Reconsider Xcode re-signing instruction. #376

@r-plus


The current Xcode re-signing step is for disabling the "Library Validation" feature since Xcode 8.

This is the codesign information for the original Xcode and the re-signed Xcode.

original 12.4

```
Executable=/Applications/Xcode_12.4.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89179fda01d07ba9862d293b896020a0b3516de6
CandidateCDHashFull sha256=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
Hash choices=sha256
CMSDigest=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
CMSDigestType=2
CDHash=89179fda01d07ba9862d293b896020a0b3516de6
Signature size=4547
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=44
TeamIdentifier=59GAB85EFG
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=68
```

re-signed 12.4

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=4d8e4e0d729d83a8afe1da4155560c764b23a821
CandidateCDHashFull sha256=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
Hash choices=sha256
CMSDigest=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
CMSDigestType=2
CDHash=4d8e4e0d729d83a8afe1da4155560c764b23a821
Signature size=1604
Authority=XcodeSigner
Signed Time=Apr 20, 2021 10:04:14
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=96
```

original old versions

7.3.1 has 0x0(none) flags
```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```

The CodeDirectory flags changed to 0x0(none) from flags=0x2000(library-validation),
and TeamIdentifier will be not set.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent.
Both Xcodes (re-signed and signature-removed) no longer prevent malicious plugins like XcodeGhost, thus removing the codesign signature is the same risk.

Removing the codesign signature from Xcode is simple, faster and has no expiry period.
NOTE: this does not resolve sign-in to Apple ID via Xcode on Big Sur.

Tested on Intel Mac.
TBD for M1 Mac.

xcode env load system x64 arm64
re-signed any Xcode Plugin
remove codesign (don't use! this occur `tccd` problem) any Xcode Plugin TBD
original disable library-validation Xcode Plugin TBD TBD
disable library-validation and SIP Xcode Plugin TBD
SIMBL MacForge 1.1.0 not yet support M1

Hmm, is re-signing for tccd process performance...?
In my use case, I could not run the app on the iOS simulator.
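
The comparison in this issue comes down to two fields of the `codesign -dvvv` output: the `library-validation` bit in the CodeDirectory flags and the Authority chain. As an added example (not part of the original issue or the project's code), this shell function classifies that output; the function name, the output labels and the sample variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify the text printed by `codesign -dvvv <app> 2>&1`.
# Reads that text on stdin; prints "<signer> lv=<on|off>" or "unsigned".
CS_REQUIRE_LV=0x2000  # flag bit that codesign labels "library-validation"

classify_codesign() (
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'code object is not signed at all'; then
    echo unsigned; exit 0
  fi
  # Numeric flags value, e.g. flags=0x2000(library-validation) -> 0x2000
  flags=$(printf '%s\n' "$out" |
    sed -n 's/^CodeDirectory .* flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1)
  [ -n "$flags" ] || { echo unknown; exit 1; }
  # The first Authority line is the leaf certificate, the last is the root.
  chain=$(printf '%s\n' "$out" | sed -n 's/^Authority=//p')
  leaf=$(printf '%s\n' "$chain" | head -n 1)
  root=$(printf '%s\n' "$chain" | tail -n 1)
  if [ "$leaf" = "Software Signing" ] && [ "$root" = "Apple Root CA" ]; then
    signer=apple
  else
    signer="other:${leaf:-no-authority}"
  fi
  # Test the bit, not the label: the flags field can combine several bits.
  if [ $(( $flags & $CS_REQUIRE_LV )) -ne 0 ]; then lv=on; else lv=off; fi
  echo "$signer lv=$lv"
)

# Constructed samples: the relevant lines of the three outputs in this issue.
SAMPLE_ORIGINAL_12_4='CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'
SAMPLE_RESIGNED_12_4='CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Authority=XcodeSigner
TeamIdentifier=not set'
SAMPLE_ORIGINAL_7_3_1='CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA'

for s in "$SAMPLE_ORIGINAL_12_4" "$SAMPLE_RESIGNED_12_4" "$SAMPLE_ORIGINAL_7_3_1"; do
  printf '%s\n' "$s" | classify_codesign
done
```

On macOS, feed it real output with `codesign -dvvv /Applications/Xcode.app 2>&1 | classify_codesign`. It only reads what codesign displays, so `codesign --verify` is still needed to check that the signature itself is valid.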
