I do know that code signing (and entitlements, plists, and so forth.) impacts launching of binaries, or getting a activity port(for debugger), however I did not know they have an effect on non-public library operate calling as nicely. Many capabilities in SkyLight.framework are externally usable, as seen in CGSInternal. However some capabilities solely work when they’re known as from an Apple-signed binary.
For instance, the WSInfo executable in SkyLight.framework‘s Assets folder can be utilized to dump some helpful debug data of your home windows. It merely calls SLSSetDebugOptions which in the end calls CGSSetDebugOptionsPSN. Nevertheless it merely will not work for those who copy it out and take away the signature. Signing it utilizing my very own cert doesn’t work both.
My query is, how and the place is that this signature verification completed in apple’s techniques? Does it have something to do with the ‘PSN’ within the operate identify? Why cannot I see any code associated to code signature within the disassembly?
I made some preliminary search however discovered nothing. Perhaps my google-fu is just not ok. Or I do not know the correct key phrases.
Replace: I now have a greater clue. I observed SkyLight’s criticism in Console.app and by looking out that message string I narrowed down on sandbox_check_by_audit_token, however nonetheless do not know the way or if I can add this token(entitlement?) to my very own program.