Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Notes about apple code signing for developers #72

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
+127 −0
Draft

Notes about apple code signing for developers #72

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
fe3b4b6
Notes about apple code signging for developers
directionless Oct 14, 2020
a96496d
Update docs/codesigning-for-apple-developers.md
directionless Jan 25, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 127 additions & 0 deletions docs/codesigning-for-apple-developers.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,127 @@
# Codesigning for Apple Developers

With the introduction of Apple's EndpointSecurity framework ([PR
6467](https://github.com/osquery/osquery/pull/6467), we've started to
need entitlements, profiles, and codesigning. Even in development.

As I understand Apple's model:
1. apps/packages/etc are signed by certs.
2. There are _many_ different flavors of certificate. For our
purposes, the ones that matter:
- Developer ID Installer: Privileged. Allows installer distribution
outside the app store.
- Developer ID Application: Privileged. Allows app distribution
outside the app store.
- Apple Development / Mac Development: Developer. Allows signing
development versions.
3. The privileged ones, coupled with an entitlements file allow
osquery to work.
4. The developer ones _also_ require a profile, which only works on
macs identified by uuid.
- `select uuid from system_info`
5. Apple accounts can have members that are `developers`. These
members can create personal developer certificates, but cannot
create distribution ones. Cannot adjust devices. Cannot adjust
profiles. According, it should be pretty reasonable to add osquery
developers to the account.

## Process for adding a new developer

_*Note*: This is for adding a new developer to the account. This
should not grant distribution permission, but they should still be somewhat trusted._

Create a foundation ticket for general tracking and details. If any of
this is considered private, consider using slack to communicate
details.

We will need the email address for their apple account. They can
create a new one, or use an existing one. This should be a
human. Apple does not like role accounts.

We need their test machine[s] uuid. This can be gathered with `select
uuid from system_info;`

### Admin Actions

Login to https://developer.apple.com/

Under `Certificates, Identifiers & Profiles` find `Devices`. Add their
uuid. Name the device something reasonable.

Find the people tab, it will take you to App Store Connect

Add them as a `Developer` Check the box to allow access to
certificates.

### Developer Actions

Xcode might be able to do this for you. These are manual instructions.

Use `Certificate Assistant`:
1. Open `Keychain Access`
2. `Keychain Access` menu -> `Certificate Assistent` -> `Request a Certificate from a CA`
3. Use your apple id email address (might not matter)
4. Maybe sure it's saved to disk
5. Save the CSR somewhere

Login to https://developer.apple.com/

You should have access to the osquery account, `3522FA9PXF`. If you
have multiple accounts, it will be in the top right pulldown.

Click `Certificates, Identifiers & Profiles` and create a certificate.

You'll want either an `Apple Development` or a `Mac Development`
certificate.

Upload the CSR generated earlier.

You should now be able to download the certificate.

### Back to the Admin

Now the admin will have to add the developer and the device to the
profile. Or create one specific to this developer. Probably doesn't
matter much.

### Back to the developer

Finally, you can download a profile. This needs to be installed on the
machines to allow the machine to trust the code signing.

## How to Use Endpoint Security

_*NOTE*: you need to be building on catalina or later_

Build something. This is using some demo esf code:

Cannot run without any signatures:

``` shell
$ ./endpointsecurity
client lacks entitlement
```


Code sign without entitlements

``` shell
$ codesign --force -s "${CODESIGN_IDENTITY}" -v --options runtime,library --timestamp ./endpointsecurity

$ ./endpointsecurity
client lacks entitlement
```

Finally, with entitlements.

``` shell
$ codesign --force -s "${CODESIGN_IDENTITY}" -v --options runtime,library --timestamp --entitlements endpointsecurity.entitlements ./endpointsecurity

$ ./endpointsecurity.entitled
Killed: 9
```


Oh no! We still need to install the profile authorizing this host.

Still `killed: 9`