From 5354699d4d9839e00843e7f4b7afa441c3968307 Mon Sep 17 00:00:00 2001 From: Carlos Holguera Date: Sun, 28 Apr 2024 11:12:14 +0200 Subject: [PATCH] Add codesign (#2609) * add codesign * add spellcheck for PR only * excluding problematic file --- .github/workflows/spell-checker-pr.yml | 29 +++++++++++++++++++ .github/workflows/spell-checker.yml | 2 +- techniques/ios/MASTG-TECH-0084.md | 4 +-- techniques/ios/MASTG-TECH-0092.md | 2 +- tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md | 2 +- tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md | 2 +- tools/ios/MASTG-TOOL-0101.md | 15 ++++++++++ 7 files changed, 50 insertions(+), 6 deletions(-) create mode 100644 .github/workflows/spell-checker-pr.yml create mode 100644 tools/ios/MASTG-TOOL-0101.md diff --git a/.github/workflows/spell-checker-pr.yml b/.github/workflows/spell-checker-pr.yml new file mode 100644 index 0000000000..4114fcd710 --- /dev/null +++ b/.github/workflows/spell-checker-pr.yml @@ -0,0 +1,29 @@ +name: Spell Checker (PR) + +on: + pull_request: + +jobs: + codespell: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - name: Get Changed Files from Pull Request + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # get file names and seperate them with space ' ' + files=$(gh pr diff ${{ github.event.pull_request.number }} --name-only | xargs -I {} sh -c 'echo "./{}"' | tr '\n' ' ') + echo "CHANGED_FILES=$files" >> "$GITHUB_ENV" + + - name: Output Changed Files + run: echo ${{ env.CHANGED_FILES }} + + - name: Check for Spelling Errors for Changed Files + uses: codespell-project/actions-codespell@master + with: + check_filenames: true + skip: "*.json,*.yml,*.apk,*.ipa,*.svg" + ignore_words_list: "aas,aaS,ba,bund,compliancy,firt,ist,keypair,ligh,Manuel,Manual,ro,ser,synopsys,theses,zuser,lief" + path: ${{ env.CHANGED_FILES }} diff --git a/.github/workflows/spell-checker.yml b/.github/workflows/spell-checker.yml index d719450ba3..1e32962374 100644 --- a/.github/workflows/spell-checker.yml +++ b/.github/workflows/spell-checker.yml @@ -2,7 +2,6 @@ name: Spell Checker on: workflow_dispatch: - pull_request: push: branches: - master @@ -16,3 +15,4 @@ jobs: with: ignore_words_list: "aas,aaS,ba,bund,compliancy,firt,ist,keypair,ligh,Manuel,Manual,ro,ser,synopsys,theses,zuser,lief" skip: "*.json,*.yml,*.apk,*.ipa,*.svg" + exclude_file: docs/contributing.md diff --git a/techniques/ios/MASTG-TECH-0084.md b/techniques/ios/MASTG-TECH-0084.md index 274faac97d..2bd646951e 100644 --- a/techniques/ios/MASTG-TECH-0084.md +++ b/techniques/ios/MASTG-TECH-0084.md @@ -9,7 +9,7 @@ Coming from a Linux background you'd expect the `ptrace` system call to be as po ## Debugging with LLDB -The default debugserver executable that Xcode installs can't be used to attach to arbitrary processes (it is usually used only for debugging self-developed apps deployed with Xcode). To enable debugging of third-party apps, the `task_for_pid-allow` entitlement must be added to the debugserver executable so that the debugger process can call `task_for_pid` to obtain the target Mach task port as seen before. An easy way to do this is to add the entitlement to the [debugserver binary shipped with Xcode](http://iphonedevwiki.net/index.php/Debugserver "Debug Server on the iPhone Dev Wiki"). +The default debugserver executable that Xcode installs can't be used to attach to arbitrary processes (it is usually used only for debugging self-developed apps deployed with Xcode). To enable debugging of third-party apps, the `task_for_pid-allow` entitlement must be added to the debugserver executable so that the debugger process can call `task_for_pid` to obtain the target Mach task port as seen before. An easy way to do this is to add the entitlement to the [debugserver binary shipped with Xcode](https://web.archive.org/web/20190223224236/https://iphonedevwiki.net/index.php/Debugserver "Debug Server on the iPhone Dev Wiki"). To obtain the executable, mount the following DMG image: @@ -36,7 +36,7 @@ You'll find the debugserver executable in the `/usr/bin/` directory on the mount ``` -Apply the entitlement with codesign: +Apply the entitlement with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"): ```bash codesign -s - --entitlements entitlements.plist -f debugserver diff --git a/techniques/ios/MASTG-TECH-0092.md b/techniques/ios/MASTG-TECH-0092.md index a0f8d0ea16..d3fd6c9472 100644 --- a/techniques/ios/MASTG-TECH-0092.md +++ b/techniques/ios/MASTG-TECH-0092.md @@ -21,7 +21,7 @@ Next, we need to make sure that the Bundle ID in `Info.plist` matches the one sp ## Re-Signing -Finally, we use the codesign tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. +Finally, we use the [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign") tool to re-sign both binaries. You need to use _your own_ signing identity (in this example 8004380F331DCA22CC1B47FB1A805890AE41C938), which you can output by executing the command `security find-identity -v`. ```bash $ rm -rf Payload/UnCrackable\ Level\ 1.app/_CodeSignature diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md index 48167c44c9..78c2f9f850 100644 --- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md +++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0081.md @@ -13,7 +13,7 @@ masvs_v1_levels: ## Static Analysis -You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html "Code Signing Tasks"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. +You have to ensure that the app is [using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format). You can retrieve the signing certificate information from the application's .app file with [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"). Codesign is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system. After you get the application's IPA file, re-save it as a ZIP file and decompress the ZIP file. Navigate to the Payload directory, where the application's .app file will be. diff --git a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md index fee4fbc2fc..6a1e5c183a 100644 --- a/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md +++ b/tests/ios/MASVS-RESILIENCE/MASTG-TEST-0082.md @@ -15,7 +15,7 @@ masvs_v1_levels: Inspect the app entitlements and check the value of `get-task-allow` key. If it is set to `true`, the app is debuggable. -Using codesign: +Using [codesign](../../../tools/ios/MASTG-TOOL-0101.md "codesign"): ```bash $ codesign -d --entitlements - iGoat-Swift.app diff --git a/tools/ios/MASTG-TOOL-0101.md b/tools/ios/MASTG-TOOL-0101.md new file mode 100644 index 0000000000..2b5058d5b0 --- /dev/null +++ b/tools/ios/MASTG-TOOL-0101.md @@ -0,0 +1,15 @@ +--- +title: codesign +platform: ios +source: https://www.unix.com/man-page/osx/1/codesign/ +--- + +The codesign tool is primarily used to create, verify, and display code signatures, and to query the dynamic status of signed code in the system. Although Xcode typically automates the process of signing code during builds and before distribution, there are scenarios where manual intervention with codesign is required. This can include inspecting or verifying the details of an app's code signature, or manually re-signing an app. For more detailed tasks such as these, you can use the codesign command line tool directly, as described in Apple's Code Signing Guide. + +Learn more: + +- ["Examining a Code Signature"](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW10) +- ["Signing Code Manually"](https://developer.apple.com/library/archive/documentation/Security/Conceptual/CodeSigningGuide/Procedures/Procedures.html#//apple_ref/doc/uid/TP40005929-CH4-SW3) in Apple's Code Signing Guide +- [Using the latest code signature format](https://developer.apple.com/documentation/xcode/using-the-latest-code-signature-format) +- [codesign manpage](https://www.unix.com/man-page/osx/1/codesign/) +- [codesign source code](https://opensource.apple.com/source/Security/Security-55471/sec/Security/Tool/codesign.c.auto.html)