Add SignedArchive project

Author: gnachman

SignedArchive/.gitignore

@@ -0,0 +1 @@
+SignedArchive.xcodeproj/xcuserdata

SignedArchive/SignedArchive.xcodeproj/project.pbxproj

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>IDEDidComputeMac32BitWarning</key>
+	<true/>
+</dict>
+</plist>

SignedArchive/SignedArchive.xcodeproj/project.xcworkspace/contents.xcworkspacedata

@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<Scheme
+   LastUpgradeVersion = "1000"
+   version = "1.3">
+   <BuildAction
+      parallelizeBuildables = "YES"
+      buildImplicitDependencies = "YES">
+      <BuildActionEntries>
+         <BuildActionEntry
+            buildForTesting = "YES"
+            buildForRunning = "YES"
+            buildForProfiling = "YES"
+            buildForArchiving = "YES"
+            buildForAnalyzing = "YES">
+            <BuildableReference
+               BuildableIdentifier = "primary"
+               BlueprintIdentifier = "53F5894F21C9B527004A372B"
+               BuildableName = "extract"
+               BlueprintName = "extract"
+               ReferencedContainer = "container:SignedArchive.xcodeproj">
+            </BuildableReference>
+         </BuildActionEntry>
+      </BuildActionEntries>
+   </BuildAction>
+   <TestAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      shouldUseLaunchSchemeArgsEnv = "YES">
+      <Testables>
+      </Testables>
+      <MacroExpansion>
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "53F5894F21C9B527004A372B"
+            BuildableName = "extract"
+            BlueprintName = "extract"
+            ReferencedContainer = "container:SignedArchive.xcodeproj">
+         </BuildableReference>
+      </MacroExpansion>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </TestAction>
+   <LaunchAction
+      buildConfiguration = "Debug"
+      selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
+      selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      launchStyle = "0"
+      useCustomWorkingDirectory = "NO"
+      ignoresPersistentStateOnLaunch = "NO"
+      debugDocumentVersioning = "YES"
+      debugServiceExtension = "internal"
+      allowLocationSimulation = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "53F5894F21C9B527004A372B"
+            BuildableName = "extract"
+            BlueprintName = "extract"
+            ReferencedContainer = "container:SignedArchive.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+      <CommandLineArguments>
+         <CommandLineArgument
+            argument = "/tmp/passwd.sigzip /tmp/passwd.txt"
+            isEnabled = "YES">
+         </CommandLineArgument>
+      </CommandLineArguments>
+      <AdditionalOptions>
+      </AdditionalOptions>
+   </LaunchAction>
+   <ProfileAction
+      buildConfiguration = "Release"
+      shouldUseLaunchSchemeArgsEnv = "YES"
+      savedToolIdentifier = ""
+      useCustomWorkingDirectory = "NO"
+      debugDocumentVersioning = "YES">
+      <BuildableProductRunnable
+         runnableDebuggingMode = "0">
+         <BuildableReference
+            BuildableIdentifier = "primary"
+            BlueprintIdentifier = "53F5894F21C9B527004A372B"
+            BuildableName = "extract"
+            BlueprintName = "extract"
+            ReferencedContainer = "container:SignedArchive.xcodeproj">
+         </BuildableReference>
+      </BuildableProductRunnable>
+   </ProfileAction>
+   <AnalyzeAction
+      buildConfiguration = "Debug">
+   </AnalyzeAction>
+   <ArchiveAction
+      buildConfiguration = "Release"
+      revealArchiveInOrganizer = "YES">
+   </ArchiveAction>
+</Scheme>

SignedArchive/SignedArchive.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleDevelopmentRegion</key>
+	<string>$(DEVELOPMENT_LANGUAGE)</string>
+	<key>CFBundleExecutable</key>
+	<string>$(EXECUTABLE_NAME)</string>
+	<key>CFBundleIdentifier</key>
+	<string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>CFBundleName</key>
+	<string>$(PRODUCT_NAME)</string>
+	<key>CFBundlePackageType</key>
+	<string>FMWK</string>
+	<key>CFBundleShortVersionString</key>
+	<string>1.0</string>
+	<key>CFBundleVersion</key>
+	<string>$(CURRENT_PROJECT_VERSION)</string>
+	<key>NSHumanReadableCopyright</key>
+	<string>Copyright © 2018 George Nachman. All rights reserved.</string>
+</dict>
+</plist>

SignedArchive/SignedArchive.xcodeproj/project.xcworkspace/xcuserdata/gln.xcuserdatad/UserInterfaceState.xcuserstate

@@ -0,0 +1,32 @@
+//
+//  SIGArchiveBuilder.h
+//  SignedArchive
+//
+//  Created by George Nachman on 12/16/18.
+//  Copyright © 2018 George Nachman. All rights reserved.
+//
+
+#import <Foundation/Foundation.h>
+
+#import "SIGArchiveChunk.h"
+
+NS_ASSUME_NONNULL_BEGIN
+
+@class SIGIdentity;
+
+@interface SIGArchiveBuilder : NSObject
+
+@property (nonatomic, readonly) NSURL *payloadFileURL;
+@property (nonatomic, readonly) SIGIdentity *identity;
+
+- (instancetype)initWithPayloadFileURL:(NSURL *)payloadFileURL
+                              identity:(SIGIdentity *)identity NS_DESIGNATED_INITIALIZER;
+
+- (instancetype)init NS_UNAVAILABLE;
+
+- (BOOL)writeToURL:(NSURL *)url
+             error:(out NSError **)error;
+
+@end
+
+NS_ASSUME_NONNULL_END

SignedArchive/SignedArchive.xcodeproj/project.xcworkspace/xcuserdata/gnachman.xcuserdatad/UserInterfaceState.xcuserstate

@@ -0,0 +1,188 @@
+//
+//  SIGArchiveBuilder.m
+//  SignedArchive
+//
+//  Created by George Nachman on 12/16/18.
+//  Copyright © 2018 George Nachman. All rights reserved.
+//
+
+#import "SIGArchiveBuilder.h"
+
+#import "SIGArchiveChunk.h"
+#import "SIGArchiveVerifier.h"
+#import "SIGCertificate.h"
+#import "SIGError.h"
+#import "SIGIdentity.h"
+#import "SIGKey.h"
+#import "SIGSHA2SigningAlgorithm.h"
+
+@implementation SIGArchiveBuilder {
+    long long _offset;
+}
+
+- (instancetype)initWithPayloadFileURL:(NSURL *)url
+                              identity:(SIGIdentity *)identity {
+    self = [super init];
+    if (self) {
+        _payloadFileURL = url;
+        _identity = identity;
+    }
+    return self;
+}
+
+#pragma mark - API
+
+- (BOOL)writeToURL:(NSURL *)url
+             error:(out NSError * _Nullable __autoreleasing *)error {
+    NSData *signature = [self signature:error];
+    if (!signature) {
+        return NO;
+    }
+    
+    NSData *certificate = _identity.signingCertificate.data;
+    if (!certificate) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeNoCertificate];
+        }
+        return NO;
+    }
+
+    NSOutputStream *writeStream = [NSOutputStream outputStreamWithURL:url append:NO];
+    if (!writeStream) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeIOWrite detail:@"Could not create write stream"];
+        }
+        return NO;
+    }
+    [writeStream open];
+    
+    if (![self writeHeaderToStream:writeStream error:error]) {
+        return NO;
+    }
+    if (![self writeMetadataToStream:writeStream error:error]) {
+        return NO;
+    }
+    if (![self writePayloadToStream:writeStream error:error]) {
+        return NO;
+    }
+    if (![self writeSignature:signature toStream:writeStream error:error]) {
+        return NO;
+    }
+    if (![self writeCertificate:certificate toStream:writeStream error:error]) {
+        return NO;
+    }
+    [writeStream close];
+    return YES;
+}
+
+#pragma mark - Write Chunks
+
+- (BOOL)writeHeaderToStream:(NSOutputStream *)stream error:(out NSError * _Nullable __autoreleasing *)error {
+    NSData *data = [SIGArchiveHeaderMagicString dataUsingEncoding:NSUTF8StringEncoding];
+    const NSInteger desiredLength = data.length;
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagHeader
+                                                                             length:desiredLength
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeData:data
+                                  toStream:stream
+                                     error:error];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
+
+- (BOOL)writePayloadToStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)errorOut {
+    NSInputStream *readStream = [[NSInputStream alloc] initWithURL:_payloadFileURL];
+    if (!readStream) {
+        return NO;
+    }
+    [readStream open];
+    
+    NSError *error = nil;
+    NSInteger length = [[NSFileManager defaultManager] attributesOfItemAtPath:_payloadFileURL.path error:&error].fileSize;
+    if (length <= 0 || error != nil) {
+        if (errorOut) {
+            *errorOut = [SIGError errorWrapping:error
+                                         code:SIGErrorCodeIORead
+                                         detail:@"Error checking file size"];
+        }
+        return NO;
+    }
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagPayload
+                                                                             length:length
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeStream:readStream
+                                    toStream:writeStream
+                                       error:errorOut];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
+
+- (BOOL)writeMetadataToStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
+    NSArray<NSString *> *fields = @[ @"version=1",
+                                     @"digest-type=SHA2" ];
+    NSString *metadata = [fields componentsJoinedByString:@"\n"];
+    NSData *data = [metadata dataUsingEncoding:NSUTF8StringEncoding];
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagMetadata
+                                                                             length:data.length
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeData:data
+                                  toStream:writeStream
+                                     error:error];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
+
+- (BOOL)writeSignature:(NSData *)signature toStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagSignature
+                                                                             length:signature.length
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeData:signature
+                                  toStream:writeStream
+                                     error:error];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
+
+- (BOOL)writeCertificate:(NSData *)certificate toStream:(NSOutputStream *)writeStream error:(out NSError * _Nullable __autoreleasing *)error {
+    SIGArchiveChunkWriter *chunkWriter = [[SIGArchiveChunkWriter alloc] initWithTag:SIGArchiveTagCertificate
+                                                                             length:certificate.length
+                                                                             offset:_offset];
+    const BOOL ok = [chunkWriter writeData:certificate
+                                  toStream:writeStream
+                                     error:error];
+    _offset += chunkWriter.chunkLength;
+    return ok;
+}
+
+#pragma mark - Signing
+
+- (id<SIGSigningAlgorithm>)signingAlgorithm:(out NSError **)error {
+    id<SIGSigningAlgorithm> algorithm = [[SIGSHA2SigningAlgorithm alloc] init];
+    if (!algorithm) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeAlgorithmCreationFailed];
+        }
+    }
+    return algorithm;
+}
+
+- (NSData *)signature:(out NSError **)error {
+    id<SIGSigningAlgorithm> algorithm = [self signingAlgorithm:error];
+    if (!algorithm) {
+        return nil;
+    }
+
+    NSInputStream *readStream = [NSInputStream inputStreamWithFileAtPath:_payloadFileURL.path];
+    if (!readStream) {
+        if (error) {
+            *error = [SIGError errorWithCode:SIGErrorCodeIORead];
+        }
+        return nil;
+    }
+    
+    return [algorithm signatureForInputStream:readStream
+                                usingIdentity:_identity
+                                        error:error];
+}
+
+@end