iphone代码签名


iphone 2.0 firmware 需要CHECK每个应用程序的签名,如果不通过,就会自动KILL.由于校验机制做到了内核中很多地方,简单的给内核打补丁很难解决.

1. codesign利用apple sdk的工具进行self-sign
mac$ export CODESIGN_ALLOCATE=/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin/codesign_allocate mac$ codesign -fs "CertificateName" ProgramName
参考下述APPLE文档如何创建自签名证书.
http://developer.apple.com/documentatio … ion_2.html

2. ldid
在你的IPHONE上用Cydia安装ldid, 然后运行
ldid -S programname

[自己找到xcode的编译目录build/Release-iphoneos目录 将程序包用WinSCP之类的工具传到iphone的Applications目录
然后做数字签名:
  1.需要先在iphone安装ldid,命令行:  apt-get install ldid
  2.然后签名,命令行:  ldid -S YouProgramName
你的程序就可以拷出来安装到其他破解的2.0的iphone上了]

3.sysctl

我在机器上试了1和2都没有作用,只有这种可以让我的程序运行,不过这个是有其他影响的,不过可以很容易恢复,或者简单重启就行了.
取消codesign check:
sysctl -w security.mac.proc_enforce=0
sysctl -w security.mac.vnode_enforce=0
恢复codesign check:
sysctl -w security.mac.proc_enforce=1
sysctl -w security.mac.vnode_enforce=1

 

代码签名的原理

其实代码签名是一个比较通用的技术,而底层实现都是使用RSA不对称加密的原理,数学原理就不在此赘述,RSA密钥体系中,有一个公钥和一个私钥,公钥是公开出去的,私钥自己保存。数字签名一般是这样的,先对文件做摘要如MD5的散列,然后使用你自己的私钥对这个散列码进行加密,并和文件合并在一起。
这样当其他人获得这个文件的时候,使用签名者的公钥对报文进行解密,然后和文件的MD5散列进行比较,这样既保证了来源的可靠性也保证了数据的完整性。

用过诺基亚的高端智能手机的人也许知道“给软件签名”这个说法,否则设备不会接受这个软件,代码签名主要是为了保证代码的安全性,没有恶意或不安全的代码。
代码签名确保代码的真实以及明确识别代码的来源。在代码运行在一个开发系统以前,以及在代码提交到Apple发布以前,Apple要求所有的的应用程序都必须进行数字签名。另外,Apple在发布每一个应用程序之前都要添加他自己的数字签名。

Signing Code For iPhone Development


(iPhone开发中的代码签名)

Code signing ensures the integrity of code and positively identifiesthe originator of the code. Apple requires all iPhone applications tobe digitally signed before they can be run on a development system andbefore they are submitted to Apple for distribution. In addition, Appleadds its own digital signature to each application before distributingit.

(代码签名可以用来保证代码的完善并确定代码的开发者。Apple需要所有的iPhone程序在他们运行在开发系统或者上传到apple发布的时候都需要数字签名。另外apple在发布的时候也会添加自己的数字签名。)

 

Digital Signatures and Signing Identities

(数字签名和数字身份)

Apple requires that all iPhone applications be digitally signed with asigning certificate issued by Apple to a registered iPhone developer.This signature authenticates the identity of the developer of theapplication and ensures that the application has not been modified orcorrupted since it was signed.

(Apple需要所有的注册开发人员对自己的iPhone应用程序使用数字签名技术。这个签名是用来标识应用程序的开发者以及保证应用程序在签名之後不被更改和损坏。)

Digital signatures require the use of two distinct but mathematically-related encryption keys known as a public key and a private key.The private key is used in the signing process, and the public key isused to verify the signature. The public key is stored in the signingcertificate; the private key is stored separately. This combination ofa certificate and related private key is called a digital identity or signing identity.

(数字签名需要使用两个密钥一个是公钥一个是私钥。私钥是使用在签名过程中,公钥是用来核实签名的。公钥保存在签名证书中,私钥是保存在其他地方。这个签名的证书合称数字身份或者签名认证。)

To obtain a signing identity for iPhone development, you use theCertificate Assistant in the Keychain Access utility to create aCertificate Signing Request (CSR), which you submit for approval usingthe Program Portal of the iPhone Developer Program. When your requestis approved, you download the certificate file and double-click toinstall it in your keychain. What may not be apparent in this procedureis that when you use the Certificate Assistant utility to generate aCSR, it automatically generates a public-private key pair. It includesthe public key in the certificate request sent to Apple and stores theprivate key in your keychain.

(要获得iPhone开发的签名认证,你可以使用Keychain Access工具中的证书代理(Certificate Assistant)来创建一个证书签名请求(CSR),当你想iPhone程序上传的时候,你需要使用开发执照去创建一个证书签名请求(CSR)。当你的请求被核实了,你就可以下载你的证书程序并安装起来。在你使用证书创建CSR的时候会自动创建一个公钥/私钥对,公钥包含在证书签名请求中发送到Apple,私钥被保存在密码包中。)

When you download and install the signing certificate, the KeychainAccess utility associates it with the private key, thus creating asigning identity. To see your certificates with their associatedprivate keys, open the Keychain Access utility and click MyCertificates in the Category pane.

(当你下载并安装了签名证书,Keychain Access工具会用私钥关联这个证书,创建一个签名标识。要查看你的证书和你的密钥,你可以打开Keychain Access然後在Category面板中点击我的证书。)

When you install a signed application on your provisioned device, theiPhone OS verifies the signature to make sure the application wassigned by you and has not been altered since it was signed. If thesignature is not valid or if the code was not signed by you, the iPhoneOS will not let the application run.

(当你在你的设备中安装了签名程序後,iPhone 操作系统会核实这个签名来查看这个应用程序是否被改变。如果这个签名不是有效的,并且不是你创建的,那么iPhone操作系统将不会让这个程序运行。)

Similarly, when you send your application to Apple for approval anddistribution, you must sign the application using your signing identityand send your signing certificate along with the application. (You do notsend your private key to Apple.) Apple then verifies the signature tobe sure that the code came from a registered developer (you) and hasnot been corrupted. Finally, Apple signs your signed application withits own signing certificate. Only then can your application run on aniPhone or iPod Touch other than your development device. This policyenables the owners of these devices to be secure in the knowledge thatthe applications they download from iTunes have been written byregistered developers and have not been altered since they were created.

(相对的,当你向Apple传送了你的应用程序後,你需要使用的你的签名证书为你的应用程序签名,并连同你签名证书的应用程序上传到Apple。(不要发送密钥)然後Apple就会核实这个应用程序是来自于一个认证的开发人员,并保证这个程序没有损坏。最後,Apple会创建拥有你签名的应用程序。这样你的应用程序才可以在其他的iPhone和iPod Touch中运行起来。这样就可以很好的保证了你开发人员的只是并确定这个应用程序是由一个认证的开发人员编写的并没有被其他人修改过。)

Copying a Signing Identity To Another Computer

(把签名证书拷贝到其他计算机)

If you wantto use more than one computer for development (for example, yourdesktop computer in the office and your laptop at home), you need tohave your signing identity on both computers. Because the signingcertificate file you downloaded from the Program Portal does notinclude your private key, just copying this file to the second computeris not sufficient. Instead, use the Export Items menu item in the Filemenu of Keychain Access to export both the certificate and private keyas a Personal Information Exchange (.p12) file and copy that file tothe second computer. Double-click the file to install the certificateand key in the keychain.

(如果你想要使用不只是一台计算机用于开发(举个例子,你的个人电脑在办公室,你的笔记本电脑在家里。),你需要在这两台计算机上都装有证书。因为你从Program Portal里面下载的签名证书不包含你的私钥,她只是简单的复制到另外一个机器上的话是不好的。取而代之的是,使用Keychain Access中的File菜单的Export项目来导出证书和私钥作为个人信息导出(.p12)文件然後再把它应用到第二胎计算机。)双击文件就可以在新的机器上安装了。)

Keeping Your Private Key Safe and Secure

(保证你私钥的安全和稳定)

Thissystem is very secure as long as you keep your signingidentity—especially your private key—secure. However, if anyunauthorized person has access to your signing certificate and privatekey, then they can alter your application and sign the altered code, orthey can write their own application and present it as yours.Therefore, the physical security of your private key is essential toprevent malicious use of your software and your identity.

(这个系统的安全取决与你保存你的个人签名和你私钥的安全程度。然而,如果其他非法人员破解了你的签名证书和私钥,他们能够改变你的代码,或者他们会用他们的应用程序来冒充你的。因此,你的密钥的安全程序是保证你的软件和证书安全的根本。)

Beforeobtaining a signing identity and proceeding to sign code, you mustdetermine who within your company should possess the identity, who canuse it, and how to keep it safe. For example, if the identity must beused by more than one person, you can keep it in the keychain of asecure computer and give the password of the keychain only toauthorized users, or you can put the identity on a smart card to whichonly authorized users have the PIN.

(在你或者签名证书并用来签名你的代码的时候,你需要决定给你们公司内谁创建,使用证书,以此来保证她的其安全。举个例子,如果证书可以被许多人使用,那你可以把你的证书放在一个带有密码的安全的计算机中,只有授权的人可以访问。或者你可以把它放在一个拥有PIN的密码的智能卡中。)

By default, your keychainpassword is the same as your login password, and your keychain remainsunlocked as long as you are logged in to your computer. This is akin toleaving your car keys on a table next to the back door, and leaving theback door unlocked all day. The fact that it requires a key to startyour car is no protection against car theft if you don’t keep the carkey secure.

(默认的你的keychain的密码和你的登陆密码是一样的,keychain会保持打开状态直到你注销你的计算机。这个你把你的车钥匙放在桌子上,然後保持後门开着。如果你不看好你的钥匙,偷车戝就会有机会去偷你的车。)

To provide some security for the signing identitiesand other valuable secrets stored in your keychain, you should adopt atleast the following measures:Set your keychain to lockitself when not in use: in the Keychain Access utility, choose Edit> Change Settings for Keychain, and check both Lock checkboxes.

(为了保证你的证书的安全和保存在keychain中的其他私有信息的安全性,建议你做如下的一些设置:当keychain不使用的时候让他自动锁定:在Keychain Access中选择 Edit> Change Settings for Keychain,然後选择both Lock多选框。)

Usea different password for your keychain than your login password: InKeychain Access utility, choose Edit > Change Password to changeyour keychain's password. Click the lock icon in the Change Passworddialog to get the password assistant, which tells you how secure yourpassword is and can suggest passwords. Be sure to pick one you canremember—don't write it down anywhere.

(为你的keychain使用不同于你的登陆密码:在Keychain Access中选择Edit > Change Password来改变你的keychain的密码。在Change Password面板中选择锁的图标,他会告诉你你的密码的安全程度,并建议你使用的密码。记住你的选择不要写在其他地方。)

In addition, provide physical security for your computers to prevent unauthorized people from gaining access to them.

(为你的计算机提供物理的安全保障他不被非授权人员打开计算机。)

Aswith any other important data, you should keep a backup of your signingidentity in a safe place. You can put it in the keychain of anothersecure computer, or you can store it on an encrypted CD or in anencrypted disk image in the form of a Personal Information Exchange(.p12) file. Just be sure that all the passwords you use are strong andthat all the computers you use for this purpose are kept physicallysecure, with access limited to a few trusted individuals.

(对于其他一些重要的信息,你需要为他们做一个备份并放在一个安全的地方。你可以把它放在其他安全的计算机,或者加密的CD中。确定所有的密码都足够健壮,哪台存放密码的计算机足够安全,并授权给一些信用很高的个体。)

Where to Start

(从那里开始)
Proceduresfor obtaining and installing a signing identity are detailed in theProgram Portal on the iPhone Developer Program website. Click theProgram Portal icon near the top-right corner of the iPhone DevCenterpage (you have to be logged in to make this link active).
(在iPhone开发人员的网站桑有详细的安装获得签名证书的过程。选择Program Portal图标(确保你在登陆的情况下。))