apple_codesign/
bundle_signing.rs

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
// This Source Code Form is subject to the terms of the Mozilla Public
// License, v. 2.0. If a copy of the MPL was not distributed with this
// file, You can obtain one at https://mozilla.org/MPL/2.0/.

//! Functionality for signing Apple bundles.

use {
    crate::{
        code_directory::CodeDirectoryBlob,
        code_requirement::{CodeRequirementExpression, RequirementType},
        code_resources::{normalized_resources_path, CodeResourcesBuilder, CodeResourcesRule},
        cryptography::DigestType,
        embedded_signature::{Blob, BlobData},
        error::AppleCodesignError,
        macho::MachFile,
        macho_signing::{write_macho_file, MachOSigner},
        signing::path_identifier,
        signing_settings::{SettingsScope, SigningSettings},
    },
    apple_bundles::{BundlePackageType, DirectoryBundle},
    log::{debug, info, warn},
    simple_file_manifest::create_symlink,
    std::{
        borrow::Cow,
        collections::{BTreeMap, BTreeSet},
        io::Write,
        path::{Path, PathBuf},
    },
};

/// Copy a bundle's contents to a destination directory.
///
/// This does not use the CodeResources rules for a bundle. Rather, it
/// blindly copies all files in the bundle. This means that excluded files
/// can be copied.
///
/// Returns the set of bundle-relative paths that are installed.
pub fn copy_bundle(
    bundle: &DirectoryBundle,
    dest_dir: &Path,
) -> Result<BTreeSet<PathBuf>, AppleCodesignError> {
    let settings = SigningSettings::default();

    let mut context = BundleSigningContext {
        dest_dir: dest_dir.to_path_buf(),
        settings: &settings,
        previously_installed_paths: Default::default(),
        installed_paths: Default::default(),
    };

    for file in bundle
        .files(false)
        .map_err(AppleCodesignError::DirectoryBundle)?
    {
        context.install_file(file.absolute_path(), file.relative_path())?;
    }

    Ok(context.installed_paths)
}

/// A primitive for signing an Apple bundle.
///
/// This type handles the high-level logic of signing an Apple bundle (e.g.
/// a `.app` or `.framework` directory with a well-defined structure).
///
/// This type handles the signing of nested bundles (if present) such that
/// they chain to the main bundle's signature.
pub struct BundleSigner {
    /// All the bundles being signed, indexed by relative path.
    bundles: BTreeMap<Option<String>, SingleBundleSigner>,
}

impl BundleSigner {
    /// Construct a new instance given the path to an on-disk bundle.
    ///
    /// The path should be the root directory of the bundle. e.g. `MyApp.app`.
    pub fn new_from_path(path: impl AsRef<Path>) -> Result<Self, AppleCodesignError> {
        let main_bundle = DirectoryBundle::new_from_path(path.as_ref())
            .map_err(AppleCodesignError::DirectoryBundle)?;
        let root_bundle_path = main_bundle.root_dir().to_path_buf();

        let mut bundles = BTreeMap::default();

        bundles.insert(None, SingleBundleSigner::new(root_bundle_path, main_bundle));

        Ok(Self { bundles })
    }

    /// Find bundles in subdirectories of the main bundle and mark them for signing.
    pub fn collect_nested_bundles(&mut self) -> Result<(), AppleCodesignError> {
        let (root_bundle_path, nested) = {
            let main = self.bundles.get(&None).expect("main bundle should exist");

            let nested = main
                .bundle
                .nested_bundles(true)
                .map_err(AppleCodesignError::DirectoryBundle)?;

            (main.root_bundle_path.clone(), nested)
        };

        self.bundles.extend(
        nested.into_iter()
            .filter(|(k, bundle)| {
                // Our bundle classifier is very aggressive about annotating directories
                // as bundles. Pretty much anything with an Info.plist can get through.
                // We apply additional filtering here so we only emit bundles that can
                // be signed.
                //
                // A better solution here is to use the CodeResources rule
                // based file walker to look for directories with the "nested" flag.
                // If a bundle-looking directory exists outside of a "nested" rule,
                // it probably shouldn't be signed.

                let (has_package_type, has_signable_package_type) = if let Ok(Some(pt)) = bundle.info_plist_key_string("CFBundlePackageType") {
                    (true, pt != "dSYM")
                } else {
                    (false, false)
                };

                let has_bundle_identifier = matches!(bundle.info_plist_key_string("CFBundleIdentifier"), Ok(Some(_)));

                match (has_package_type, has_signable_package_type, has_bundle_identifier)  {
                    (true, false, _) =>{
                        debug!("{k} discarded because its CFBundlePackageType is not signable");
                        false
                    }
                    (true, _, true) => {
                        // It quacks like a bundle.
                        true
                    }
                    (false, _, false) => {
                        // This looks like a naked Info.plist.
                        debug!("{k} discarded as a signable bundle because its Info.plist lacks CFBundlePackageType and CFBundleIdentifier");
                        false
                    }
                    (true, _, false) => {
                        info!("{k} has an Info.plist with a CFBundlePackageType but not a CFBundleIdentifier; we'll try to sign it but we recommend adding a CFBundleIdentifier");
                        true
                    }
                    (false, _, true) => {
                        info!("{k} has an Info.plist with a CFBundleIdentifier but without a CFBundlePackageType; we'll try to sign it but we recommend adding a CFBundlePackageType");
                        true
                    }
                }
            })
            .map(|(k, bundle)| {
                (
                    Some(k),
                    SingleBundleSigner::new(root_bundle_path.clone(), bundle),
                )
            })
        );

        Ok(())
    }

    /// Write a signed bundle to the given destination directory.
    ///
    /// The destination directory can be the same as the source directory. However,
    /// if this is done and an error occurs in the middle of signing, the bundle
    /// may be left in an inconsistent or corrupted state and may not be usable.
    pub fn write_signed_bundle(
        &self,
        dest_dir: impl AsRef<Path>,
        settings: &SigningSettings,
    ) -> Result<DirectoryBundle, AppleCodesignError> {
        let dest_dir = dest_dir.as_ref();

        // We need to sign the leaf-most bundles first since a parent bundle may need
        // to record information about the child in its signature.
        let mut bundles = self
            .bundles
            .iter()
            .filter_map(|(rel, bundle)| rel.as_ref().map(|rel| (rel, bundle)))
            .collect::<Vec<_>>();

        // This won't preserve alphabetical order. But since the input was stable, output
        // should be deterministic.
        bundles.sort_by(|(a, _), (b, _)| b.len().cmp(&a.len()));

        if !bundles.is_empty() {
            if settings.shallow() {
                warn!("{} nested bundles will be copied instead of signed because shallow signing enabled:", bundles.len());
            } else {
                warn!(
                    "signing {} nested bundles in the following order:",
                    bundles.len()
                );
            }
            for bundle in &bundles {
                warn!("{}", bundle.0);
            }
        }

        // We keep track of root relative input paths that have been installed so we can
        // skip installing in case we encounter the path again when signing a parent
        // bundle.
        //
        // If we fail to do this, during non-shallow signing operations we may descend
        // into a child bundle that is outside a directory with the "nested" flag set.
        // Files in non-"nested" directories need to be sealed in CodeResources files
        // as regular files, not bundles. So we need to walk into the child bundle in
        // this scenario. But during the walk we want to prevent already installed files
        // from being processed again.
        //
        // In the case of Mach-O binaries in the above non-"nested" directory scenario,
        // excluding already signed files prevents the Mach-O from being signed again.
        // Signing the Mach-O twice could invalidate the bundle's signature and/or result
        // in incorrect signing settings since a bundle's main binary wouldn't be
        // recognized as such since we're outside the context of that bundle.
        //
        // In all cases, we prevent redundant work installing files if a file is seen
        // twice.
        let mut installed_rel_paths = BTreeSet::<PathBuf>::new();

        for (rel, nested) in bundles {
            let rel_path = PathBuf::from(rel);

            let nested_dest_dir = dest_dir.join(rel);
            warn!("entering nested bundle {}", rel,);

            let bundle_installed_rel_paths = if settings.shallow() {
                warn!("shallow signing enabled; bundle will be copied instead of signed");
                copy_bundle(&nested.bundle, &nested_dest_dir)?
            } else if settings.path_exclusion_pattern_matches(rel) {
                // If we excluded this bundle from signing, just copy all the files.
                warn!("bundle is in exclusion list; it will be copied instead of signed");
                copy_bundle(&nested.bundle, &nested_dest_dir)?
            } else {
                let bundle_installed = installed_rel_paths
                    .iter()
                    .filter_map(|p| {
                        if let Ok(p) = p.strip_prefix(&rel_path) {
                            Some(p.to_path_buf())
                        } else {
                            None
                        }
                    })
                    .collect::<BTreeSet<_>>();

                let info = nested.write_signed_bundle(
                    nested_dest_dir,
                    &settings.as_nested_bundle_settings(rel),
                    bundle_installed,
                )?;

                info.installed_rel_paths
            };

            for p in bundle_installed_rel_paths {
                installed_rel_paths.insert(rel_path.join(p).to_path_buf());
            }

            warn!("leaving nested bundle {}", rel);
        }

        let main = self
            .bundles
            .get(&None)
            .expect("main bundle should have a key");

        Ok(main
            .write_signed_bundle(dest_dir, settings, installed_rel_paths)?
            .bundle)
    }
}

/// Metadata about a signed Mach-O file or bundle.
///
/// If referring to a bundle, the metadata refers to the 1st Mach-O in the
/// bundle's main executable.
///
/// This contains enough metadata to construct references to the file/bundle
/// in [crate::code_resources::CodeResources] files.
pub struct SignedMachOInfo {
    /// Raw data constituting the code directory blob.
    ///
    /// Is typically digested to construct a <cdhash>.
    pub code_directory_blob: Vec<u8>,

    /// Designated code requirements string.
    ///
    /// Typically occupies a `<key>requirement</key>` in a
    /// [crate::code_resources::CodeResources] file.
    pub designated_code_requirement: Option<String>,
}

impl SignedMachOInfo {
    /// Parse Mach-O data to obtain an instance.
    pub fn parse_data(data: &[u8]) -> Result<Self, AppleCodesignError> {
        // Initial Mach-O's signature data is used.
        let mach = MachFile::parse(data)?;
        let macho = mach.nth_macho(0)?;

        let signature = macho
            .code_signature()?
            .ok_or(AppleCodesignError::BinaryNoCodeSignature)?;

        let code_directory_blob = signature.preferred_code_directory()?.to_blob_bytes()?;

        let designated_code_requirement = if let Some(requirements) =
            signature.code_requirements()?
        {
            if let Some(designated) = requirements.requirements.get(&RequirementType::Designated) {
                let req = designated.parse_expressions()?;

                Some(format!("{}", req[0]))
            } else {
                // In case no explicit requirements has been set, we use current file cdhashes.
                let mut requirement_expr = None;

                // We record the 20 byte digests of every code directory in every
                // Mach-O.
                // Note: Apple's tooling appears to always record the x86-64 Mach-O
                // first, even if it isn't first in the universal binary. Since we're
                // dealing with a bunch of OR'd code requirements expressions, we don't
                // believe this difference is worth caring about.
                for macho in mach.iter_macho() {
                    for (_, cd) in macho
                        .code_signature()?
                        .ok_or(AppleCodesignError::BinaryNoCodeSignature)?
                        .all_code_directories()?
                    {
                        let digest_type = if cd.digest_type == DigestType::Sha256 {
                            DigestType::Sha256Truncated
                        } else {
                            cd.digest_type
                        };

                        let digest = digest_type.digest_data(&cd.to_blob_bytes()?)?;
                        let expression = Box::new(CodeRequirementExpression::CodeDirectoryHash(
                            Cow::from(digest),
                        ));

                        if let Some(left_part) = requirement_expr {
                            requirement_expr = Some(Box::new(CodeRequirementExpression::Or(
                                left_part, expression,
                            )))
                        } else {
                            requirement_expr = Some(expression);
                        }
                    }
                }

                Some(format!(
                    "{}",
                    requirement_expr.expect("a Mach-O should have been present")
                ))
            }
        } else {
            None
        };

        Ok(SignedMachOInfo {
            code_directory_blob,
            designated_code_requirement,
        })
    }

    /// Resolve the parsed code directory from stored data.
    pub fn code_directory(&self) -> Result<Box<CodeDirectoryBlob<'_>>, AppleCodesignError> {
        let blob = BlobData::from_blob_bytes(&self.code_directory_blob)?;

        if let BlobData::CodeDirectory(cd) = blob {
            Ok(cd)
        } else {
            Err(AppleCodesignError::BinaryNoCodeSignature)
        }
    }

    /// Resolve the notarization ticket record name for this Mach-O file.
    pub fn notarization_ticket_record_name(&self) -> Result<String, AppleCodesignError> {
        let cd = self.code_directory()?;

        let digest_type: u8 = cd.digest_type.into();

        let mut digest = cd.digest_with(cd.digest_type)?;

        // Digests appear to be truncated at 20 bytes / 40 characters.
        digest.truncate(20);

        let digest = hex::encode(digest);

        // Unsure what the leading `2/` means.
        Ok(format!("2/{digest_type}/{digest}"))
    }
}

/// Holds state and helper methods to facilitate signing a bundle.
pub struct BundleSigningContext<'a, 'key> {
    /// Settings for this bundle.
    pub settings: &'a SigningSettings<'key>,
    /// Where the bundle is getting installed to.
    pub dest_dir: PathBuf,
    /// Bundle relative paths of files that have already been installed.
    ///
    /// The already-present destination file content should be used for sealing.
    pub previously_installed_paths: BTreeSet<PathBuf>,
    /// Bundle relative paths of files that are installed by this signing operation.
    pub installed_paths: BTreeSet<PathBuf>,
}

impl<'a, 'key> BundleSigningContext<'a, 'key> {
    /// Install a file (regular or symlink) in the destination directory.
    pub fn install_file(
        &mut self,
        source_path: &Path,
        bundle_rel_path: &Path,
    ) -> Result<PathBuf, AppleCodesignError> {
        let dest_path = self.dest_dir.join(bundle_rel_path);

        if source_path != dest_path {
            // Remove an existing file before installing the replacement. In
            // the case of symlinks this is required due to how symlink creation
            // works.
            if dest_path.symlink_metadata().is_ok() {
                std::fs::remove_file(&dest_path)?;
            }

            if let Some(parent) = dest_path.parent() {
                std::fs::create_dir_all(parent)?;
            }

            let metadata = source_path.symlink_metadata()?;
            let mtime = filetime::FileTime::from_last_modification_time(&metadata);

            if metadata.file_type().is_symlink() {
                let target = std::fs::read_link(source_path)?;
                info!(
                    "replicating symlink {} -> {}",
                    dest_path.display(),
                    target.display()
                );
                create_symlink(&dest_path, target)?;
                filetime::set_symlink_file_times(
                    &dest_path,
                    filetime::FileTime::from_last_access_time(&metadata),
                    mtime,
                )?;
            } else {
                info!(
                    "copying file {} -> {}",
                    source_path.display(),
                    dest_path.display()
                );
                // TODO consider stripping XATTR_RESOURCEFORK_NAME and XATTR_FINDERINFO_NAME.
                std::fs::copy(source_path, &dest_path)?;
                filetime::set_file_mtime(&dest_path, mtime)?;
            }
        }

        // Always record the installation even if we no-op. The intent of the
        // annotation is to mark files that are already present in the destination
        // bundle.
        self.installed_paths.insert(bundle_rel_path.to_path_buf());

        Ok(dest_path)
    }

    /// Sign a Mach-O file and ensure its new content is installed.
    ///
    /// Returns Mach-O metadata which can be recorded in a CodeResources file.

    pub fn sign_and_install_macho(
        &mut self,
        source_path: &Path,
        bundle_rel_path: &Path,
    ) -> Result<(PathBuf, SignedMachOInfo), AppleCodesignError> {
        warn!("signing Mach-O file {}", bundle_rel_path.display());

        let macho_data = std::fs::read(source_path)?;
        let signer = MachOSigner::new(&macho_data)?;

        let mut settings = self
            .settings
            .as_bundle_macho_settings(bundle_rel_path.to_string_lossy().as_ref());

        // When signing a Mach-O in the context of a bundle, always define the
        // binary identifier from the filename so everything is consistent.
        // Unless an existing setting overrides it, of course.
        if settings.binary_identifier(SettingsScope::Main).is_none() {
            let identifier = path_identifier(bundle_rel_path)?;
            info!("setting binary identifier based on path: {}", identifier);

            settings.set_binary_identifier(SettingsScope::Main, &identifier);
        }

        settings.import_settings_from_macho(&macho_data)?;

        let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
        signer.write_signed_binary(&settings, &mut new_data)?;

        let dest_path = self.dest_dir.join(bundle_rel_path);

        info!("writing Mach-O to {}", dest_path.display());
        write_macho_file(source_path, &dest_path, &new_data)?;

        let info = SignedMachOInfo::parse_data(&new_data)?;

        self.installed_paths.insert(bundle_rel_path.to_path_buf());

        Ok((dest_path, info))
    }
}

/// Holds metadata describing the result of a bundle signing operation.
pub struct BundleSigningInfo {
    /// The signed bundle.
    pub bundle: DirectoryBundle,

    /// Bundle relative paths of files that are installed by this signing operation.
    pub installed_rel_paths: BTreeSet<PathBuf>,
}

/// A primitive for signing a single Apple bundle.
///
/// Unlike [BundleSigner], this type only signs a single bundle and is ignorant
/// about nested bundles. You probably want to use [BundleSigner] as the interface
/// for signing bundles, as failure to account for nested bundles can result in
/// signature verification errors.
pub struct SingleBundleSigner {
    /// Path of the root bundle being signed.
    root_bundle_path: PathBuf,

    /// The bundle being signed.
    bundle: DirectoryBundle,
}

impl SingleBundleSigner {
    /// Construct a new instance.
    pub fn new(root_bundle_path: PathBuf, bundle: DirectoryBundle) -> Self {
        Self {
            root_bundle_path,
            bundle,
        }
    }

    /// Write a signed bundle to the given directory.
    pub fn write_signed_bundle(
        &self,
        dest_dir: impl AsRef<Path>,
        settings: &SigningSettings,
        previously_installed_paths: BTreeSet<PathBuf>,
    ) -> Result<BundleSigningInfo, AppleCodesignError> {
        let dest_dir = dest_dir.as_ref();

        warn!(
            "signing bundle at {} into {}",
            self.bundle.root_dir().display(),
            dest_dir.display()
        );

        // Frameworks are a bit special.
        //
        // Modern frameworks typically have a `Versions/` directory containing directories
        // with the actual frameworks. These are the actual directories that are signed - not
        // the top-most directory. In fact, the top-most `.framework` directory doesn't have any
        // code signature elements at all and can effectively be ignored as far as signing
        // is concerned.
        //
        // But even if there is a `Versions/` directory with nested bundles to sign, the top-level
        // directory may have some symlinks. And those need to be preserved. In addition, there
        // may be symlinks in `Versions/`. `Versions/Current` is common.
        //
        // Of course, if there is no `Versions/` directory, the top-level directory could be
        // a valid framework warranting signing.
        if self.bundle.package_type() == BundlePackageType::Framework {
            if self.bundle.root_dir().join("Versions").is_dir() {
                info!("found a versioned framework; each version will be signed as its own bundle");

                // But we still need to preserve files (hopefully just symlinks) outside the
                // nested bundles under `Versions/`. Since we don't nest into child bundles
                // here, it should be safe to handle each encountered file.
                let mut context = BundleSigningContext {
                    dest_dir: dest_dir.to_path_buf(),
                    settings,
                    previously_installed_paths,
                    installed_paths: Default::default(),
                };

                for file in self
                    .bundle
                    .files(false)
                    .map_err(AppleCodesignError::DirectoryBundle)?
                {
                    context.install_file(file.absolute_path(), file.relative_path())?;
                }

                let bundle = DirectoryBundle::new_from_path(dest_dir)
                    .map_err(AppleCodesignError::DirectoryBundle)?;

                return Ok(BundleSigningInfo {
                    bundle,
                    installed_rel_paths: context.installed_paths,
                });
            } else {
                info!("found an unversioned framework; signing like normal");
            }
        }

        let dest_dir_root = dest_dir.to_path_buf();

        let dest_dir = if self.bundle.shallow() {
            dest_dir_root.clone()
        } else {
            dest_dir.join("Contents")
        };

        self.bundle
            .identifier()
            .map_err(AppleCodesignError::DirectoryBundle)?
            .ok_or_else(|| AppleCodesignError::BundleNoIdentifier(self.bundle.info_plist_path()))?;

        let mut resources_digests = settings.all_digests(SettingsScope::Main);

        // State in the main executable can influence signing settings of the bundle. So examine
        // it first.

        let main_exe = self
            .bundle
            .files(false)
            .map_err(AppleCodesignError::DirectoryBundle)?
            .into_iter()
            .find(|f| matches!(f.is_main_executable(), Ok(true)));

        if let Some(exe) = &main_exe {
            let macho_data = std::fs::read(exe.absolute_path())?;
            let mach = MachFile::parse(&macho_data)?;

            for macho in mach.iter_macho() {
                let need_sha1_sha256 = if let Some(targeting) = macho.find_targeting()? {
                    let sha256_version = targeting.platform.sha256_digest_support()?;

                    !sha256_version.matches(&targeting.minimum_os_version)
                } else {
                    true
                };

                if need_sha1_sha256
                    && resources_digests != vec![DigestType::Sha1, DigestType::Sha256]
                {
                    info!(
                        "activating SHA-1 + SHA-256 signing due to requirements of main executable"
                    );
                    resources_digests = vec![DigestType::Sha1, DigestType::Sha256];
                    break;
                }
            }
        }

        info!("collecting code resources files");

        // The set of rules to use is determined by whether the bundle *can* have a
        // `Resources/`, not whether it necessarily does. The exact rules for this are not
        // known. Essentially we want to test for the result of CFBundleCopyResourcesDirectoryURL().
        // We assume that we can use the resources rules when there is a `Resources` directory
        // (this seems obvious!) or when the bundle isn't shallow, as a non-shallow bundle should
        // be an app bundle and app bundles can always have resources (we think).
        let mut resources_builder =
            if self.bundle.resolve_path("Resources").is_dir() || !self.bundle.shallow() {
                CodeResourcesBuilder::default_resources_rules()?
            } else {
                CodeResourcesBuilder::default_no_resources_rules()?
            };

        // Ensure emitted digests match what we're configured to emit.
        resources_builder.set_digests(resources_digests.into_iter());

        // Exclude code signature files we'll write.
        resources_builder.add_exclusion_rule(CodeResourcesRule::new("^_CodeSignature/")?.exclude());
        // Ignore notarization ticket.
        resources_builder.add_exclusion_rule(CodeResourcesRule::new("^CodeResources$")?.exclude());
        // Ignore store manifest directory.
        resources_builder.add_exclusion_rule(CodeResourcesRule::new("^_MASReceipt$")?.exclude());

        // The bundle's main executable file's code directory needs to hold a
        // digest of the CodeResources file for the bundle. Therefore it needs to
        // be handled last. We add an exclusion rule to prevent the directory walker
        // from touching this file.
        if let Some(main_exe) = &main_exe {
            // Also seal the resources normalized path, just in case it is different.
            resources_builder.add_exclusion_rule(
                CodeResourcesRule::new(format!(
                    "^{}$",
                    regex::escape(&normalized_resources_path(main_exe.relative_path()))
                ))?
                .exclude(),
            );
        }

        let mut context = BundleSigningContext {
            dest_dir: dest_dir_root.clone(),
            settings,
            previously_installed_paths,
            installed_paths: Default::default(),
        };

        resources_builder.walk_and_seal_directory(
            &self.root_bundle_path,
            self.bundle.root_dir(),
            &mut context,
        )?;

        let info_plist_data = std::fs::read(self.bundle.info_plist_path())?;

        // The resources are now sealed. Write out that XML file.
        let code_resources_path = dest_dir.join("_CodeSignature").join("CodeResources");
        info!(
            "writing sealed resources to {}",
            code_resources_path.display()
        );
        std::fs::create_dir_all(code_resources_path.parent().unwrap())?;
        let mut resources_data = Vec::<u8>::new();
        resources_builder.write_code_resources(&mut resources_data)?;

        {
            let mut fh = std::fs::File::create(&code_resources_path)?;
            fh.write_all(&resources_data)?;
        }

        // Seal the main executable.
        if let Some(exe) = main_exe {
            warn!("signing main executable {}", exe.relative_path().display());

            let macho_data = std::fs::read(exe.absolute_path())?;
            let signer = MachOSigner::new(&macho_data)?;

            let mut settings = settings
                .as_bundle_main_executable_settings(exe.relative_path().to_string_lossy().as_ref());

            // The identifier for the main executable is defined in the bundle's Info.plist.
            if let Some(ident) = self
                .bundle
                .identifier()
                .map_err(AppleCodesignError::DirectoryBundle)?
            {
                info!("setting main executable binary identifier to {} (derived from CFBundleIdentifier in Info.plist)", ident);
                settings.set_binary_identifier(SettingsScope::Main, ident);
            } else {
                info!("unable to determine binary identifier from bundle's Info.plist (CFBundleIdentifier not set?)");
            }

            settings.set_code_resources_data(SettingsScope::Main, resources_data);
            settings.set_info_plist_data(SettingsScope::Main, info_plist_data);

            // Important: manually override all settings before calling this so that
            // explicitly set settings are always used and we don't get misleading logs.
            // If we set settings after the fact, we may fail to define settings on a
            // sub-scope, leading the overwrite to not being used.
            settings.import_settings_from_macho(&macho_data)?;

            let mut new_data = Vec::<u8>::with_capacity(macho_data.len() + 2_usize.pow(17));
            signer.write_signed_binary(&settings, &mut new_data)?;

            let dest_path = dest_dir_root.join(exe.relative_path());
            info!("writing signed main executable to {}", dest_path.display());
            write_macho_file(exe.absolute_path(), &dest_path, &new_data)?;

            context
                .installed_paths
                .insert(exe.relative_path().to_path_buf());
        } else {
            warn!("bundle has no main executable to sign specially");
        }

        let bundle = DirectoryBundle::new_from_path(&dest_dir_root)
            .map_err(AppleCodesignError::DirectoryBundle)?;

        Ok(BundleSigningInfo {
            bundle,
            installed_rel_paths: context.installed_paths,
        })
    }
}