Apple Codesign 0.28.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Fixed env_logger construction so RUST_LOG environment variable is
  respected. (#162)
• MSRV 1.70 -> 1.78.
• Improve logging of S3 upload failures. We should now hopefully print something
  more useful than s3 upload error: unhandled error on failures.
• Info.plist path handling should be more robust. This should fix errors
  like I/O error: No such file or directory when signing Frameworks. (#163)
• Enabled http2 feature of reqwest crate. This may provide better HTTP/2.0
  compatibility.
• aws-config 1.1 -> 1.5.
• aws-sdk-s3 1.12 -> 1.24.
• aws-smithy-types 1.1 -> 1.2.
• base64 0.21 -> 0.22.
• bitflags 2.4 -> 2.6.
• bytes 1.5 -> 1.8.
• cryptographic-message-syntax 0.26 -> 0.27.
• env_logger 0.10 -> 0.11.
• goblin 0.8 -> 0.9.
• minicbor 0.20 -> 0.24.
• object 0.32 -> 0.36.
• oid-registry 0.6 -> 0.7.
• once_cell 1.19 -> 1.20.
• plist 1.6 -> 1.7.
• rasn 0.12 -> 0.20.
• rayon 1.8 -> 1.10.
• regex 1.10 -> 1.11.
• reqwest 0.11 -> 0.12.
• security-framework 2.9 -> 2.11.
• subtle 2.5 -> 2.6.
• tempfile 3.9 -> 3.13.
• tokio 1.35 -> 1.41.
• tungstenite 0.21 -> 0.24.
• uuid 1.6 -> 1.11.
• walkdir 2.4 -> 2.5.
• widestring 1.0 -> 1.1.
• x509-certificate 0.23 -> 0.24.
• zeroize 1.7 -> 1.8.
• zip 0.6 -> 2.2.

Apple Codesign 0.27.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Published a GitHub Action for code signing and notarization and wrote project documentation for how to use it. (#6)
• Fix to restore working builds with --no-default-features.
• Added notary-list command to print information about recently submitted notarizations to Apple. (#124)
• Fixed a bug where .dSYM/ directories were incorrectly signed as bundles. (#128)
• The sign command has gained a --shallow argument to prevent traversing into nested entities when signing. It currently only prevents traversal into nested bundles. In the future, behavior may be expanded to also exclude signing of additional Mach-O binaries inside bundles, among other potential changes. Ultimately we want this signing mode to converge with the default behavior of Apple's tooling.
• The sign command has gained a --for-notarization argument that attempts to engage and enforce signing settings required for Apple notarization (such as enabling the hardened runtime). The goal of the feature is to cut down on notarization failures after successful signing operations. If you encounter a preventable notarization failure when using this new flag, consider filing a bug report.
• (API) BundleSigner now requires calling collect_nested_bundles() to register child bundles for signing instead of signing all nested bundles by default.
• aws-config 0.57 -> 1.1.
• aws-sdk-s3 0.36 -> 1.10.
• aws-smithy-http 0.57 -> 0.60.
• aws-smithy-types 0.57 -> 1.1.
• goblin 0.7 -> 0.8.
• scroll 0.11 -> 0.12.
• tungstenite 0.20 -> 0.21.
• windows-sys 0.48 -> 0.52.

Apple Codesign 0.26.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• (New feature) On Windows, it is now possible to sign with code signing
  certificates stored in the Windows Certificate Store. The sign command
  (and other commands taking certificate sources) gained --windows-store-name
  and --windows-store-sha1-fingerprint arguments to specify a certificate in
  the Windows Certificate Store to use. New commands
  windows-store-print-certificates and
  windows-store-export-certificate-chain can discover and export certificates
  in the Windows Certificate Store. Feature contributed by El Mostafa Idrassi
  in #111.
• Fixed a bug where a signing without an Apple signed certificate but signing settings contain a team name warning was printed incorrectly.
• We now print a warning when signing using an expired certificate.
• Fixed a bug where sign --code-signature-flags could not be scoped. (#116)

Apple Codesign 0.25.1

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

(The 0.25.0 release had a regression and the release notes for 0.25.0 are folded into this release.)

• (Breaking change) The --extra-digest argument has been removed.
  --digest can now be specified multiple times. --digest is now a
  scoped value.
• (Breaking change) The sign --remote-signer argument has been removed. It
  is now implicitly assumed via presence of a remote session initialization
  argument.
• (Breaking change) Various signing settings no longer inherit to nested
  entities: --entitlements-xml-file, --code-requirements-file,
  --code-resources-file, --code-signature-flags, and --info-plist-file.
  The new behavior is much more conservative about which signing settings
  can be inherited and prevents unexpected results, such as all binaries
  in a bundle sharing the same entitlements or signing flags. Previous signers
  of bundles may find various signing settings disappearing from nested
  bundles or the non-main Mach-O binary within a bundle. It is highly encouraged
  to use the rcodesign diff-signatures command to compare results. If settings
  were dropped, add new scoped CLI arguments or use the new configuration
  file feature to add settings back in to specific paths.
• (New feature) Configuration file support added. TOML based configuration
  files can now define signers and signing settings in named profiles,
  allowing for automatic and near effortless reuse of common configurations.
  See the documentation for more.
• (New feature) Environment constraints support. We now support defining launch
  constraints and library constraints. We don't yet fully understand the
  interactions of constraints and code signing. If using constraints, we
  highly recommend comparing signature output with Apple's tooling to validate
  similar behavior. If you notice discrepancies, please file a GitHub issue!
  (#83)
• Detection of nested bundles now looks for CFBundlePackageType or
  CFBundleIdentifier in bundle Info.plist and ignores bundles
  lacking these. As a result, we no longer attempt signing of storybook
  bundles and other non-signable bundle-looking directories and no
  longer likely encounter errors in the process. (#38)
• CLI arguments for paths are now consistently named --foo-file
  instead of using a mix of --foo-path, --foo-filename, and
  potentially other variants. The old names are still recognized as
  aliases to maintain backwards compatibility.
• Changed heuristic for naming a binary identifier from its path to be
  more similar to Apple's. e.g. foo1.2.dylib will now resolve to foo1
  instead of foo1.2. We still don't use the binary UUID or digest of its
  load commands to compute the binary identifier like Apple does.
• When signing nested Mach-O binaries in a bundle, we now set the binary
  identifier from the filename rather than preserving the identifier in an
  existing signature. This helps ensure identifiers stay in sync and prevents
  bad signatures. (#109)
• print-signature-info now prints the entitlements plist decoded from DER.
  (#75)
• We no longer obtain placeholder time-stamp tokens when estimating the size
  of embedded signatures. Instead, we statically reserve 8192 bytes for the
  token. This may cause signatures to increase in size by a few kilobytes,
  as Apple's TSTs are ~4200 bytes. Signing should now be faster since we avoid
  an excessive network roundtrip. (#4)

Apple Codesign 0.25.0

This release has a CLI argument parsing bug that breaks at lease the remote signing functionality. Please use the 0.25.1 or newer release instead. See the 0.25.1 release for a changelog in the 0.25.x release.

For this reason, binaries were not published for this release.

Apple Codesign 0.24.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Add a macho-universal-create command to assemble single-arch Mach-O
  binaries into a single multi-arch / universal / fat binary. The command
  can be used as a replacement for Apple's lipo -create.
• When signing bundles, the CodeResources file for nested Mach-O binaries
  now emits the code directory hashes for every code directory. Before, if
  a Mach-O contained both SHA-1 and SHA-256 code directories, only the
  SHA-256 hash would be emitted. The new behavior matches Apple's tooling.
  (#95)
• The generate-self-signed-certificate command has gained the --p12-file
  and --p12-password arguments to write a self-signed certificate to a
  PKCS#12 / p12 / PFX file.
• The generate-self-signed-certificate command now supports generating
  RSA certificates. RSA certificates are now the default, to match what
  Apple uses by default.
• Reworked how code requirements expressions are automatically derived.
  This should result in self-signed certificates having correct requirements
  expressions that no longer imply they were signed by Apple's CAs. In
  addition, some Apple signing certificates should now opt into using a
  more appropriate code requirements expression than before. This may have
  fixed validation errors with some signatures. (#99)
• Team name is no longer included in signature when signing with a non
  Apple signed certificate. This matches the behavior of Apple's tools. (#101)
• Fixed a bug where the AnchorCertificateHash code requirements expression
  was being incorrectly formatted as anchor <slot> H"<hash>" instead of
  certificate <slot> = H"<hash>".
• Added awareness of new Apple CA certificates:
  Apple Application Integration CA 7 - G1 Certificate,
  Worldwide Developer Relations - G7, and Worldwide Developer Relations - G8.
• print-signature-info now prints some integer values as strings containing
  both the integer and hex forms. Additional fields are added to help debug
  signature writing.
• Conflicting binary identifiers within a universal Mach-O are now reconciled
  to the initially seen value. This matches the behavior of Apple's tooling
  and fixes a bug where drift between the values could cause bundle validation
  to fail. (#103)
• Fixed a bug where bundle signing would fail to overwrite preexisting state
  in Mach-O binaries, leading to failed signature verification. This likely
  only occurred when attempting to re-sign already signed binaries. (#104)
• When signing bundles, non Mach-O resources files are no longer fully buffered
  in memory to compute their content digests. This can drastically cut down
  on memory usage when signing large resources files. Mach-O binaries are
  still fully buffered in memory. (#45)
• Removed verify warning about insecure code digests. The warning was spurious
  and didn't take into account the nuanced logic for emitting SHA-1 digests.
  (#50)
• cryptographic-message-syntax 0.25 -> 0.26.
• x509-certificate 0.22 -> 0.23.

Apple Codesign 0.23.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Notarization features are now optional and can be controlled via the
  enabled-by-default notarize crate feature. (#78)
• Minimum supported Rust version changed from 1.62.1 to 1.70.0.
• CLI argument parsing has been rewritten to use clap's derive mode
  instead of the builder mode. The intent was to mostly preserve existing
  CLI behavior. However, some minor changes - possibly bugs - may have
  occurred as a result of this refactor.
• AppleCodesignError::AwsS3Error now stores a Box<T>.
• Added a hidden debug-create-macho command for generating Mach-O files.
  The command (and new code behind it) is intended to facilitate writing
  tests of Mach-O signing.
• Added a hidden debug-create-info-plist command for generating Info.plist
  files. The command is intended to be used to facilitate testing.
• The --code-signature-flags argument of the sign command now correctly
  applies multiple values. Before, flags were set to the final specified
  value.
• Added several trycmd based tests for testing CLI and signing behaviors.
  The trycmd tests may download a prebuilt Rust coreutils binary from
  github.com when executing on platforms with prebuilt binaries.
• The --data argument of the extract command is now a positional argument.
• Added a hidden debug-create-code-requirements command for generating
  binary code requirements files. The command is intended to facilitate testing.
• The print-signature-info command should now work on bundles. It may have
  stopped working as part of an upgrade to serde_yaml. The YAML output may
  have changed slightly.
• CodeResources files now emit " instead of " for parity with Apple
  tooling.
• SHA-1 digests are now automatically enabled when signing a Mach-O binary
  without platform targeting. This mimics the behavior of Apple's tooling.
  Before, we would only automatically activate SHA-1 digests when there was
  a Mach-O load command targeting a too-old platform version which didn't
  support SHA-256 digests.
• An empty CMS blob is now automatically added when signing in ad-hoc mode.
  Before, no CMS blob would be present. The new behavior matches that of
  Apple's tooling.
• Code signature data is now aligned to 16 byte boundaries in Mach-O binaries.
  This matches the behavior of Apple tooling.
• HTTP requests now use the operating system's trusted X.509 certificates
  instead of a default set (based off Mozilla's maintained list). This should
  allow connections to HTTP proxies using custom/private certificate authorities
  to work, assuming certificates are installed on the local system. (#85)
• Added a hidden debug-create-entitlements command for generating entitlements
  plist files. The command is intended to facilitate testing.
• The print-signature-info command YAML output now encodes entitlements XML
  as an array of strings for easier readability.
• A custom signing time can now be specified to force using a specific
  time instead of the current time. The CMS signing and settings APIs have
  changed accordingly. The sign command now accepts a --signing-time
  argument to control the signing time.
• The generate-self-signed-certificate command gained a
  --pem-unified-filename argument to write a PEM encoded file containing
  both the private key and public certificate.
• Fixed a bug where files would be identified as Mach-O when they weren't.
• Bundle signing logic has been significantly overhauled to hopefully make
  it conform with Apple tooling's behavior. This likely fixed several bugs
  with bundle signing.
• Fixed a bundle signing bug where overwriting symlinks would incorrectly
  result in an Error: I/O error: File exists (os error 17) or similar.
• When signing bundles, symlinks in directories marked as nested should
  now get properly sealed and installed. (#10)
• When signing bundles, Mach-O binaries outside of nested directories
  (e.g. Libraries/libFoo.dylib) are automatically detected as Mach-O
  binaries and signed. This behavior conforms with our stated behavior of
  recursively signing all signable entities. However, it is incompatible
  with Apple's tooling, which only signs Mach-O binaries located in
  specific directories having the nested flag set. This change should
  result in it just works single command signing of many complex
  bundles.
• Added a hidden debug-file-tree command to print simple directory
  trees. The command is used by snapshot tests to validate bundle signing
  behavior.
• The CLI default log level has been changed to warn. As a result,
  command output is less verbose. -v restores the prior behavior. And
  -vvv is now needed to activate trace logging (previously -vv was
  the highest log level).
• The sign --exclude argument is now honored for Mach-O binaries within
  bundles. Previously, it only applied to bundle paths.
• The default CodeResources rules for bundles lacking a Resources/
  now properly have trailing / on rules referencing .lproj directories.
  Previously, these directories were likely not handled correctly. (#42)
• Fixed a bug where attempting to sign Mach-O binaries having a __TEXT segment
  whose start offset was >0 resulted in a Mach-O segment corruption error.
  We can now properly sign such files. (#91)
• verify command now errors if not given the path of a Mach-O binary.
• verify command now prints a warning that its known to be buggy.
• aws crates 0.53 -> 0.57.
• bitflags 1.3 -> 2.0.
• cryptographic-message-syntax 0.19 -> 0.25.
• dialoguer 0.10 -> 0.11.
• dirs 4.0 -> 5.0.
• elliptic-curve 0.12 -> 0.13.
• goblin 0.6 -> 0.7.
• minicbor 0.19 -> 0.20.
• once_cell 1.16 -> 1.17.
• pkcs1 0.4 -> 0.7.
• p256 0.11 -> 0.13.
• pem 1.1 -> 3.0.
• pkcs8 0.9 -> 0.10.
• rasn 0.6 -> 0.11.
• ring 0.16 -> 0.17.
• rsa 0.7 -> 0.9.
• signature 1.6 -> 2.0.
• spake2 0.3 -> 0.4.
• spki 0.6 -> 0.7.
• tungstenite 0.18 -> 0.20.
• x509-certificate 0.16 -> 0.22.
• yubikey 0.7 -> 0.8.

Apple Codesign 0.22.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Cargo.toml now defines patch version for all dependencies.
• goblin crate upgraded from 0.5 to 0.6.
• App Store Connect API code extracted to its own crate, app-store-connect.
  The new crate lives in the same repository as this one. (#54)

Apple Codesign 0.21.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Embedded entitlements XML is now used when estimating the size of signatures.
  Previously, this data could cause us to not reserve enough space for the
  signature, causing signing to fail. (#32, #40)
• Bundle stapling is now capable of stapling any bundle with a main executable,
  not just app bundles with a main executable. (#41)
• The smartcard-scan, smartcard-generate-key, and smartcard-import
  commons are now always present, even when compiled without the smartcard
  crate feature enabled. The commands will error at runtime if smartcard support
  is not enabled.
• Minimum supported Rust version changed from 1.61.0 to 1.62.1.
• Changed handling of code requirements around bundle signing to hopefully fix
  the sealed resource directory is invalid errors. This should hopefully
  enable signing adhoc app bundles with frameworks. Before, if a Mach-O inside
  a bundle contained no designated requirements, no designated requirements
  were emitted. After, designated requirements are derived automatically from
  the digests of code directories in Mach-O binaries. Additionally, an empty
  designated requirements blob can be emitted. (#44)
• Shallow framework bundles are now properly recognized as such. This fixes
  a common issue with signing iOS bundles. (#46)

Apple Codesign 0.20.0

Release Info

• Documentation
• Known issues and limitations
• Debugging and bug filing instructions

Changelog

• Zip notarization support. APIs and the notary-submit CLI command now recognize
  zip files and will upload them to the Notary API without modifications. Neither
  zip file signing nor stapling are supported. Feature contributed by @deansheather.
  (#20)
• When signing the main binary in a bundle, we now prefer the identifier from
  the bundle's Info.plist over the identifier already present in the Mach-O.
  This ensures that the identifier is consistent across multiple Mach-O in a
  fat/universal binary and is consistent with the value advertised in the
  Info.plist. (#12, #22)
• It is now possible to sign Mach-O binaries where the __LINKEDIT segment
  wasn't the final advertised segment in Mach-O headers. Previously, a
  __LINKEDIT isn't final Mach-O segment error would occur when attempting to
  sign a Mach-O whose headers declared a __LINKEDIT segment before other
  segments, even if __LINKEDIT was truly at the highest file offset. (This
  scenario is common in Go binaries.) (#17)
• The --pem-source argument can now decode PKCS#1 private keys as encoded
  with RSA PRIVATE KEY. Previously, an unhandled PEM tag RSA PRIVATE KEY; ignoring warning would have been printed. (#26)
• Most code from main.rs has been moved into cli.rs so it is part of the
  library.
• aws-config, aws-smithy-http upgraded from 0.47 -> 0.49.
• aws-sdk-s3 upgraded from 0.17 -> 0.19.
• clap upgraded from 3.1 -> 4.0. This entailed a lot of code changes to
  argument parsing. Argument parsing behavior should be backwards compatible
  (unless otherwise documented in this section) and any change in behavior is
  a bug.