{"id":35795,"date":"2022-05-07T15:43:00","date_gmt":"2022-05-07T19:43:00","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=35795"},"modified":"2025-10-11T12:17:50","modified_gmt":"2025-10-11T16:17:50","slug":"inside-code-signing-technotes","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2022\/05\/07\/inside-code-signing-technotes\/","title":{"rendered":"Inside Code Signing Technotes"},"content":{"rendered":"<p><a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3125-inside-code-signing-provisioning-profiles\">TN3125: Provisioning Profiles<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3125-inside-code-signing-provisioning-profiles\"><p>A macOS app can claim certain entitlements without them being authorized by a provisioning profile.  These <em>unrestricted entitlements<\/em> include:<\/p><ul><li><p><code>com.apple.security.get-task-allow<\/code><\/p><\/li><li><p><code >com.apple.security.application-groups<\/code><\/p><\/li><li><p>Those used to enable and configure the <a href=\"https:\/\/developer.apple.com\/documentation\/security\/app_sandbox\">App Sandbox<\/a><\/p><\/li><li><p>Those used to configure the <a href=\"https:\/\/developer.apple.com\/documentation\/security\/hardened_runtime\">Hardened Runtime<\/a><\/p><\/li><\/ul><p>In contrast, <em>restricted entitlements<\/em> must be authorized by a provisioning profile.  This is an important security feature on macOS.  For example, the fact that the <code>keychain-access-groups<\/code> entitlement must be authorized by a profile means that other developers can&rsquo;t impersonate your app in order to steal its keychain items.<\/p>\n<p>[&#8230;]<\/p>\n<p>Modern systems no longer treat the profile&rsquo;s property list as the source of truth.  
Rather, they use the binary form of the profile stored in the profile&rsquo;s <code>DER-Encoded-Profile<\/code> property[&#8230;]<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3126-inside-code-signing-hashes\">TN3126: Hashes<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3126-inside-code-signing-hashes\"><p>Every now and again an issue crops up where you actually need to understand how code signing works.  For example:<\/p><ul><li><p><a href=\"https:\/\/developer.apple.com\/documentation\/Xcode\/using-the-latest-code-signature-format\">Using the Latest Code Signature Format<\/a> has a diagnostic process that involves code signing hash slots.  While that process is actionable in and of itself, it makes more sense if you know what those hash slots hold.<\/p><\/li><li><p>The issue covered by <a href=\"https:\/\/developer.apple.com\/documentation\/security\/updating_mac_software\">Updating Mac Software<\/a> makes more sense once you understand code signing&rsquo;s lazy per-page signature checking.<\/p><\/li><\/ul><p>This technote explains how code signing uses hashes to protect the code&rsquo;s executable pages, resources, and metadata from tampering. This technology is absolutely central to code signing&rsquo;s core function: protecting code from malicious modification.<\/p><\/blockquote>\n\n<p><a href=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3127-inside-code-signing-requirements\">TN3127: Requirements<\/a>:<\/p>\n<blockquote cite=\"https:\/\/developer.apple.com\/documentation\/technotes\/tn3127-inside-code-signing-requirements\"><p>However, in some cases requirements are important, especially on macOS.  For example:<\/p><ul><li><p>If you&rsquo;re building an XPC service, you might want to restrict it to specific clients.  
The best way to do this is by setting a code signing requirement on the connection with <code>xpc_connection_set_peer_code_signing_requirement<\/code>.  But what requirement to use?<\/p><\/li><li><p>When working with privacy-protected resources on macOS, like the microphone, you might find that the system fails to remember your choices during development.<\/p><\/li><li><p>You might find that the keychain presents unexpected authorization alerts when you deploy your app through a new channel, like TestFlight.<\/p><\/li><\/ul><\/blockquote>\n\n<p>Previously:<\/p>\n<ul>\n<li><a href=\"https:\/\/mjtsai.com\/blog\/2022\/02\/09\/new-apple-technotes\/\">New Apple Technotes<\/a><\/li>\n<\/ul>","protected":false},"excerpt":{"rendered":"<p>TN3125: Provisioning Profiles: A macOS app can claim certain entitlements without them being authorized by a provisioning profile. These unrestricted entitlements include:com.apple.security.get-task-allowcom.apple.security.application-groupsThose used to enable and configure the App SandboxThose used to configure the Hardened RuntimeIn contrast, restricted entitlements must be authorized by a provisioning profile. This is an important security feature on macOS. 
For [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"apple_news_api_created_at":"2022-05-07T19:43:03Z","apple_news_api_id":"b6cbf755-9544-4cb2-8f46-4160482aa26d","apple_news_api_modified_at":"2023-12-06T19:22:01Z","apple_news_api_revision":"AAAAAAAAAAAAAAAAAAAAAA==","apple_news_api_share_url":"https:\/\/apple.news\/Atsv3VZVETLKPRkFgSCqibQ","apple_news_coverimage":0,"apple_news_coverimage_caption":"","apple_news_is_hidden":false,"apple_news_is_paid":false,"apple_news_is_preview":false,"apple_news_is_sponsored":false,"apple_news_maturity_rating":"","apple_news_metadata":"\"\"","apple_news_pullquote":"","apple_news_pullquote_position":"","apple_news_slug":"","apple_news_sections":"\"\"","apple_news_suppress_video_url":false,"apple_news_use_image_component":false,"footnotes":""},"categories":[4],"tags":[466,164,2518,31,2078,1583,30,2077,71,2848,1473],"class_list":["post-35795","post","type-post","status-publish","format-standard","hentry","category-programming-category","tag-codesigning","tag-documentation","tag-entitlements","tag-ios","tag-ios-15","tag-keychain","tag-mac","tag-macos-12","tag-programming","tag-provisioning-profiles","tag-xpc"],"apple_news_notices":[],"_links":{"self":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35795","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/comments?post=35795"}],"version-history":[{"count":1,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35795\/revisions"}],"predecessor-version":[{"id":35796,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/posts\/35795\/revisions\/35796"}],"wp:attachment":[{"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/media?parent=35795"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/categories?post=35795"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mjtsai.com\/blog\/wp-json\/wp\/v2\/tags?post=35795"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
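The TN3126 excerpt quoted in the post above says that code signing protects executable pages with hashes and that the kernel checks those hashes lazily, page by page, but it does not show the mechanics. The following is an added example, not code from the post, from Apple, or from the technotes: a toy Python model of the code slots of a CodeDirectory (one SHA-256 per 4096-byte page of the executable), with a lazy verifier that only checks the pages a process actually touches. It then models the "Updating Mac Software" failure, overwriting the executable on disk while the old CodeDirectory is still the one being enforced, and shows that only the patched page fails, and only when it is faulted in. Assumptions: the sample "image" is constructed bytes rather than a Mach-O, the `cdhash` helper hashes just the page slots (the real cdhash covers the whole CodeDirectory blob, including the special slots for Info.plist, requirements, entitlements and the resource seal), and the function names are the example's own.

```python
"""Toy model of CodeDirectory per-page hashing and lazy verification.

Added example; not the post's or Apple's code.  The image is constructed
sample data, not a real Mach-O executable.
"""

import hashlib

PAGE_SIZE = 4096       # CodeDirectory stores log2(pageSize) = 12 on macOS
HASH = hashlib.sha256  # CS_HASHTYPE_SHA256: 32-byte slots on current systems


def build_code_directory(image: bytes, page_size: int = PAGE_SIZE) -> list[bytes]:
    """One hash per page, in order, like the code slots of a CodeDirectory.
    The final page is hashed as-is, however short it is."""
    return [HASH(image[off:off + page_size]).digest()
            for off in range(0, len(image), page_size)]


def cdhash(directory: list[bytes]) -> bytes:
    """Simplified stand-in for the cdhash (assumption: the real one covers the
    whole CodeDirectory blob, not just the page slots)."""
    return HASH(b"".join(directory)).digest()


def verify_page(image: bytes, directory: list[bytes], page: int,
                page_size: int = PAGE_SIZE) -> bool:
    """What happens when a page of signed code is faulted in: rehash the bytes
    now on disk and compare with the slot recorded at signing time."""
    if page < 0 or page >= len(directory):
        return False  # no slot for this page: nothing vouches for it
    chunk = image[page * page_size:(page + 1) * page_size]
    return HASH(chunk).digest() == directory[page]


def lazy_verify(image: bytes, directory: list[bytes], pages_touched) -> dict[int, bool]:
    """Lazy checking: only pages the process touches are verified, so a
    tampered page goes unnoticed until it is first faulted in, and the
    mismatch surfaces (as a crash) at that point rather than at launch."""
    return {p: verify_page(image, directory, p) for p in pages_touched}


def update_in_place(image: bytes, offset: int, patch: bytes) -> bytes:
    """Model of the mistake TN3126 points at: overwriting the running app's
    executable bytes while the old CodeDirectory is still the trusted one."""
    buf = bytearray(image)
    buf[offset:offset + len(patch)] = patch
    return bytes(buf)


# Constructed sample executable: three full pages plus a 100-byte tail.
SAMPLE_IMAGE = bytes(range(256)) * 48 + b"\x90" * 100
SAMPLE_CD = build_code_directory(SAMPLE_IMAGE)


if __name__ == "__main__":
    tampered = update_in_place(SAMPLE_IMAGE, PAGE_SIZE + 16, b"\xcc" * 4)
    print("pages:", len(SAMPLE_CD))
    print("pristine image, all pages:", lazy_verify(SAMPLE_IMAGE, SAMPLE_CD, range(len(SAMPLE_CD))))
    print("patched image, page 1 never touched:", lazy_verify(tampered, SAMPLE_CD, [0, 2, 3]))
    print("patched image, page 1 faulted in:", lazy_verify(tampered, SAMPLE_CD, [1]))
```

The point the model makes concrete: a process whose code was replaced underneath it can keep running happily until it first touches a changed page, which is why an updater must replace the bundle as a whole and relaunch rather than write into the running executable. A real CodeDirectory also has the negative special slots (Info.plist, requirements, entitlements, CodeResources), which this toy omits.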