what exactly is being stapled to the app?

I have successfully signed, notarized, and stapled. However, I'm trying to script as much as possible to make it easier to automate. I am very confused about the staple step, since it doesn't have an argument for what is being stapled to the target app. This makes me unsure whether I can make this call from a different working directory (in bash) and still have it know what to staple.

When you staple a ticket to a product, `stapler` does the following:

1. It gets the cdhash from the product. This code directory hash value uniquely identifies the code. You can see it for yourself using `codesign -d`.

2. It asks the Apple servers for a ticket that includes that cdhash. This ticket was generated and stored on the Apple servers when you notarised the product.

3. It attaches that ticket to your product. The exact mechanism for doing this varies but, for a bundled product like an app, it simply copies the ticket to `Contents/CodeResources` [1]. Critically, that file is not sealed by the app’s code signature, and thus can be modified without breaking the seal on that signature.

You can actually see each of these steps in action if you enable verbose mode (`-v`).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] Note that this is different from `Contents/_CodeSignature`, which holds important info about your app’s code signature.
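The following script is an added example, not code from Quinn's reply or from Apple's tooling. It addresses the scripting concern in the question: it resolves the app path to an absolute path before calling `stapler`, so the call works from any working directory, and it checks for the stapled ticket at `Contents/CodeResources` afterwards. The `xcrun stapler` and `codesign` invocations assume a macOS machine with the Xcode command-line tools; the `CDHash=` line parsed from `codesign -dvvv` output is assumed here and the helper names (`abs_path`, `has_stapled_ticket`, `is_signed_bundle`, `staple_and_validate`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the forum post): staple by absolute path and
# confirm the ticket landed. Only the bundle-inspection helpers are plain
# POSIX sh; print_cdhash and staple_and_validate need macOS tools.

# Resolve a bundle path to an absolute path so the script works from any cwd.
abs_path() {
  case "$1" in
    /*) printf '%s\n' "$1" ;;
    *)  printf '%s/%s\n' "$(pwd)" "$1" ;;
  esac
}

# Return 0 if the bundle has a code signature directory
# (Contents/_CodeSignature), which is what the signature seals.
is_signed_bundle() {
  [ -d "$1/Contents/_CodeSignature" ]
}

# Return 0 if the bundle carries a stapled ticket (Contents/CodeResources).
# That file sits outside the sealed signature, so adding or replacing it
# does not break the seal; this is a presence check, not a validation.
has_stapled_ticket() {
  [ -f "$1/Contents/CodeResources" ]
}

# Print the cdhash that stapler looks up on Apple's servers (macOS only).
# Assumption: codesign -dvvv prints a "CDHash=<hex>" line on stderr.
print_cdhash() {
  codesign -dvvv "$1" 2>&1 | sed -n 's/^CDHash=//p'
}

# Staple with verbose output, then let stapler validate the result (macOS only).
staple_and_validate() {
  app=$(abs_path "$1")
  xcrun stapler staple -v "$app" || return 1
  xcrun stapler validate "$app"
}

main() {
  app=$(abs_path "$1")
  is_signed_bundle "$app" || { echo "not a signed bundle: $app" >&2; return 2; }
  echo "cdhash: $(print_cdhash "$app")"
  staple_and_validate "$app" || return 1
  has_stapled_ticket "$app" && echo "ticket present at $app/Contents/CodeResources"
}

# Run only when invoked with an app path; sourcing the file just defines helpers.
if [ $# -gt 0 ]; then
  main "$1"
fi
```

Usage: `sh staple.sh build/MyApp.app` from any directory. Because `abs_path` is applied before the `stapler` call, the ticket is attached to the bundle you named regardless of the current working directory; `has_stapled_ticket` then reports whether `Contents/CodeResources` exists, while `stapler validate` is what actually confirms the ticket matches the bundle's cdhash.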