node-applesign

Remove OSX dependency (aka support Linux)

Open trufae opened this issue 9 years ago • 13 comments

As described in this project: https://github.com/saucelabs/isign

Looks like it is basically running openssl commands to do all that signing thing without depending on Apple hw or sw. (thanks @oleavr for the finding)

trufae avatar Feb 16 '16 16:02 trufae

:+1: do you want to get this out before we open this repo up to the public or nah?

dweinstein avatar Feb 16 '16 19:02 dweinstein

It is not mandatory but it will be nice to have. The problem with this Python implementation is that it also requires a tool that is not distributed with openssl and it needs to be a very specific version. We can release as is for now, and investigate later on this to make it fully portable without depending on system programs.

trufae avatar Feb 16 '16 22:02 trufae

IMHO this issue is not blocking

trufae avatar Feb 18 '16 09:02 trufae

IMHO this issue is not blocking

+1

oleavr avatar Feb 18 '16 12:02 oleavr

For a quick approach we can just write a bunch of shell script or Python lines to implement the codesign and security programs using isign. But ideally we should have those implemented in pure node.

Those are all four commands used in applesign:

codesign -v --no-strict binaryName        # verify
codesign --no-strict -fs identityFile --entitlements=$entitlementsfile binaryToSign  # sign binary using given identity
security find-identity -v -p codesigning      # enumerate all identities with support for codesigning (maybe hardcoded)
security cms -D -i embedded.mobileprovision    # decode CMS messages

trufae avatar Apr 20 '16 22:04 trufae
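
Of the four commands listed above, `security cms -D -i embedded.mobileprovision` decodes a CMS SignedData container and prints the plist it carries, which can be done without macOS. An added example (not part of this thread, and not code from node-applesign or isign): a minimal DER walker in Node that returns the embedded payload. The function names and the sample bytes are constructed here; it assumes definite-length DER with a primitive OCTET STRING payload, and it does not verify the CMS signature.

```javascript
// Added example: decodes the DER structure only; it does NOT verify the signature.
const OID_SIGNED_DATA = Buffer.from('2a864886f70d010702', 'hex'); // 1.2.840.113549.1.7.2

// Read one definite-length DER TLV starting at `off`.
function readTlv(buf, off) {
  if (off + 2 > buf.length) throw new Error('truncated DER');
  let len = buf[off + 1], pos = off + 2;
  if (len & 0x80) {                        // long form: low 7 bits = count of length bytes
    const n = len & 0x7f;
    if (n === 0 || n > 4 || pos + n > buf.length) throw new Error('unsupported DER length');
    len = buf.readUIntBE(pos, n); pos += n;
  }
  if (pos + len > buf.length) throw new Error('truncated DER');
  return { tag: buf[off], body: buf.subarray(pos, pos + len), next: pos + len };
}

// Split the content of a constructed element into its child TLVs.
function children(body) {
  const out = [];
  for (let off = 0; off < body.length; off = out[out.length - 1].next) out.push(readTlv(body, off));
  return out;
}

// ContentInfo -> [0] SignedData -> encapContentInfo -> [0] OCTET STRING (the plist).
function extractCmsContent(der) {
  const contentInfo = readTlv(der, 0);
  const [oid, wrapped] = contentInfo.tag === 0x30 ? children(contentInfo.body) : [];
  const isSigned = oid && oid.tag === 0x06 && oid.body.equals(OID_SIGNED_DATA) && wrapped && wrapped.tag === 0xa0;
  if (!isSigned) throw new Error('not CMS SignedData');
  const fields = children(readTlv(wrapped.body, 0).body); // version, digestAlgorithms, encapContentInfo, ...
  if (fields.length < 3 || fields[2].tag !== 0x30) throw new Error('malformed SignedData');
  const eContent = children(fields[2].body)[1];           // [0] EXPLICIT wrapper, absent if detached
  if (!eContent || eContent.tag !== 0xa0) throw new Error('no embedded content');
  const octets = readTlv(eContent.body, 0);
  if (octets.tag !== 0x04) throw new Error('unsupported eContent encoding');
  return octets.body;
}

// Constructed sample (not a real provisioning profile): minimal SignedData around a plist.
const tlv = (tag, ...parts) => {
  const body = Buffer.concat(parts);       // lengths >= 128 use a 2-byte long form (sample only)
  const len = body.length < 0x80 ? [body.length] : [0x82, body.length >> 8, body.length & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
};
const wrap = (encap) => tlv(0x30, tlv(0x06, OID_SIGNED_DATA),
  tlv(0xa0, tlv(0x30, tlv(0x02, Buffer.from([1])), tlv(0x31), encap, tlv(0x31))));
const SAMPLE_PLIST = '<?xml version="1.0"?><plist version="1.0"><dict><key>Name</key><string>Constructed</string></dict></plist>';
const ID_DATA = tlv(0x06, Buffer.from('2a864886f70d010701', 'hex')); // 1.2.840.113549.1.7.1
const sampleProfile = wrap(tlv(0x30, ID_DATA, tlv(0xa0, tlv(0x04, Buffer.from(SAMPLE_PLIST)))));
console.log(extractCmsContent(sampleProfile).toString('utf8'));
```

On a real profile, pass the file contents as a Buffer (for example from `fs.readFileSync`); the returned plist is unauthenticated, since the signer is never checked.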

yeah I'm investing my time fixing some issues with isign so it could work out... though longer term I'd love to see something pure-node too

dweinstein avatar Apr 20 '16 22:04 dweinstein

See 2d8caec33bee4cbdc58aff4b3a38501dd0693a59

trufae avatar May 08 '16 03:05 trufae

Also see https://github.com/nowsecure/node-applesign/blob/master/tools.js

trufae avatar May 08 '16 03:05 trufae

A pure node solution without OS X dependency would be great, I've been looking for this for a few weeks..

mkayswork avatar Aug 09 '16 11:08 mkayswork

@mkayswork there's https://pypi.python.org/pypi/isign/ but from my experience it is pretty hard to set up and it is pretty buggy, so it is not a reliable option

trufae avatar Aug 11 '16 12:08 trufae

Ty, I know that project because I have to use it to get rid of that OS X dependency. It's also working, but pure node would be far better for me..

The setup itself isn't that hard anymore, the issues also give good hints for some use cases.. ;)

mkayswork avatar Aug 15 '16 09:08 mkayswork

You can help on this by writing separate standalone tools that mimic osx functionality but using isign under the hood to get applesign working outside osx.

After this it will be desirable to slowly reimplement those commands as node modules that can be used to replace the tools.js thing

trufae avatar Aug 16 '16 11:08 trufae

I don't have enough knowledge regarding the signing process of OS X. From what I've learned, the process is very complex. I managed to get it working on Linux with isign https://pypi.python.org/pypi/isign/. It's because it relies on OpenSSL which is only available as a third-party solution on Windows. Since the code signing process is very complex, I don't want to rely on those, which is why I started using isign.

mkayswork avatar Feb 14 '17 10:02 mkayswork