Description
The current Xcode re-signing step is for disabling the "Library Validation" feature since Xcode 8.
This is the codesign information for the original Xcode and the re-signed Xcode.
original 12.4

```
Executable=/Applications/Xcode_12.4.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89179fda01d07ba9862d293b896020a0b3516de6
CandidateCDHashFull sha256=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
Hash choices=sha256
CMSDigest=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
CMSDigestType=2
CDHash=89179fda01d07ba9862d293b896020a0b3516de6
Signature size=4547
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=44
TeamIdentifier=59GAB85EFG
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=68
```
re-signed 12.4

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=4d8e4e0d729d83a8afe1da4155560c764b23a821
CandidateCDHashFull sha256=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
Hash choices=sha256
CMSDigest=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
CMSDigestType=2
CDHash=4d8e4e0d729d83a8afe1da4155560c764b23a821
Signature size=1604
Authority=XcodeSigner
Signed Time=Apr 20, 2021 10:04:14
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=96
```
original old versions

7.3.1 has 0x0(none) flags

```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```

CodeDirectory flags changed to 0x0(none) from flags=0x2000(library-validation),
and TeamIdentifier becomes not set.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent.
Both Xcodes (re-signed and signature removed) no longer prevent a malicious plugin like XcodeGhost, thus removing the codesign signature is the same risk.
Removing the codesign signature from Xcode is simple, faster and has no expiry period.

NOTE: this does not resolve sign-in to Apple ID via Xcode on Big Sur.

Tested on Intel Mac.
TBD for M1 Mac.

| xcode | env | load system | x64 | arm64 |
|---|---|---|---|---|
| re-signed | any | Xcode Plugin | ✅ | ✅ |
| remove codesign (don't use! this causes a `tccd` problem) | any | Xcode Plugin | ✅ | TBD |
| original | disable library-validation | Xcode Plugin | TBD | TBD |
| original | disable library-validation and SIP | Xcode Plugin | ✅ | TBD |
| original | disable library-validation and SIP | SIMBL | ✅ | MacForge 1.1.0 does not yet support M1 |

hmm, is re-signing for tccd process performance...?
In my use case, I could not run the app on the iOS simulator.
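
As an added example (not part of the original issue or the project's own code): a shell function that condenses `codesign -dvvv` output into the three fields compared above, namely the root of the Authority chain, the library-validation bit (0x2000) in the CodeDirectory flags, and TeamIdentifier. The function name, the output format and the two embedded samples (excerpted from the outputs quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: summarise `codesign -dvvv` text read from stdin as
# "signer=<apple|other|none> lv=<on|off> team=<value>".
# It parses the displayed fields only; it does not verify the signature.
summarize_codesign() {
  awk '
    /^CodeDirectory / && match($0, /flags=0x[0-9a-fA-F]+/) {
      signed = 1
      hex = tolower(substr($0, RSTART + 8, RLENGTH - 8))   # digits after "flags=0x"
      flags = 0
      for (i = 1; i <= length(hex); i++)
        flags = flags * 16 + index("0123456789abcdef", substr(hex, i, 1)) - 1
    }
    /^Authority=/      { root = substr($0, 11) }   # last Authority line is the chain root
    /^TeamIdentifier=/ { team = substr($0, 16) }
    END {
      if (!signed) { print "signer=none lv=off team=none"; exit }
      lv  = (int(flags / 8192) % 2 == 1) ? "on" : "off"   # 0x2000 = library-validation
      who = (root == "Apple Root CA") ? "apple" : "other"
      gsub(/ /, "-", team)
      print "signer=" who " lv=" lv " team=" team
    }'
}

# Sample inputs: excerpts of the "original 12.4" and "re-signed 12.4" outputs above.
sample_original() { cat <<'EOF'
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=59GAB85EFG
EOF
}
sample_resigned() { cat <<'EOF'
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Authority=XcodeSigner
TeamIdentifier=not set
EOF
}

sample_original | summarize_codesign   # -> signer=apple lv=on team=59GAB85EFG
sample_resigned | summarize_codesign   # -> signer=other lv=off team=not-set
# On a Mac, codesign -d writes to stderr:
#   codesign -dvvv /Applications/Xcode.app 2>&1 | summarize_codesign
```

Anything other than `signer=apple lv=on` on a current Xcode means the bundle no longer carries Apple's signature with library validation, which is the state the issue describes for both the re-signed and the signature-stripped variants.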