iPhone code signing
iPhone 2.0 firmware checks the signature of every application; if the check fails, the process is killed automatically. Because the enforcement mechanism is built into many places in the kernel, simply patching the kernel is hard to make work.
1. codesign: self-sign with the Apple SDK tools
mac$ export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate
mac$ codesign -fs "CertificateName" ProgramName
See the Apple documentation below on how to create a self-signed certificate.
http://developer.apple.com/documentatio … ion_2.html
2. ldid
Install ldid on your iPhone with Cydia, then run
ldid -S programname
[Find Xcode's build output directory build/Release-iphoneos yourself, copy the application bundle to the iPhone's Applications directory with a tool such as WinSCP,
and then sign it:
1. First install ldid on the iPhone from the command line: apt-get install ldid
2. Then sign from the command line: ldid -S YourProgramName
Your program can then be copied out and installed on other jailbroken 2.0 iPhones.]
3. sysctl
I tried 1 and 2 on my device and neither worked; only this method let my program run. It does have other side effects, but they are easy to undo, or a simple reboot is enough.
Disable the codesign check:
sysctl -w security.mac.proc_enforce=0
sysctl -w security.mac.vnode_enforce=0
Restore the codesign check:
sysctl -w security.mac.proc_enforce=1
sysctl -w security.mac.vnode_enforce=1
The above is reposted from http://blog.csdn.net/ydfok/archive/2008/08/27/2836871.aspx
How code signing works
Code signing is in fact a fairly general technique, and the underlying implementation rests on RSA asymmetric (public-key) cryptography; the mathematics is not repeated here. An RSA key pair consists of a public key and a private key: the public key is published, and the private key is kept by its owner. A digital signature is usually produced like this: first compute a digest of the file, such as an MD5 hash, then encrypt that hash with your own private key and attach the result to the file.
When someone else receives the file, they decrypt the signature with the signer's public key and compare the result with the file's MD5 hash. This guarantees both that the file came from the claimed source and that its contents are intact.
Anyone who has used Nokia's high-end smartphones may know the phrase "signing the software": without a signature the device will not accept the software. Code signing exists mainly to guarantee that the code is safe, with no malicious or unsafe code in it.
Code signing ensures that code is authentic and positively identifies where it came from. Apple requires every application to be digitally signed before it can run on a development system and before it is submitted to Apple for distribution. In addition, Apple adds its own digital signature to every application before distributing it.
Reposted from: http://www.cocoachina.com/wiki/index.php?title=Signing_Code_For_iPhone_Development
Signing Code For iPhone Development
Code signing ensures the integrity of code and positively identifies the originator of the code. Apple requires all iPhone applications to be digitally signed before they can be run on a development system and before they are submitted to Apple for distribution. In addition, Apple adds its own digital signature to each application before distributing it.
Digital Signatures and Signing Identities
Apple requires that all iPhone applications be digitally signed with a signing certificate issued by Apple to a registered iPhone developer. This signature authenticates the identity of the developer of the application and ensures that the application has not been modified or corrupted since it was signed.
Digital signatures require the use of two distinct but mathematically-related encryption keys known as a public key and a private key. The private key is used in the signing process, and the public key is used to verify the signature. The public key is stored in the signing certificate; the private key is stored separately. This combination of a certificate and related private key is called a digital identity or signing identity.
To obtain a signing identity for iPhone development, you use the Certificate Assistant in the Keychain Access utility to create a Certificate Signing Request (CSR), which you submit for approval using the Program Portal of the iPhone Developer Program. When your request is approved, you download the certificate file and double-click to install it in your keychain. What may not be apparent in this procedure is that when you use the Certificate Assistant utility to generate a CSR, it automatically generates a public-private key pair. It includes the public key in the certificate request sent to Apple and stores the private key in your keychain.
When you download and install the signing certificate, the Keychain Access utility associates it with the private key, thus creating a signing identity. To see your certificates with their associated private keys, open the Keychain Access utility and click My Certificates in the Category pane.
When you install a signed application on your provisioned device, the iPhone OS verifies the signature to make sure the application was signed by you and has not been altered since it was signed. If the signature is not valid or if the code was not signed by you, the iPhone OS will not let the application run.
Similarly, when you send your application to Apple for approval and distribution, you must sign the application using your signing identity and send your signing certificate along with the application. (You do not send your private key to Apple.) Apple then verifies the signature to be sure that the code came from a registered developer (you) and has not been corrupted. Finally, Apple signs your signed application with its own signing certificate. Only then can your application run on an iPhone or iPod Touch other than your development device. This policy enables the owners of these devices to be secure in the knowledge that the applications they download from iTunes have been written by registered developers and have not been altered since they were created.
Copying a Signing Identity To Another Computer
If you want to use more than one computer for development (for example, your desktop computer in the office and your laptop at home), you need to have your signing identity on both computers. Because the signing certificate file you downloaded from the Program Portal does not include your private key, just copying this file to the second computer is not sufficient. Instead, use the Export Items menu item in the File menu of Keychain Access to export both the certificate and private key as a Personal Information Exchange (.p12) file and copy that file to the second computer. Double-click the file to install the certificate and key in the keychain.
Keeping Your Private Key Safe and Secure
This system is very secure as long as you keep your signing identity, especially your private key, secure. However, if any unauthorized person has access to your signing certificate and private key, then they can alter your application and sign the altered code, or they can write their own application and present it as yours. Therefore, the physical security of your private key is essential to prevent malicious use of your software and your identity.
Before obtaining a signing identity and proceeding to sign code, you must determine who within your company should possess the identity, who can use it, and how to keep it safe. For example, if the identity must be used by more than one person, you can keep it in the keychain of a secure computer and give the password of the keychain only to authorized users, or you can put the identity on a smart card to which only authorized users have the PIN.
By default, your keychain password is the same as your login password, and your keychain remains unlocked as long as you are logged in to your computer. This is akin to leaving your car keys on a table next to the back door, and leaving the back door unlocked all day. The fact that it requires a key to start your car is no protection against car theft if you don't keep the car key secure.
To provide some security for the signing identities and other valuable secrets stored in your keychain, you should adopt at least the following measures:
Set your keychain to lock itself when not in use: in the Keychain Access utility, choose Edit > Change Settings for Keychain, and check both Lock checkboxes.
Use a different password for your keychain than your login password: in the Keychain Access utility, choose Edit > Change Password to change your keychain's password. Click the lock icon in the Change Password dialog to get the password assistant, which tells you how secure your password is and can suggest passwords. Be sure to pick one you can remember; don't write it down anywhere.
In addition, provide physical security for your computers to prevent unauthorized people from gaining access to them.
As with any other important data, you should keep a backup of your signing identity in a safe place. You can put it in the keychain of another secure computer, or you can store it on an encrypted CD or in an encrypted disk image in the form of a Personal Information Exchange (.p12) file. Just be sure that all the passwords you use are strong and that all the computers you use for this purpose are kept physically secure, with access limited to a few trusted individuals.
Where to Start
Procedures for obtaining and installing a signing identity are detailed in the Program Portal on the iPhone Developer Program website. Click the Program Portal icon near the top-right corner of the iPhone Dev Center page (you have to be logged in to make this link active).