Digital certificate extraction or validation using the custom public key

[kushalagrawal]

Hi blacktop,

we have multiple maco and fat binaries which are internal binaries. These binaries are signed by the internal CA and then uploaded to a remote location.
before I serve it to end user, I wants to make sure they are not tempered therefore I wants to validate using the internal CA's public key. if they are signed by that internal CA. Is There any direct way that I can extract the certificate chain associate with maco and fat binary.

Thanks
Kushal

[blacktop]

I assume you have seen ipsw macho info MACHO --sig ?

[kushalagrawal]

I believe you are talking about this:

root@my-machine [ ~ ]# ./ipsw macho info OPSWAT_GEARS_Client_3445-7c867995737c1853977386e89a5560c5.app --sig
Error: error reading magic number in record at byte 0x0
  ⨯ error reading magic number in record at byte 0x0

[blacktop]

the macho is inside the .app folder, most likely in the Contents/MacOS folder

[kushalagrawal]

Thanks, it shows the content of the signature certificate.
It would be really great if we can have way to dump the cert bytes as well. That way we validate it based on an custom Internal certificate rather than apple singed certificate.

[blacktop]

I have created an issue corresponding to this discussion here #74

[kushalagrawal]

thanks.. that would be really helpful :)

[blacktop]

If you are a Gopher you can use my go-macho lib to pull it, otherwise, I can add the ability to dump the cert bytes as well?

[kushalagrawal]

Yes, I was looking go-macho lib as an alternative option. because our code is in java which means there are 2 ways to do it. build a golang based API server having go-macho as a library. that will read the executable (macho/fat) file and provide the details of the binary file as a response or create a command-line utility same as ipsw to fulfill my need.

[blacktop]

this has been added, see the issue for details

[blacktop]

You can parse/print the cert like this:

❯ openssl pkcs7 -in MACHO.pem -print_certs -text -inform DER

[blacktop]

I'll see how easy it would be to output as well, I think it just requires asn1 parsing

[blacktop]

So I can create the cert like you list above, however, Apple binaries have 3 sig certs and I'm not sure what I should name them? MACHO.0.perm, MACHO.1.pem, MACHO.2.pem? seems wrong?

[kushalagrawal]

I think it would be better to print them in a single file as cert chain.

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

[blacktop]

should be fixed in latest release 👍

[blacktop]

@kushalagrawal I got an email notification of your question, but don't see it here. However, the error msg ipsw gives you tells you the available arches so --arch x86_64 would work to get the first bin and --arch arm64 would get the second one.

[kushalagrawal]

Hey @blacktop, yeah I had added that earlier but later after adding the addition x86_64 it started working. So, deleted the comment to avoid bothering you. thanks for noting my comments.