iPhone code signing: self-signing, how it works, and disabling the check


iPhone code signing

iPhone OS 2.0 checks the signature of every application; if the check fails, the application is killed automatically. Because the verification mechanism is implemented largely in the kernel, it is hard to defeat simply by patching the kernel.

1. codesign: self-sign with the Apple SDK tools
Mac $ export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
Mac $ codesign -fs "CertificateName" programname
Refer to the following Apple documentation for how to create a self-signed certificate.
Http://developer.apple.com/documentatio... Ion_2.html

2. ldid
Install ldid on your iPhone with Cydia, then run
ldid -S programname

[Find the Xcode build output directory, build/Release-iphoneos, and upload the application bundle to the iPhone's Applications directory with a tool such as WinSCP.
Then sign it:
1. Install ldid on the iPhone first. Command line: apt-get install ldid
2. Sign the binary with: ldid -S yourprogramname
The program can now be copied out and installed on any other jailbroken 2.0 iPhone.]

3. sysctl

I tried both 1 and 2 on my device and neither worked. Only this method lets me run the program, but it has other side effects; they are easy to revert, or you can simply reboot.
Disable the code-signing check:
sysctl -w security.mac.proc_enforce=0
sysctl -w security.mac.vnode_enforce=0
Restore the code-signing check:
sysctl -w security.mac.proc_enforce=1
sysctl -w security.mac.vnode_enforce=1

The above is reproduced from http://blog.csdn.net/ydfok/archive/2008/08/27/2836871.aspx

How code signing works

Code signing is a widely used technique whose underlying implementation rests on RSA asymmetric encryption; the mathematics are not covered here. In the RSA key system there is a public key and a private key: the public key is published, and the private key is kept by its owner. A digital signature is generally produced like this: first compute a digest of the file, such as an MD5 hash, then encrypt that hash with your own private key and attach the result to the file.
When someone else obtains the file, they decrypt the attached signature with the signer's public key and compare the result with the MD5 hash of the file. In this way both the authenticity of the source and the integrity of the data are assured.

Anyone who has used Nokia's high-end smartphones may know the phrase "the software must be signed"; otherwise the device will not accept it. Code signing is mainly used to ensure code security, that is, that no malicious or unsafe code is present.
Code signing guarantees the authenticity of the code and clearly identifies its source. Apple requires that every application be digitally signed before it can run on a development system and before it is submitted to Apple for release. In addition, Apple adds its own digital signature to each application before publishing it.

From: http://www.cocoachina.com/wiki/index.php?title=signing_code_for_iphone_development (Signing Code for iPhone Development)

(Signing code for iPhone development)

Code signing ensures the integrity of code and positively identifies the originator of the code. Apple requires all iPhone applications to be digitally signed before they can be run on a development system and before they are submitted to Apple for distribution. In addition, Apple adds its own digital signature to each application before distributing it.

(Code signing ensures the integrity of the code and identifies its developer. Apple requires every iPhone program to be digitally signed, both to run it on a development system and to submit it to Apple for release. In addition, Apple adds its own digital signature at release time.)

Digital signatures and signing identities

(Digital signatures and signing identities)

Apple requires that all iPhone applications be digitally signed with a signing certificate issued by Apple to a registered iPhone developer. This signature authenticates the identity of the developer of the application and ensures that the application has not been modified or corrupted since it was signed.

(Apple requires every iPhone application to be digitally signed with a certificate it issues to a registered developer. The signature identifies the developer of the application and ensures that the application has not been altered or damaged since it was signed.)

Digital signatures require the use of two distinct but mathematically-related encryption keys known as a public key and a private key. The private key is used in the signing process, and the public key is used to verify the signature. The public key is stored in the signing certificate; the private key is stored separately. This combination of a certificate and related private key is called a digital identity or signing identity.

(A digital signature requires two keys, a public key and a private key. The private key is used to produce the signature and the public key to verify it. The public key is stored in the signing certificate, and the private key is stored elsewhere. The certificate together with its private key is called a digital identity or signing identity.)

To obtain a signing identity for iPhone development, you use the Certificate Assistant in the Keychain Access utility to create a Certificate Signing Request (CSR), which you submit for approval using the Program Portal of the iPhone Developer Program. When your request is approved, you download the certificate file and double-click to install it in your keychain. What may not be apparent in this procedure is that when you use the Certificate Assistant utility to generate a CSR, it automatically generates a public-private key pair. It includes the public key in the certificate request sent to Apple and stores the private key in your keychain.

(To obtain a signing identity for iPhone development, use the Certificate Assistant in the Keychain Access tool to create a Certificate Signing Request (CSR) and submit it through the Program Portal of the iPhone Developer Program. Once the request is approved, download the certificate and double-click it to install it in your keychain. When the Certificate Assistant creates the CSR it automatically generates a public/private key pair: the public key is included in the request sent to Apple, and the private key is stored in your keychain.)

When you download and install the signing certificate, the Keychain Access utility associates it with the private key, thus creating a signing identity. To see your certificates with their associated private keys, open the Keychain Access utility and click My Certificates in the Category pane.

(When you download and install the signing certificate, the Keychain Access tool associates it with the private key, creating a signing identity. To view your certificates and their keys, open Keychain Access and click My Certificates in the Category pane.)

When you install a signed application on your provisioned device, the iPhone OS verifies the signature to make sure the application was signed by you and has not been altered since it was signed. If the signature is not valid or if the code was not signed by you, the iPhone OS will not let the application run.

(After you install a signed program on your provisioned device, the iPhone operating system verifies the signature to check that the application was signed by you and has not been changed since. If the signature is invalid or was not created by you, the iPhone operating system will not allow the program to run.)

Similarly, when you send your application to Apple for approval and distribution, you must sign the application using your signing identity and send your signing certificate along with the application. (You do not send your private key to Apple.) Apple then verifies the signature to be sure that the code came from a registered developer (you) and has not been corrupted. Finally, Apple signs your signed application with its own signing certificate. Only then can your application run on an iPhone or iPod touch other than your development device. This policy enables the owners of these devices to be secure in the knowledge that the applications they download from iTunes have been written by registered developers and have not been altered since they were created.

(When you send your application to Apple, you sign it with your signing identity and send your signing certificate along with it, but never your private key. Apple then verifies the signature to confirm that the application came from a registered developer and has not been damaged. Finally, Apple adds its own signature on top of yours. Only then can your application run on iPhones and iPod touches other than your development device, which assures their owners that what they download from iTunes was written by a registered developer and has not been modified by others.)
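A toy model of the hash, sign, verify and countersign flow described in the "How code signing works" section and in the paragraph above, added here as an example (not code from the original post or from Apple's tooling). It uses textbook RSA over pairs of Mersenne primes as constructed stand-ins for the developer's and Apple's key pairs, and SHA-256 in place of the MD5 the post names, since MD5 is no longer collision-resistant; real code signing additionally pads the digest (PKCS#1) and binds the public key to an identity through a certificate, neither of which is modelled.

```python
import hashlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA: return ((d, n), (e, n)) for distinct primes p and q."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python >= 3.8)
    return (d, n), (e, n)


# Constructed key material: 2**k - 1 for these k are Mersenne primes, so each
# modulus is a product of two known primes and is far larger than a 256-bit digest.
DEV_PRIV, DEV_PUB = make_keypair(2**521 - 1, 2**607 - 1)       # developer (toy)
APPLE_PRIV, APPLE_PUB = make_keypair(2**1279 - 1, 2**127 - 1)  # Apple (hypothetical, toy)


def digest(data: bytes) -> int:
    """Hash the code and read the digest as an integer (always below n here)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key) -> int:
    """Signature = digest raised to the private exponent (raw, unpadded RSA)."""
    d, n = private_key
    return pow(digest(data), d, n)


def verify(data: bytes, signature: int, public_key) -> bool:
    """Undo the signing step with the public exponent and compare to a fresh digest."""
    e, n = public_key
    return pow(signature, e, n) == digest(data)


def developer_release(code: bytes) -> dict:
    """Developer signs the code; Apple verifies it and then countersigns the
    code together with the developer's signature, as the text describes."""
    dev_sig = sign(code, DEV_PRIV)
    if not verify(code, dev_sig, DEV_PUB):      # Apple's pre-release check
        raise ValueError("developer signature does not verify")
    apple_sig = sign(code + str(dev_sig).encode(), APPLE_PRIV)
    return {"code": code, "dev_sig": dev_sig, "apple_sig": apple_sig}


def device_accepts(bundle: dict) -> bool:
    """What the device checks at launch: both signatures must cover the bytes
    it is about to run, so patching the code invalidates both at once."""
    code, dev_sig = bundle["code"], bundle["dev_sig"]
    return (verify(code, dev_sig, DEV_PUB)
            and verify(code + str(dev_sig).encode(), bundle["apple_sig"], APPLE_PUB))
```

Swapping the code in a released bundle, or signing with a key Apple never countersigned, makes device_accepts return False, which is the behaviour the post attributes to the 2.0 firmware.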

Copying a signing identity to another computer

(Copying a signing identity to another computer)

If you want to use more than one computer for development (for example, your desktop computer in the office and your laptop at home), you need to have your signing identity on both computers. Because the signing certificate file you downloaded from the Program Portal does not include your private key, just copying this file to the second computer is not sufficient. Instead, use the Export Items menu item in the File menu of Keychain Access to export both the certificate and private key as a Personal Information Exchange (.p12) file and copy that file to the second computer. Double-click the file to install the certificate and key in the keychain.

(If you develop on more than one computer (for example, a desktop in the office and a laptop at home), you need your signing identity on both. Because the certificate you downloaded from the Program Portal does not contain your private key, simply copying it to the other machine is not enough. Instead, use Export Items in the File menu of Keychain Access to export the certificate and private key together as a Personal Information Exchange (.p12) file, copy it to the second computer, and double-click it there to install both into the keychain.)

Keeping your private key safe and secure

(Keeping your private key safe and secure)

This system is very secure as long as you keep your signing identity, especially your private key, secure. However, if any unauthorized person has access to your signing certificate and private key, then they can alter your application and sign the altered code, or they can write their own application and present it as yours. Therefore, the physical security of your private key is essential to prevent malicious use of your software and your identity.

(The security of this system rests on keeping your signing identity, and above all your private key, secure. If an unauthorized person obtains your signing certificate and private key, they can alter your application and sign the altered code, or write their own application and pass it off as yours. The physical security of your private key is therefore fundamental to protecting your software and your identity.)

Before obtaining a signing identity and proceeding to sign code, you must determine who within your company should possess the identity, who can use it, and how to keep it safe. For example, if the identity must be used by more than one person, you can keep it in the keychain of a secure computer and give the password of the keychain only to authorized users, or you can put the identity on a smart card to which only authorized users have the PIN.

(Before obtaining a signing identity and signing code with it, decide who in your company will hold the identity, who may use it, and how to keep it safe. For example, if several people must use it, keep it in the keychain of a secure computer and give the keychain password only to authorized users, or store it on a smart card whose PIN only authorized users know.)

By default, your keychain password is the same as your login password, and your keychain remains unlocked as long as you are logged in to your computer. This is akin to leaving your car keys on a table next to the back door, and leaving the back door unlocked all day. The fact that it requires a key to start your car is no protection against car theft if you don't keep the car key secure.

(By default, your keychain password is the same as your login password, and the keychain stays unlocked as long as you are logged in. That is like leaving your car keys on a table by the back door and leaving the back door unlocked all day: needing a key to start the car is no protection if you do not look after the key.)

To provide some security for the signing identities and other valuable secrets stored in your keychain, you should adopt at least the following measures: Set your keychain to lock itself when not in use: In the Keychain Access utility, choose Edit > Change Settings for Keychain, and check both lock checkboxes.

(To protect the signing identities and other secrets in your keychain, adopt at least the following measures. Make the keychain lock itself when not in use: in Keychain Access choose Edit > Change Settings for Keychain and check both lock checkboxes.)

Use a different password for your keychain than your login password: In the Keychain Access utility, choose Edit > Change Password to change your keychain's password. Click the lock icon in the Change Password dialog to get the Password Assistant, which tells you how secure your password is and can suggest passwords. Be sure to pick one you can remember; don't write it down anywhere.

(Use a keychain password different from your login password: in Keychain Access choose Edit > Change Password. Clicking the lock icon in the Change Password dialog opens the Password Assistant, which rates the strength of your password and can suggest one. Pick a password you can remember and do not write it down anywhere.)

In addition, provide physical security for your computers to prevent unauthorized people from gaining access to them.

(Provide physical security for your computers so that unauthorized people cannot gain access to them.)

As with any other important data, you should keep a backup of your signing identity in a safe place. You can put it in the keychain of another secure computer, or you can store it on an encrypted CD or in an encrypted disk image in the form of a Personal Information Exchange (.p12) file. Just be sure that all the passwords you use are strong and that all the computers you use for this purpose are kept physically secure, with access limited to a few trusted individuals.

(As with any other important data, keep a backup of your signing identity in a safe place: the keychain of another secure computer, an encrypted CD, or an encrypted disk image holding a .p12 file. Make sure every password involved is strong and that the computers used for this are physically secure, with access limited to a few trusted individuals.)

Where to start

(Where to start)
Procedures for obtaining and installing a signing identity are detailed in the Program Portal on the iPhone Developer Program website. Click the Program Portal icon near the top-right corner of the iPhone Dev Center page (you have to be logged in to make this link active).
(The iPhone Developer Program website describes in detail how to obtain and install a signing identity. Click the Program Portal icon near the top right of the iPhone Dev Center page; you must be logged in for the link to work.)
