@nmoinvaz
Last active April 16, 2024 14:38
Apple MachO Code Signature Ticket Format

Apple MachO Code Signature with Ticket file format structure

  • Super blob (embedded signature = 0xfade0cc0)
    • Blob (code directory = 0xfade0c02)
      • Code signature (DER encoded)
    • Blob wrapper (0xfade0b01)
      • Length [4]
      • Offset [4]
      • Type? [4] = 256? (signature?)
      • Unknown [4] 239?
      • Ticket
        • Trailer length [4] = 66
        • Certificate (DER encoded)
        • Trailer
          • Magic [4] ("g8tk" ? great ticket)
          • Version [2] = 2
          • Type [2] = 20
          • Length/flags?? [4] = 512??
          • Reserved [4] = zeros
          • Crc32? [4]
          • Reserved? [4] = zeros
          • Contents code directory hash list
            • Digest algorithm [1] = 2 (sha256)
            • Code directory hash (sha256)
        • Contents (DER encoded / sha256)
          • Hash list for each code resource in submission?

Notes:

  • Trailer magic of "t8lr" might be legacy or only be used for .pkg files
  • The notarization service works like the timestamping service used in code signing; the notarization ticket certificate can be used to validate the status of an app even if the system is offline
  • cdTicketSlot = 0x10002 (virtual)
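
Added example (not part of the original gist): a bounds-checked Python walker that enumerates the blobs in an embedded signature super blob and returns the wrapper stored in the ticket slot, using the magic values and slot number listed above. It assumes the standard big-endian layout from Apple's open-source code signing headers (super blob header of magic, length, count; index entries of slot type and offset; each blob starting with magic and length). It only locates the "g8tk" magic and does not decode the trailer fields, since their meaning is marked uncertain above.

```python
import struct

# Magic values and slot number as listed on this page.
CSMAGIC_EMBEDDED_SIGNATURE = 0xFADE0CC0
CSMAGIC_CODEDIRECTORY = 0xFADE0C02
CSMAGIC_BLOBWRAPPER = 0xFADE0B01
CD_TICKET_SLOT = 0x10002
TICKET_TRAILER_MAGIC = b"g8tk"


def walk_superblob(data):
    """Return [(slot, magic, payload)] for each indexed blob, bounds-checked."""
    if len(data) < 12:
        raise ValueError("truncated super blob header")
    magic, length, count = struct.unpack_from(">III", data, 0)
    if magic != CSMAGIC_EMBEDDED_SIGNATURE:
        raise ValueError("not an embedded signature super blob")
    if length > len(data) or 12 + 8 * count > length:
        raise ValueError("super blob length or index count out of bounds")
    blobs = []
    for i in range(count):
        slot, offset = struct.unpack_from(">II", data, 12 + 8 * i)
        if offset + 8 > length:
            raise ValueError("blob offset out of bounds")
        bmagic, blen = struct.unpack_from(">II", data, offset)
        if blen < 8 or offset + blen > length:
            raise ValueError("blob length out of bounds")
        blobs.append((slot, bmagic, data[offset + 8:offset + blen]))
    return blobs


def find_ticket(data):
    """Return (wrapper payload, offset of 'g8tk' or -1), or None if no ticket slot."""
    for slot, magic, payload in walk_superblob(data):
        if slot == CD_TICKET_SLOT and magic == CSMAGIC_BLOBWRAPPER:
            return payload, payload.find(TICKET_TRAILER_MAGIC)
    return None


def _blob(magic, payload):
    return struct.pack(">II", magic, 8 + len(payload)) + payload


# Constructed sample (placeholder bytes, not a real signature or ticket); slot 0 = code directory.
_cd = _blob(CSMAGIC_CODEDIRECTORY, b"\x00" * 16)
_tk = _blob(CSMAGIC_BLOBWRAPPER, b"DER-PLACEHOLDER" + TICKET_TRAILER_MAGIC + b"\x00" * 20)
_index = struct.pack(">IIII", 0, 28, CD_TICKET_SLOT, 28 + len(_cd))
SAMPLE = struct.pack(">III", CSMAGIC_EMBEDDED_SIGNATURE, 28 + len(_cd) + len(_tk), 2) + _index + _cd + _tk
```

Every length and offset is checked against the declared super blob length before any slice is taken, so a truncated or malformed signature raises `ValueError` instead of yielding a short or misaligned payload.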

Additional Resources:
