Bypassing iPhone Code Signatures

【Bypassing iPhone Code Signatures】

　　Starting with the recent beta releases of the iPhoneOS, Apple has started requiring that all code on the device is signed. This is mostly to make it impossible for programs running through Apple's AppStore to download more software and run it (so no competition for AppStore).

　　iOS要求所有程序都必须签名。

　　In order to get around this (and thereby to install our own code onto the device) the iPhone Dev Team has patched the signature verification out of the kernel. However, another half of the codesign problem is that the binary contains a number of SHA1 verification hashes that are checked in numerous locations throughout the kernel. Patching this out is A) difficult (especially to track as Apple makes changes) and B) of marginal benefit as adding these hashes is easy. This means you do still have to at least pay lipservice to the code signature process. There are currently three viable options.

　　iPhone Dev Team已经把签名校验机制从内核中抽离出来。可是，对于SHA1的校验确无处不在，A）把所有这些校验机制抽离出来很困难（尤其是要跟得上苹果的变化），B）添加这些hashes很容易。

　　所以有以下3种方式可以用来帮助绕过这些SHA1校验：

　　1、Option #1: Self-Signing

　　　　使用苹果的签名工具codesign进行签名即可。

　　2、Option #2: Pseudo-Signing

　　　　codesign是macos平台上的工具，linux平台可以使用ldid。

　　3、Option #3: Disable Checks

　　　　关闭所有的校验。

【Entitlements】

　　Every executable also has an XML file (specifically an Objective-C Property List) that is signed into it that is its block of "entitlements". This area is read (I'm not certain by who, but I'd guess the kernel) to determine what seatbelt profile to apply to that process and what extra abilities it gets.

　　To dump or set the entitlements of a binary we can use ldid. Dumping uses -e and setting involves passing an argument to -S as you sign the file. You can also pass --entitlements to codesign.

　　ldid -e选项用于从bin中导出entitlements权限，-S选项用于签名，给-S添加参数的是一个entitlements文件。也可通过给codesign --entitlements选项来设置权限。如下：

　　

【Entitlement实战】

　　

参考：http://www.saurik.com/id/8