your Podfile:
-
-```
-pod 'MOLCodesignChecker'
-```
-
 #### Using [Bazel](http://bazel.build)
 
 Add the following to your WORKSPACE:
 
 ```
 load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
 
-# Needed for MOLCodesignChecker
-git_repository(
-    name = "MOLCertificate",
-    remote = "https://github.com/google/macops-molcertificate.git",
-    tag = "v2.1",
-)
-
 git_repository(
     name = "MOLCodesignChecker",
     remote = "https://github.com/google/macops-molcodesignchecker.git",
@@ -70,12 +55,6 @@ objc_library(
 )
 </pre>
 
-## Documentation
-
-Reference documentation is at CocoaDocs.org:
-
-http://cocoadocs.org/docsets/MOLCodesignChecker
-
 ## Contributing
 
 Patches to this library are very much welcome. Please see the

diff --git a/Source/MOLCodesignChecker/MOLCodesignChecker.h b/Source/MOLCodesignChecker/MOLCodesignChecker.h
@@ -68,6 +68,21 @@
 /** Code signature flags. */
 @property(readonly, nonatomic) uint32_t signatureFlags;
 
+/** The CDHash for this binary, if properly signed. */
+@property(readonly) NSString *cdhash;
+
+/** The Team ID from the certificate that signed this binary. */
+@property(readonly) NSString *teamID;
+
+/** The developer provided signing ID for this binary. */
+@property(readonly) NSString *signingID;
+
+/** Whether or not this binary is considered a platform binary (i.e. part of the OS) */
+@property(readonly) BOOL platformBinary;
+
+/** The entitlements encoded in this binary. */
+@property(readonly) NSDictionary *entitlements;
+
 /**
   Designated initializer
 

diff --git a/Source/MOLCodesignChecker/MOLCodesignChecker.m b/Source/MOLCodesignChecker/MOLCodesignChecker.m
@@ -269,6 +269,35 @@ - (uint32_t)signatureFlags {
   return [self.signingInformation[(__bridge id)kSecCodeInfoFlags] intValue];
 }
 
+- (NSString *)cdhash {
+  NSData *d = (NSData *)self.signingInformation[(__bridge id)kSecCodeInfoUnique];
+  const unsigned char *buf = d.bytes;
+
+  NSMutableString *s = [NSMutableString stringWithCapacity:d.length * 2];
+  for (int i = 0; i < d.length; ++i) {
+    [s appendFormat:@"%02x", buf[i]];
+  }
+  return s;
+}
+
+- (NSString *)teamID {
+  return self.signingInformation[(__bridge id)kSecCodeInfoTeamIdentifier];
+}
+
+- (NSString *)signingID {
+  return self.signingInformation[(__bridge id)kSecCodeInfoIdentifier];
+}
+
+- (BOOL)platformBinary {
+  id p = self.signingInformation[(__bridge id)kSecCodeInfoPlatformIdentifier];
+  if (![p isKindOfClass:[NSNumber class]] || [p intValue] == 0) return NO;
+  return YES;
+}
+
+- (NSDictionary *)entitlements {
+  return self.signingInformation[(__bridge NSString *)kSecCodeInfoEntitlementsDict];
+}
+
 - (BOOL)signingInformationMatches:(MOLCodesignChecker *)otherChecker {
   return [self.certificates isEqual:otherChecker.certificates];
 }

diff --git a/Tests/MOLCodesignCheckerTest.m b/Tests/MOLCodesignCheckerTest.m
@@ -125,7 +125,6 @@ - (void)testInitWithFileDescriptor {
   int fd = open(path.UTF8String, O_RDONLY | O_CLOEXEC);
   MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path fileDescriptor:fd];
   XCTAssertNotNil(sut.signingInformation);
-  XCTAssertEqual(lseek(fd, 0, SEEK_CUR), sizeof(struct fat_header));
   close(fd);
 }
 
@@ -184,9 +183,62 @@ - (void)testTeamID {
   MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&error];
   XCTAssertNotNil(sut.signingInformation);
   XCTAssertNil(error);
+  XCTAssertEqualObjects(sut.teamID, @"EQHXZ8M8AV");
+}
+
+- (void)testCDHash {
+  NSError *error;
+  NSBundle *bundle = [NSBundle bundleForClass:[self class]];
+  NSString *path = [bundle pathForResource:@"signed-with-teamid" ofType:@""];
+
+  MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&error];
+  XCTAssertNotNil(sut.signingInformation);
+  XCTAssertNil(error);
+  XCTAssertEqualObjects(sut.cdhash, @"23cbe7039ac34bf26f0b1ccc22ff96d6f0d80b72");
+}
+
+- (void)testSigningID {
+  NSError *error;
+  NSBundle *bundle = [NSBundle bundleForClass:[self class]];
+  NSString *path = [bundle pathForResource:@"signed-with-teamid" ofType:@""];
+
+  MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&error];
+  XCTAssertNotNil(sut.signingInformation);
+  XCTAssertNil(error);
+  XCTAssertEqualObjects(sut.signingID, @"goodcert");
+}
+
+- (void)testPlatformBinary {
+  NSError *error;
+  NSBundle *bundle = [NSBundle bundleForClass:[self class]];
+  NSString *path = [bundle pathForResource:@"signed-with-teamid" ofType:@""];
+
+  MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&error];
+  XCTAssertNotNil(sut.signingInformation);
+  XCTAssertNil(error);
+  XCTAssertFalse(sut.platformBinary);
+
+  sut = [[MOLCodesignChecker alloc] initWithBinaryPath:@"/sbin/launchd"];
+  XCTAssertNotNil(sut);
+  XCTAssertTrue(sut.platformBinary);
+}
+
+- (void)testEntitlements {
+  NSError *error;
+  NSBundle *bundle = [NSBundle bundleForClass:[self class]];
+  NSString *path = [bundle pathForResource:@"signed-with-teamid" ofType:@""];
 
-  NSString *gotTeamID = [sut.signingInformation valueForKey:@"teamid"];
-  XCTAssertEqualObjects(@"EQHXZ8M8AV", gotTeamID);
+  MOLCodesignChecker *sut = [[MOLCodesignChecker alloc] initWithBinaryPath:path error:&error];
+  XCTAssertNotNil(sut.signingInformation);
+  XCTAssertNil(error);
+  XCTAssertNil(sut.entitlements);
+
+  sut = [[MOLCodesignChecker alloc] initWithBinaryPath:@"/usr/bin/eslogger"];
+  XCTAssertNotNil(sut);
+  NSDictionary *wantedEntitlements = @{
+      @"com.apple.developer.endpoint-security.client" : @YES,
+  };
+  XCTAssertEqualObjects(sut.entitlements, wantedEntitlements);
 }
 
 @end
diff --git a/WORKSPACE b/WORKSPACE
@@ -1,15 +1,13 @@
 load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
-git_repository(
+http_archive(
     name = "build_bazel_rules_apple",
-    remote = "https://github.com/bazelbuild/rules_apple.git",
-    tag = "0.31.3",
+    sha256 = "8ac4c7997d863f3c4347ba996e831b5ec8f7af885ee8d4fe36f1c3c8f0092b2c",
+    url = "https://github.com/bazelbuild/rules_apple/releases/download/2.5.0/rules_apple.2.5.0.tar.gz",
 )
 
-load(
-    "@build_bazel_rules_apple//apple:repositories.bzl",
-    "apple_rules_dependencies",
-)
+load("@build_bazel_rules_apple//apple:repositories.bzl", "apple_rules_dependencies")
 
 apple_rules_dependencies()