Skip to content

Apple Codesign 0.25.1
Compare
Choose a tag to compare
@indygreg indygreg released this 16 Nov 03:03
apple-codesign/0.25.1
35c877f

Release Info

Changelog

(The 0.25.0 release had a regression and the release notes for 0.25.0 are folded into this release.)

  • (Breaking change) The --extra-digest argument has been removed.
    --digest can now be specified multiple times. --digest is now a
    scoped value.
  • (Breaking change) The sign --remote-signer argument has been removed. It
    is now implicitly assumed via presence of a remote session initialization
    argument.
  • (Breaking change) Various signing settings no longer inherit to nested
    entities: --entitlements-xml-file, --code-requirements-file,
    --code-resources-file, --code-signature-flags, and --info-plist-file.
    The new behavior is much more conservative about which signing settings
    can be inherited and prevents unexpected results, such as all binaries
    in a bundle sharing the same entitlements or signing flags. Previous signers
    of bundles may find various signing settings disappearing from nested
    bundles or the non-main Mach-O binary within a bundle. It is highly encouraged
    to use the rcodesign diff-signatures command to compare results. If settings
    were dropped, add new scoped CLI arguments or use the new configuration
    file feature to add settings back in to specific paths.
  • (New feature) Configuration file support added. TOML based configuration
    files can now define signers and signing settings in named profiles,
    allowing for automatic and near effortless reuse of common configurations.
    See the documentation for more.
  • (New feature) Environment constraints support. We now support defining launch
    constraints and library constraints. We don't yet fully understand the
    interactions of constraints and code signing. If using constraints, we
    highly recommend comparing signature output with Apple's tooling to validate
    similar behavior. If you notice discrepancies, please file a GitHub issue!
    (#83)
  • Detection of nested bundles now looks for CFBundlePackageType or
    CFBundleIdentifier in bundle Info.plist and ignores bundles
    lacking these. As a result, we no longer attempt signing of storybook
    bundles and other non-signable bundle-looking directories and no
    longer likely encounter errors in the process. (#38)
  • CLI arguments for paths are now consistently named --foo-file
    instead of using a mix of --foo-path, --foo-filename, and
    potentially other variants. The old names are still recognized as
    aliases to maintain backwards compatibility.
  • Changed heuristic for naming a binary identifier from its path to be
    more similar to Apple's. e.g. foo1.2.dylib will now resolve to foo1
    instead of foo1.2. We still don't use the binary UUID or digest of its
    load commands to compute the binary identifier like Apple does.
  • When signing nested Mach-O binaries in a bundle, we now set the binary
    identifier from the filename rather than preserving the identifier in an
    existing signature. This helps ensure identifiers stay in sync and prevents
    bad signatures. (#109)
  • print-signature-info now prints the entitlements plist decoded from DER.
    (#75)
  • We no longer obtain placeholder time-stamp tokens when estimating the size
    of embedded signatures. Instead, we statically reserve 8192 bytes for the
    token. This may cause signatures to increase in size by a few kilobytes,
    as Apple's TSTs are ~4200 bytes. Signing should now be faster since we avoid
    an excessive network roundtrip. (#4)
Assets 17
Loading
0 Join discussion