sign: Add support for entitlements

cfergeau · cfergeau · commit d9fd6491e07e · 2024-03-01T15:55:46.000+01:00
With the abstraction work done in the previous commit, adding support for entitlements is now fairly straightforward, just need to build the entitlements blob and hashes using user-provided XML data. This fixes anchore#4 Signed-off-by: Christophe Fergeau <cfergeau@redhat.com>
diff --git a/cmd/quill/cli/commands/sign.go b/cmd/quill/cli/commands/sign.go
@@ -72,6 +72,7 @@ func sign(binPath string, opts options.Signing) error {
 
 	cfg.WithIdentity(opts.Identity)
 	cfg.WithTimestampServer(opts.TimestampServer)
+	cfg.WithEntitlements(opts.Entitlements)
 
 	return quill.Sign(cfg)
 }
diff --git a/cmd/quill/cli/options/signing.go b/cmd/quill/cli/options/signing.go
@@ -20,7 +20,8 @@ type Signing struct {
 	FailWithoutFullChain bool   `yaml:"fail-without-full-chain" json:"fail-without-full-chain" mapstructure:"fail-without-full-chain"`
 
 	// unbound options
-	Password string `yaml:"password" json:"password" mapstructure:"password"`
+	Password     string `yaml:"password" json:"password" mapstructure:"password"`
+	Entitlements string `yaml:"entitlements" json:"entitlements" mapstructure:"entitlements"`
 }
 
 func DefaultSigning() Signing {
@@ -60,6 +61,12 @@ func (o *Signing) AddFlags(flags fangs.FlagSet) {
 		"ad-hoc", "",
 		"perform ad-hoc signing. No cryptographic signature is included and --p12 key and certificate input are not needed. Do NOT use this option for production builds.",
 	)
+
+	flags.StringVarP(
+		&o.Entitlements,
+		"entitlements", "",
+		"path to an XML file containing the entitlements for the binary being signed",
+	)
 }
 
 func (o *Signing) DescribeFields(d fangs.FieldDescriptionSet) {
diff --git a/quill/sign.go b/quill/sign.go
@@ -21,6 +21,7 @@ type SigningConfig struct {
 	SigningMaterial pki.SigningMaterial
 	Identity        string
 	Path            string
+	Entitlements    string
 }
 
 func NewSigningConfigFromPEMs(binaryPath, certificate, privateKey, password string, failWithoutFullChain bool) (*SigningConfig, error) {
@@ -66,6 +67,11 @@ func (c *SigningConfig) WithTimestampServer(url string) *SigningConfig {
 	return c
 }
 
+func (c *SigningConfig) WithEntitlements(path string) *SigningConfig {
+	c.Entitlements = path
+	return c
+}
+
 func Sign(cfg SigningConfig) error {
 	f, err := os.Open(cfg.Path)
 	if err != nil {
@@ -212,14 +218,24 @@ func signSingleBinary(cfg SigningConfig) error {
 		log.Warnf("only ad-hoc signing, which means that anyone can alter the binary contents without you knowing (there is no cryptographic signature)")
 	}
 
+	entitlementsXML := ""
+	if cfg.Entitlements != "" {
+		log.Infof("Loading entitlements from %s", cfg.Entitlements)
+		data, err := os.ReadFile(cfg.Entitlements)
+		if err != nil {
+			return err
+		}
+		entitlementsXML = string(data)
+	}
+
 	// (patch) add empty LcCodeSignature loader (offset and size references are not set)
 	if err = m.AddEmptyCodeSigningCmd(); err != nil {
 		return err
 	}
 
 	// first pass: add the signed data with the dummy loader
 	log.Debugf("estimating signing material size")
-	superBlobSize, sbBytes, err := sign.GenerateSigningSuperBlob(cfg.Identity, m, cfg.SigningMaterial, 0)
+	superBlobSize, sbBytes, err := sign.GenerateSigningSuperBlob(cfg.Identity, m, cfg.SigningMaterial, entitlementsXML, 0)
 	if err != nil {
 		return fmt.Errorf("failed to add signing data on pass=1: %w", err)
 	}
@@ -232,7 +248,7 @@ func signSingleBinary(cfg SigningConfig) error {
 
 	// second pass: now that all of the sizing is right, let's do it again with the final contents (replacing the hashes and signature)
 	log.Debug("creating signature for binary")
-	_, sbBytes, err = sign.GenerateSigningSuperBlob(cfg.Identity, m, cfg.SigningMaterial, superBlobSize)
+	_, sbBytes, err = sign.GenerateSigningSuperBlob(cfg.Identity, m, cfg.SigningMaterial, entitlementsXML, superBlobSize)
 	if err != nil {
 		return fmt.Errorf("failed to add signing data on pass=2: %w", err)
 	}
diff --git a/quill/sign/entitlements.go b/quill/sign/entitlements.go
@@ -0,0 +1,29 @@
+package sign
+
+import (
+	"fmt"
+	"hash"
+
+	"github.com/anchore/quill/quill/macho"
+	"github.com/go-restruct/restruct"
+)
+
+func generateEntitlements(h hash.Hash, entitlementsXML string) (*SpecialSlot, error) {
+	if entitlementsXML == "" {
+		return nil, nil
+	}
+	entitlementsBytes := []byte(entitlementsXML)
+	blob := macho.NewBlob(macho.MagicEmbeddedEntitlements, entitlementsBytes)
+	blobBytes, err := restruct.Pack(macho.SigningOrder, &blob)
+	if err != nil {
+		return nil, fmt.Errorf("unable to encode entitlements blob: %w", err)
+	}
+
+	// the requirements hash is against the entire blob, not just the payload
+	h.Write(blobBytes)
+	if err != nil {
+		return nil, err
+	}
+
+	return &SpecialSlot{macho.CsSlotEntitlements, &blob, h.Sum(nil)}, nil
+}
diff --git a/quill/sign/signing_super_blob.go b/quill/sign/signing_super_blob.go
@@ -16,7 +16,7 @@ type SpecialSlot struct {
 	HashBytes []byte
 }
 
-func GenerateSigningSuperBlob(id string, m *macho.File, signingMaterial pki.SigningMaterial, paddingTarget int) (int, []byte, error) {
+func GenerateSigningSuperBlob(id string, m *macho.File, signingMaterial pki.SigningMaterial, entitlementsData string, paddingTarget int) (int, []byte, error) {
 	var cdFlags macho.CdFlag
 	if signingMaterial.Signer != nil {
 		// TODO: add options to enable more strict rules (such as macho.Hard)
@@ -29,6 +29,14 @@ func GenerateSigningSuperBlob(id string, m *macho.File, signingMaterial pki.Sign
 
 	specialSlots := []SpecialSlot{}
 
+	entitlements, err := generateEntitlements(sha256.New(), entitlementsData)
+	if err != nil {
+		return 0, nil, fmt.Errorf("unable to create entitlements: %w", err)
+	}
+	if entitlements != nil {
+		specialSlots = append(specialSlots, *entitlements)
+	}
+
 	requirements, err := generateRequirements(id, sha256.New(), signingMaterial)
 	if err != nil {
 		return 0, nil, fmt.Errorf("unable to create requirements: %w", err)
@@ -37,8 +45,6 @@ func GenerateSigningSuperBlob(id string, m *macho.File, signingMaterial pki.Sign
 		specialSlots = append(specialSlots, *requirements)
 	}
 
-	// TODO: add entitlements, for the meantime, don't include it
-
 	cdBlob, err := generateCodeDirectory(id, sha256.New(), m, cdFlags, specialSlots)
 	if err != nil {
 		return 0, nil, fmt.Errorf("unable to create code directory: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ func sign(binPath string, opts options.Signing) error {`
`72`	`72`
`73`	`73`	`cfg.WithIdentity(opts.Identity)`
`74`	`74`	`cfg.WithTimestampServer(opts.TimestampServer)`
	`75`	`+ cfg.WithEntitlements(opts.Entitlements)`
`75`	`76`
`76`	`77`	`return quill.Sign(cfg)`
`77`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,8 @@ type Signing struct {`
`20`	`20`	FailWithoutFullChain bool `yaml:"fail-without-full-chain" json:"fail-without-full-chain" mapstructure:"fail-without-full-chain"`
`21`	`21`
`22`	`22`	`// unbound options`
`23`		- Password string `yaml:"password" json:"password" mapstructure:"password"`
	`23`	+ Password string `yaml:"password" json:"password" mapstructure:"password"`
	`24`	+ Entitlements string `yaml:"entitlements" json:"entitlements" mapstructure:"entitlements"`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`func DefaultSigning() Signing {`
`@@ -60,6 +61,12 @@ func (o *Signing) AddFlags(flags fangs.FlagSet) {`
`60`	`61`	`"ad-hoc", "",`
`61`	`62`	`"perform ad-hoc signing. No cryptographic signature is included and --p12 key and certificate input are not needed. Do NOT use this option for production builds.",`
`62`	`63`	`)`
	`64`	`+`
	`65`	`+ flags.StringVarP(`
	`66`	`+ &o.Entitlements,`
	`67`	`+ "entitlements", "",`
	`68`	`+ "path to an XML file containing the entitlements for the binary being signed",`
	`69`	`+ )`
`63`	`70`	`}`
`64`	`71`
`65`	`72`	`func (o *Signing) DescribeFields(d fangs.FieldDescriptionSet) {`