Add codesign (#2609)

* add codesign * add spellcheck for PR only * excluding problematic file
OWASP · Apr 28, 2024 · 5354699 · 5354699
1 parent 85e4830
commit 5354699
Show file tree

Hide file tree

Showing 7 changed files with 50 additions and 6 deletions.
diff --git a/.github/workflows/spell-checker-pr.yml b/.github/workflows/spell-checker-pr.yml
@@ -0,0 +1,29 @@
+name: Spell Checker (PR)
+
+on:
+  pull_request:
+
+jobs:
+  codespell:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Get Changed Files from Pull Request
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # get file names and seperate them with space ' '
+          files=$(gh pr diff ${{ github.event.pull_request.number }} --name-only | xargs -I {} sh -c 'echo "./{}"' | tr '\n' ' ')
+          echo "CHANGED_FILES=$files" >> "$GITHUB_ENV"          
+
+      - name: Output Changed Files
+        run: echo ${{ env.CHANGED_FILES }}
+
+      - name: Check for Spelling Errors for Changed Files
+        uses: codespell-project/actions-codespell@master
+        with:
+          check_filenames: true
+          skip: "*.json,*.yml,*.apk,*.ipa,*.svg"
+          ignore_words_list: "aas,aaS,ba,bund,compliancy,firt,ist,keypair,ligh,Manuel,Manual,ro,ser,synopsys,theses,zuser,lief"
+          path: ${{ env.CHANGED_FILES }}
diff --git a/.github/workflows/spell-checker.yml b/.github/workflows/spell-checker.yml
@@ -2,7 +2,6 @@ name: Spell Checker
 
 on:
   workflow_dispatch:
-  pull_request:
   push:
     branches:
       - master
@@ -16,3 +15,4 @@ jobs:
         with:
           ignore_words_list: "aas,aaS,ba,bund,compliancy,firt,ist,keypair,ligh,Manuel,Manual,ro,ser,synopsys,theses,zuser,lief"
           skip: "*.json,*.yml,*.apk,*.ipa,*.svg"
+          exclude_file: docs/contributing.md
diff --git a/techniques/ios/MASTG-TECH-0084.md b/techniques/ios/MASTG-TECH-0084.md
@@ -9,7 +9,7 @@ Coming from a Linux background you'd expect the `ptrace` system call to be as po
 
 ## Debugging with LLDB
 
-The default debugserver executable that Xcode installs can't be used to attach to arbitrary processes (it is usually used only for debugging self-developed apps deployed with Xcode). To enable debugging of third-party apps, the `task_for_pid-allow` entitlement must be added to the debugserver executable so that the debugger process can call `task_for_pid` to obtain the target Mach task port as seen before. An easy way to do this is to add the entitlement to the [debugserver binary shipped with Xcode](http://iphonedevwiki.net/index.php/Debugserver "Debug Server on the iPhone Dev Wiki").
+The default debugserver executable that Xcode installs can't be used to attach to arbitrary processes (it is usually used only for debugging self-developed apps deployed with Xcode). To enable debugging of third-party apps, the `task_for_pid-allow` entitlement must be added to the debugserver executable so that the debugger process can call `task_for_pid` to obtain the target Mach task port as seen before. An easy way to do this is to add the entitlement to the [debugserver binary shipped with Xcode](https://web.archive.org/web/20190223224236/https://iphonedevwiki.net/index.php/Debugserver "Debug Server on the iPhone Dev Wiki").
 
 To obtain the executable, mount the following DMG image:
 
@@ -36,7 +36,7 @@ You'll find the debugserver executable in the `/usr/bin/` directory on the mount
 </plist>
 ```
 
-Apply the entitlement with codesign:
+Apply the entitlement with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"):
 
 ```bash
 codesign -s - --entitlements entitlements.plist -f debugserver

diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md
@@ -21,7 +21,7 @@ Next, we need to make sure that the Bundle ID in `Info.plist` matches the one sp
 
 ## Re-Signing
 
-Finally, we use the codesign tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.
+Finally, we use the [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign") tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`.
 
 ```bash
 $ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature

diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md
@@ -13,7 +13,7 @@ masvs_v1_levels:
 
 ## Static Analysis
 
-You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html "Code Signing Tasks"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
+You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system.
 
 After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be.
 

diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md
@@ -15,7 +15,7 @@ masvs_v1_levels:
 
 Inspect the app entitlements and check the value of `get-task-allow` key. If it is set to `true`, the app is debuggable.
 
-Using codesign:
+Using [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"):
 
 ```bash
 $ codesign -d --entitlements - iGoat-Swift.app

diff --git a/tools/ios/MASTG-TOOL-0101.md b/tools/ios/MASTG-TOOL-0101.md
@@ -0,0 +1,15 @@
+---
+title: codesign
+platform: ios
+source: https://www.unix.com/man-page/osx/1/codesign/
+---
+
+The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide.
+
+Learn more:
+
+- ["Examining a Code Signature"](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW10)
+- ["Signing Code Manually"](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW3) in Apple's Code Signing Guide
+- [Using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format)
+- [codesign manpage](https://www.unix.com/man-page/osx/1/codesign/)
+- [codesign source code](https://opensource.apple.com/source/Security/Security-55471/sec/Security/Tool/codesign.c.auto.html)