Cameron Katri's Manual Page Server

Manual Page Search Parameters
LDID(1) General Commands Manual LDID(1)

ldidLink Identity Editor

ldid [-Acputype:subtype] [-a] [-C[adhoc | enforcement | expires | hard | host | kill | library-validation | restrict | runtime]] [-D] [-d] [-Enum:file] [-e] [-H[sha1 | sha256]] [-h] [-Iname] [-Kfile [-Upassword] [-Xfile]] [-M] [-P[num]] [-Qrequirements] [-q] [-r | -Sfile.xml | -s] [-u] [-w] [-arch arch_type] file ...

ldid adds SHA1 and SHA256 hashes to a Mach-O file so that they can be run on a system that has validation, but not signature verification.

cputype:subtype
When used with -a, -D, -e, -h, -q, or -u, only act on the slice specified by cputype and subtype. cputype and subtype should both be integers.
Print the CPU types and subtypes in hexadecimal.
arch_type
The same as -A, except the name of the architecture is used. The list of currently known arch_types can be found in arch(3). This is a Procursus extension.
[adhoc | enforcement | expires | hard | host | kill | library-validation | restrict | runtime | linker-signed]
Specify the option flags to embed in the code signature. See codesign(1) for details about these options.
Reset the cryptid.
Print the cryptid in the binaries if it exists.
num:file
Embed the hashes of file in the special codesign slot at num.
Print the entitlements in each slice, or the slice specified by -A or -arch to stdout.
[sha1 | sha256]
Disable the hash not specified. This is useful to replicate the default behavior of codesign(1), which only provides a sha256 signature.
Print information about the signature, such as hash types, flags, CDHash, and CodeDirectory version to stdout.
name
Set the identifier used in the binaries signature to name. If not specified, the basename of the binary is used.
file
Sign using the identity in file. Must be either a p12 or pkcs11: URI. This will give the binary a valid signature so that it can be run on a system with signature validation. If the p12 has a password, you will be prompted for it, or you can specify from the command line with -U. To specify the certificate separate from the private key, use -X.
When used with -S, merge the new and existing entitlements instead of replacing the existing entitlements. This is useful for adding a few specific entitlements to a handful of binaries.
[num]
Mark the Mach-O as a platform binary. If num is specified, the platform field in the CodeDirectory will be set to that number. The default number is 13, as per Apple binaries. Specifying the platform using -P is a Procursus extension.
requirements.xml
Embed the requirements found in requirements.
Print embedded requirements of the binaries.
Remove the signature from the Mach-O.
[file.xml]
Pseudo-sign the Mach-O binaries. If file.xml is specified then the entitlements found in file.xml will be embedded in the Mach-O.
Resign the Mach-O binaries while keeping the existing entitlements.
password
Use password as the password for the p12 certificate instead of prompting. This is a Procursus extension.
If the binary was linked against UIKit, then print the UIKit version that the Mach-O binary was linked against.
Shallow sign. Only the main binary of the specified bundle will be signed, as specified by CFBundleIdentifier in Info.plist. Any nested bundles and/or stray binaries will be completely left alone and interpreted at face-value. Applicable only when the signing target is a bundle directory, and not a specific Mach-O file. -w can be used on any bundle, not just the root .app, including frameworks, appexes, and more.
file
Adds file as a certificate to be used when signing. The first file must be the certificate for the signing key, each additional will be added as part of the chain. Must be either DER encoded certificate or pkcs11: URI.

To fakesign file with no entitlements

ldid -S file

To sign file using the key in /path/to/key.p12 with entitlements found in ent.xml, marking it as an adhoc signature

ldid -Cadhoc -K/path/to/key.p12 -Sent.xml file

To add entitlements from ent.xml to the entitlements already in file

ldid -S -Cadhoc,linker-signed file

will fakesign file with no entitlements, and mark it as adhoc and linker-signed signature.

The command:

ldid -Sent.xml -M file

To save the entitlements found in each slice of file to ent.xml

ldid -e file > ent.xml

codesign(1)

The ldid utility was written by Jay ("Saurik") Freeman. iPhoneOS 1.2.0 and 2.0 support was added on April 6, 2008. -S was added on June 13, 2008. SHA256 support was added on August 25, 2016, fixing iOS 11 support. iOS 14 support was added on July 31, 2020 by Kabir Oberai. iOS 15 support was added on June 11, 2021.

January 20, 2022 ldid