Apple macho codesign with stapled ticket file format

Apple MachO Code Signature with Ticket file format structure

  • Super blob (embedded signature = 0xfade0cc0)
    • Blob (code directory = 0xfade0c02)
      • Code signature (DER encoded)
    • Blob wrapper (0xfade0b01)
      • Length [4]
      • Offset [4]
      • Type? [4] = 256? (signature?)
      • Unknown [4] 239?
      • Ticket
        • Trailer length [4] = 66
        • Certificate (DER encoded)
        • Trailer
          • Magic [4] ("g8tk" ? great ticket)
          • Version [2] = 2
          • Type [2] = 20
          • Length/flags?? [4] = 512??
          • Reserved [4] = zeros
          • Crc32? [4]
          • Reserved? [4] = zeros
          • Contents code directory hash list
            • Digest algorithm [1] = 2 (sha256)
            • Code directory hash (sha256)
        • Hash list? (DER encoded / sha256)
          • Hash of what, though?

Notes:

  • Trailer magic of "t8lr" might be legacy or only be used for .pkg files
  • The notarization service works like the timestamping service used in code signing; the notarization ticket certificate can be used to validate the status of an app even if the system is offline
  • cdTicketSlot = 0x10002 (virtual)
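
Added example (not part of the original notes): a bounds-checked walk of an embedded-signature super blob that lists each indexed blob by slot and magic, using the magic values and cdTicketSlot given above. The big-endian header (magic, length, count), the (type, offset) index entries, and code directory slot 0 are taken from Apple's public cs_blobs.h rather than from these notes; the sample blob and its placeholder payloads are constructed.

```python
import struct

# Magic values and ticket slot as listed in the notes above.
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01
CD_TICKET_SLOT = 0x10002
MAGIC_NAMES = {CSMAGIC_CODEDIRECTORY: "code directory", CSMAGIC_BLOBWRAPPER: "blob wrapper"}


def walk_superblob(buf):
    """Return [(slot, magic_name, payload)]; raise ValueError on malformed input."""
    if len(buf) < 12:
        raise ValueError("too short for a super blob header")
    magic, length, count = struct.unpack_from(">III", buf, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError(f"unexpected super blob magic {magic:#x}")
    if length > len(buf) or 12 + 8 * count > length:
        raise ValueError("super blob length/count inconsistent with buffer")
    blobs = []
    for i in range(count):
        slot, off = struct.unpack_from(">II", buf, 12 + 8 * i)
        if off + 8 > length:
            raise ValueError(f"slot {slot:#x}: offset out of bounds")
        bmagic, blen = struct.unpack_from(">II", buf, off)
        if blen < 8 or off + blen > length:
            raise ValueError(f"slot {slot:#x}: blob length out of bounds")
        name = MAGIC_NAMES.get(bmagic, f"unknown {bmagic:#x}")
        blobs.append((slot, name, buf[off + 8 : off + blen]))
    return blobs


def build_sample():
    """Constructed sample: placeholder payloads, not real signature data."""
    parts = [
        (0, b"CD-PLACEHOLDER", CSMAGIC_CODEDIRECTORY),
        (CD_TICKET_SLOT, b"TICKET-PLACEHOLDER", CSMAGIC_BLOBWRAPPER),
    ]
    off = 12 + 8 * len(parts)  # first blob starts right after the index
    index = body = b""
    for slot, payload, magic in parts:
        index += struct.pack(">II", slot, off + len(body))
        body += struct.pack(">II", magic, 8 + len(payload)) + payload
    header = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, off + len(body), len(parts))
    return header + index + body
```

The payload returned for slot 0x10002 is where the ticket fields sketched above would be decoded; those fields are left unparsed here because the notes mark them as uncertain.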

Additional Resources:
