//
// Sign a binary that has no notion of architecture.
// That currently means anything that isn't Mach-O format.
//
void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context &context)
{
// non-Mach-O executable - single-instance signing
RefPointer<DiskRep::Writer> writer = state.mDetached ?
(new DetachedBlobWriter(*this)) : rep->writer();
CodeDirectory::Builder builder(state.mDigestAlgorithm);
InternalRequirements ireqs;
ireqs(state.mRequirements, rep->defaultRequirements(NULL, state), context);
populate(*writer);
populate(builder, *writer, ireqs, rep->signingBase(), rep->signingLimit());
// add identification blob (made from this architecture) only if we're making a detached signature
if (state.mDetached) {
CFRef<CFDataRef> identification = rep->identification();
writer->component(cdIdentificationSlot, identification);
}
CodeDirectory *cd = builder.build();
CFRef<CFDataRef> signature = signCodeDirectory(cd);
if (!state.mDryRun) {
writer->codeDirectory(cd);
writer->signature(signature);
writer->flush();
}
::free(cd);
}
//
// Remove any existing code signature from code
//
void SecCodeSigner::Signer::remove(SecCSFlags flags)
{
// can't remove a detached signature
if (state.mDetached)
MacOSError::throwMe(errSecCSNotSupported);
rep = code->diskRep();
if (Universal *fat = state.mNoMachO ? NULL : rep->mainExecutableImage()) {
// architecture-sensitive removal
MachOEditor editor(rep->writer(), *fat, kSecCodeSignatureNoHash, rep->mainExecutablePath());
editor.allocate(); // create copy
editor.commit(); // commit change
} else {
// architecture-agnostic removal
RefPointer<DiskRep::Writer> writer = rep->writer();
writer->remove();
writer->flush();
}
}