Introduce v2 of signed archives. The signature goes at the end and signs everything that precedes it, rather than just the payload. Version 1 is still accepted as input. Output contains the v1 header but also contains the v2 signature, which is preferred when available. The migration path will be to ship this and rebuild all its files with it. Then the next version will build only v2. Then the version after that will accept only v2, and the migration code can be deleted.

Author: gnachman

SignedArchive/.gitignore

@@ -1 +1,3 @@
 SignedArchive.xcodeproj/xcuserdata
+SignedArchive.xcodeproj/project.xcworkspace/xcuserdata
+SignedArchive.xcodeproj/xcshareddata/xcschemes

SignedArchive/SignedArchive.xcodeproj/project.xcworkspace/xcuserdata/gnachman.xcuserdatad/UserInterfaceState.xcuserstate

@@ -9,6 +9,7 @@
 #import "SIGArchiveBuilder.h"
 
 #import "SIGArchiveChunk.h"
+#import "SIGArchiveFlags.h"
 #import "SIGArchiveVerifier.h"
 #import "SIGCertificate.h"
 #import "SIGError.h"
@@ -34,11 +35,12 @@ - (instancetype)initWithPayloadFileURL:(NSURL *)url
 
 - (BOOL)writeToURL:(NSURL *)url
              error:(out NSError * _Nullable __autoreleasing *)error {
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION
     NSData *signature = [self signature:error];
     if (!signature) {
         return NO;
     }
-    
+#endif
     NSData *certificate = _identity.signingCertificate.data;
     if (!certificate) {
         if (error) {
@@ -47,44 +49,73 @@ - (BOOL)writeToURL:(NSURL *)url
         return NO;
     }
 
-    NSOutputStream *writeStream = [NSOutputStream outputStreamWithURL:url append:NO];
-    if (!writeStream) {
+    // Write everything but the signature to a buffer in memory.
+    NSOutputStream *combinedOutputStream = [NSOutputStream outputStreamToMemory];
+    if (!combinedOutputStream) {
         if (error) {
             *error = [SIGError errorWithCode:SIGErrorCodeIOWrite detail:@"Could not create write stream"];
         }
         return NO;
     }
-    [writeStream open];
-    
-    if (![self writeHeaderToStream:writeStream error:error]) {
+    [combinedOutputStream open];
+
+    if (![self writeHeaderToStream:combinedOutputStream error:error]) {
         return NO;
     }
-    if (![self writeMetadataToStream:writeStream error:error]) {
+    if (![self writeMetadataToStream:combinedOutputStream error:error]) {
         return NO;
     }
-    if (![self writePayloadToStream:writeStream error:error]) {
+    if (![self writePayloadToStream:combinedOutputStream error:error]) {
         return NO;
     }
-    if (![self writeSignature:signature toStream:writeStream error:error]) {
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION
+    if (![self writeSignature:signature toStream:combinedOutputStream error:error]) {
         return NO;
     }
-    if (![self writeCertificate:certificate toStream:writeStream error:error]) {
+#endif
+    if (![self writeCertificate:certificate toStream:combinedOutputStream error:error]) {
         return NO;
     }
 
     // NOTE: The signing certificate must be first. This is a requirement of SecTrustCreateWithCertificates
     // which is implicit in the file format.
     SIGCertificate *issuerCertificate = _identity.signingCertificate.issuer;
     while (issuerCertificate != nil) {
-        if (![self writeCertificate:issuerCertificate.data toStream:writeStream error:error]) {
+        if (![self writeCertificate:issuerCertificate.data toStream:combinedOutputStream error:error]) {
             return NO;
         }
         if ([issuerCertificate.issuer isEqual:issuerCertificate]) {
             break;
         }
         issuerCertificate = issuerCertificate.issuer;
     }
+    [combinedOutputStream close];
+
+    // Now compute the signature of that buffer.
+    NSData *combinedData = [combinedOutputStream propertyForKey:NSStreamDataWrittenToMemoryStreamKey];
+    if (!combinedData) {
+        return NO;
+    }
+    NSData *signature2 = [self signatureForData:combinedData error:error];
+    if (!signature2) {
+        return NO;
+    }
+
+    // Concatenate the combined data and the signature chunk to a file on disk.
+    NSOutputStream *writeStream = [NSOutputStream outputStreamWithURL:url append:NO];
+    [writeStream open];
+    const long long length = [writeStream write:combinedData.bytes maxLength:combinedData.length];
+    if (length != combinedData.length) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeIOWrite];
+        }
+        return NO;
+    }
+    if (![self writeSignature2:signature2 toStream:writeStream error:error]) {
+        return NO;
+    }
     [writeStream close];
+
     return YES;
 }
 
@@ -131,8 +162,14 @@ - (BOOL)writePayloadToStream:(NSOutputStream *)writeStream error:(out NSError *
 }
 
 - (BOOL)writeMetadataToStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
-    NSArray<NSString *> *fields = @[ @"version=1",
-                                     @"digest-type=SHA2" ];
+    // Version 1 signed only the payload. Version 2 signs the container except the signature's chunk.
+    NSArray<NSString *> *fields = @[
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION
+        @"version=1",
+#else
+        @"version=2",
+#endif
+        @"digest-type=SHA2" ];
     NSString *metadata = [fields componentsJoinedByString:@"\n"];
     NSData *data = [metadata dataUsingEncoding:NSUTF8StringEncoding];
     SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagMetadata
@@ -145,6 +182,7 @@ - (BOOL)writeMetadataToStream:(NSOutputStream *)writeStream error:(out NSError *
     return ok;
 }
 
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION
 - (BOOL)writeSignature:(NSData *)signature toStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
     SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagSignature
                                                                              length:signature.length
@@ -155,6 +193,18 @@ - (BOOL)writeSignature:(NSData *)signature toStream:(NSOutputStream *)writeStrea
     _offset += chunkWriter.chunkLength;
     return ok;
 }
+#endif
+
+- (BOOL)writeSignature2:(NSData *)signature toStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagSignature2
+                                                                             length:signature.length
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeData:signature
+                                  toStream:writeStream
+                                     error:error];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
 
 - (BOOL)writeCertificate:(NSData *)certificate toStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
     SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagCertificate
@@ -179,6 +229,7 @@ - (BOOL)writeCertificate:(NSData *)certificate toStream:(NSOutputStream *)writeS
     return algorithm;
 }
 
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION
 - (NSData *)signature:(out NSError **)error {
     id<SIGSigningAlgorithm> algorithm = [self signingAlgorithm:error];
     if (!algorithm) {
@@ -192,6 +243,26 @@ - (NSData *)signature:(out NSError **)error {
         }
         return nil;
     }
+
+    return [algorithm signatureForInputStream:readStream
+                                usingIdentity:_identity
+                                        error:error];
+}
+#endif
+
+- (NSData *)signatureForData:(NSData *)data error:(out NSError **)error {
+    id<SIGSigningAlgorithm> algorithm = [self signingAlgorithm:error];
+    if (!algorithm) {
+        return nil;
+    }
+
+    NSInputStream *readStream = [NSInputStream inputStreamWithData:data];
+    if (!readStream) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeIORead];
+        }
+        return nil;
+    }
 
     return [algorithm signatureForInputStream:readStream
                                 usingIdentity:_identity

SignedArchive/SignedArchive/SIGArchiveBuilder.m

@@ -14,8 +14,9 @@ typedef NS_ENUM(long long, SIGArchiveTag) {
     SIGArchiveTagHeader = 0,
     SIGArchiveTagPayload = 1,
     SIGArchiveTagMetadata = 2,
-    SIGArchiveTagSignature = 3,
+    SIGArchiveTagSignature = 3,  // Deprecated. Signs only the payload.
     SIGArchiveTagCertificate = 4,
+    SIGArchiveTagSignature2 = 5,  // Signs the entire file excluding the signature2 chunk. Must be the last entry.
 };
 
 extern NSString *const SIGArchiveHeaderMagicString;

SignedArchive/SignedArchive/SIGArchiveChunk.h

@@ -0,0 +1,10 @@
+// Create archives readable by older versions?
+#define ENABLE_SIGARCHIVE_MIGRATION_CREATION 1
+
+// Accept archives from older versions?
+#define ENABLE_SIGARCHIVE_MIGRATION_VALIDATION 1
+
+#if ENABLE_SIGARCHIVE_MIGRATION_CREATION || ENABLE_SIGARCHIVE_MIGRATION_VALIDATION
+#warning NOTE: SIGArchive migration flags enabled
+#endif
+

SignedArchive/SignedArchive/SIGArchiveFlags.h

@@ -8,6 +8,8 @@
 
 #import <Foundation/Foundation.h>
 
+#import "SIGArchiveFlags.h"
+
 NS_ASSUME_NONNULL_BEGIN
 
 @interface SIGArchiveReader : NSObject
@@ -22,8 +24,16 @@ NS_ASSUME_NONNULL_BEGIN
 
 - (nullable NSString *)header:(out NSError **)error;
 - (nullable NSString *)metadata:(out NSError **)error;
+
+#if ENABLE_SIGARCHIVE_MIGRATION_VALIDATION
 - (nullable NSData *)signature:(out NSError **)error;
+#endif
+
+- (NSData *)signature2:(out NSError * _Nullable __autoreleasing *)error;
+
+
 - (nullable NSInputStream *)payloadInputStream:(out NSError **)error;
+- (nullable NSInputStream *)payload2InputStream:(out NSError **)error;
 - (nullable NSArray<NSData *> *)signingCertificates:(out NSError **)error;
 
 @end

SignedArchive/SignedArchive/SIGArchiveReader.h

@@ -10,6 +10,7 @@
 
 #import "SIGArchiveBuilder.h"
 #import "SIGArchiveChunk.h"
+#import "SIGArchiveFlags.h"
 #import "SIGError.h"
 #import "SIGPartialInputStream.h"
 
@@ -86,6 +87,7 @@ - (NSString *)metadata:(out NSError **)error {
     return string;
 }
 
+#if ENABLE_SIGARCHIVE_MIGRATION_VALIDATION
 - (NSData *)signature:(out NSError * _Nullable __autoreleasing *)error {
     SIGArchiveChunk *chunk = [self chunkWithTag:SIGArchiveTagSignature];
     if (!chunk) {
@@ -96,6 +98,18 @@ - (NSData *)signature:(out NSError * _Nullable __autoreleasing *)error {
     }
     return [chunk data:error];
 }
+#endif
+
+- (NSData *)signature2:(out NSError * _Nullable __autoreleasing *)error {
+    SIGArchiveChunk *chunk = [self lastChunk];
+    if (chunk.tag != SIGArchiveTagSignature2) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeNoSignature];
+        }
+        return nil;
+    }
+    return [chunk data:error];
+}
 
 - (NSArray<NSData *> *)signingCertificates:(out NSError * _Nullable __autoreleasing *)error {
     NSArray<SIGArchiveChunk *> *chunks = [self chunksWithTag:SIGArchiveTagCertificate];
@@ -129,6 +143,29 @@ - (NSInputStream *)payloadInputStream:(out NSError **)error {
                                                                   chunk.payloadLength)];
 }
 
+- (NSInputStream *)payload2InputStream:(out NSError **)error {
+    // The last chunk is the signature. It signs the chunks that precede it. Find the chunk before
+    // the signature to establish the number of bytes to sign.
+    SIGArchiveChunk *chunk = [self penultimateChunk];
+    if (!chunk) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeNoPayload];
+        }
+        return nil;
+    }
+
+    const long long length = [chunk payloadOffset] + [chunk payloadLength];
+    if (length <= 0) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeNoPayload];
+        }
+        return nil;
+    }
+
+    return [[SIGPartialInputStream alloc] initWithURL:_url
+                                                range:NSMakeRange(0, length)];
+}
+
 - (long long)payloadLength {
     SIGArchiveChunk *chunk = [self chunkWithTag:SIGArchiveTagPayload];
     if (!chunk) {
@@ -187,6 +224,17 @@ - (BOOL)load:(out NSError **)errorOut {
 
 #pragma mark - Private
 
+- (SIGArchiveChunk *)lastChunk {
+    return _chunks.lastObject;
+}
+
+- (SIGArchiveChunk *)penultimateChunk {
+    if (_chunks.count < 2) {
+        return nil;
+    }
+    return _chunks[_chunks.count - 2];
+}
+
 - (SIGArchiveChunk *)chunkWithTag:(SIGArchiveTag)tag {
     NSInteger index = [_chunks indexOfObjectPassingTest:^BOOL(SIGArchiveChunk * _Nonnull obj,
                                                               NSUInteger idx,