SHA-256 hashes #91
Description
We seem not to have a public issue for this, so, creating one! (Sauce Labs has an internal issue at RDC-407).
Many months ago, Apple added secondary SHA-256 hashes to the CodeDirectory and _CodeSignature/CodeResources ("seal"). At present, iOS 10.2 still accepts the "old" SHA-1 hashes, so it has not been an urgent issue. We simply fall back to the old SHA-1 hashes and the phone accepts this.
In 2017, attacks on SHA-1 have started to become practical, so, sooner or later Apple will require SHA-256 in modern versions of iOS. Probably without warning, because Apple.
There are two things to do:
Update code_resources.py and if necessary code_resources_template.xml ... to use the new structure. The obvious difference is that in the files2 section, each dictionary has two hashes, e.g.
```xml
<key>files2</key>
<dict>
    <key>Base.lproj/LaunchScreen.storyboardc/01J-lp-oVM-view-Ze5-6b-2t3.nib</key>
    <dict>
        <key>hash</key>
        <data>
        zv6wZBrAOQ5Wg7TabAhS/99TWK4=
        </data>
        <key>hash2</key>
        <data>
        0B6uHUtSt9OuuOugGHsjjOarFGAVk+ymE6JBuAo3VbY=
        </data>
    </dict>
```
As is apparent from the length, the first hash is SHA-1, and the second is SHA-256.
Update codesig.py to deal with the new structure.
There have been a couple of attempts to fix this, but I haven't verified if they are still compatible with iOS 8.x and 9.x.
See this PR: #72.
And this branch: https://github.com/saucelabs/isign/tree/al-sha256
I'm still figuring out which approach is better -- it's possible that a combination of both approaches is required.
General notes
Unfortunately, it will be impossible to test if our efforts work until Apple brings the hammer down. But we can try to mirror everything that we see Apple doing. One general problem is that isign doesn't produce byte-identical output as codesign, so it can be hard to measure progress.
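The dual-hash `files2` structure described in this issue, as an added example that is not isign's code or part of the original issue: it builds entries carrying both `hash` (SHA-1) and `hash2` (SHA-256), identifies a digest by its decoded length, and checks a resource with SHA-256 preferred and SHA-1 as the fallback. The function names are hypothetical, and skipping only `_CodeSignature/` is a simplifying assumption in place of the seal's real exclusion rules.

```python
import base64
import hashlib
import plistlib
from pathlib import Path

def files2_entry(data: bytes) -> dict:
    """Both digests for one resource: 'hash' is SHA-1, 'hash2' is SHA-256."""
    return {"hash": hashlib.sha1(data).digest(),
            "hash2": hashlib.sha256(data).digest()}

def build_files2(bundle_dir: str) -> dict:
    """Map bundle-relative paths to dual-hash entries.
    Assumption: only _CodeSignature/ is excluded from the seal here."""
    root = Path(bundle_dir)
    files2 = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and not rel.startswith("_CodeSignature/"):
            files2[rel] = files2_entry(path.read_bytes())
    return files2

def digest_kind(b64_text: str) -> str:
    """Identify a seal digest by decoded length (20 = SHA-1, 32 = SHA-256)."""
    n = len(base64.b64decode(b64_text.strip()))
    return {20: "sha1", 32: "sha256"}.get(n, "unknown")

def check_entry(entry: dict, data: bytes) -> str:
    """Verify a resource, preferring hash2; report which digest decided."""
    if "hash2" in entry:
        ok = entry["hash2"] == hashlib.sha256(data).digest()
        return "sha256-ok" if ok else "sha256-mismatch"
    if "hash" in entry:
        ok = entry["hash"] == hashlib.sha1(data).digest()
        return "sha1-only-ok" if ok else "sha1-mismatch"
    return "no-hash"

def seal_xml(files2: dict) -> bytes:
    """Serialize as an XML plist; bytes values are written as <data>."""
    return plistlib.dumps({"files2": files2}, fmt=plistlib.FMT_XML)

if __name__ == "__main__":
    # The two values quoted in the issue, classified by length.
    print(digest_kind("zv6wZBrAOQ5Wg7TabAhS/99TWK4="))
    print(digest_kind("0B6uHUtSt9OuuOugGHsjjOarFGAVk+ymE6JBuAo3VbY="))
    # Constructed sample resource, serialized as a files2 fragment.
    print(seal_xml({"Example.nib": files2_entry(b"constructed")}).decode())
```

A result of `sha1-only-ok` marks an entry that still relies on the SHA-1 fallback, which is the case this issue wants to eliminate.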