X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/dbe775057b53a81d9983d810772462c3233fccd3..918dce6758f4f57e8c0b650cb5eead501f6684ca:/OSX/libsecurity_codesigning/lib/signer.cpp
diff --git a/OSX/libsecurity_codesigning/lib/signer.cpp b/OSX/libsecurity_codesigning/lib/signer.cpp
index b5f07c40..eff950ab 100644
--- a/OSX/libsecurity_codesigning/lib/signer.cpp
+++ b/OSX/libsecurity_codesigning/lib/signer.cpp
@@ -429,11 +429,12 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase
 resources.scan(^(FTSENT *ent, uint32_t ruleFlags, const std::string relpath, Rule *rule) {
 bool isSymlink = (ent->fts_info == FTS_SL);
+ bool isNested = (ruleFlags & ResourceBuilder::nested);
 const std::string path(ent->fts_path);
 const std::string accpath(ent->fts_accpath);
 this->state.mLimitedAsync->perform(groupRef, ^{
 CFRef seal;
- if (ruleFlags & ResourceBuilder::nested) {
+ if (isNested) {
 seal.take(signNested(path, relpath));
 } else if (isSymlink) {
 char target[PATH_MAX];
@@ -445,6 +446,10 @@ void SecCodeSigner::Signer::buildResources(std::string root, std::string relBase
 } else {
 seal.take(resources.hashFile(accpath.c_str(), digestAlgorithms(), signingFlags() & kSecCSSignStrictPreflight));
 }
+ if (seal.get() == NULL) {
+ secerror("Failed to generate sealed resource: %d, %d, %s", isNested, isSymlink, accpath.c_str());
+ MacOSError::throwMe(errSecCSBadResource);
+ }
 if (ruleFlags & ResourceBuilder::optional)
 CFDictionaryAddValue(seal, CFSTR("optional"), kCFBooleanTrue);
 CFTypeRef hash;
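Review bot: The new `MacOSError::throwMe(errSecCSBadResource)` in the second hunk is raised from inside the block handed to `this->state.mLimitedAsync->perform(groupRef, ^{ ... })`, and whether that exception reaches the caller of buildResources depends on how perform runs the block; if it is dispatched asynchronously, a C++ exception leaving the block would not be catchable there, so it is worth confirming that perform executes synchronously or marshals the failure back before the group is waited on. The check itself sits after all three seal-producing branches, so the nested, symlink and hashFile paths are all covered, and a NULL seal no longer flows into the `CFDictionaryAddValue(seal, ...)` that follows. The symlink branch and the remainder of the scan block lie outside these hunks. A short comment above the check would help the next reader: `// a NULL seal means this resource could not be hashed or signed; fail the whole signing pass rather than continue with it`.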
@@ -787,7 +792,7 @@ CFDataRef SecCodeSigner::Signer::signCodeDirectory(const CodeDirectory *cd,
 // generate CMS signature
 CFRef cms;
 MacOSError::check(CMSEncoderCreate(&cms.aref()));
- MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRoot));
+ MacOSError::check(CMSEncoderSetCertificateChainMode(cms, kCMSCertificateChainWithRootOrFail));
 CMSEncoderAddSigners(cms, state.mSigner);
 CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256);
 MacOSError::check(CMSEncoderSetHasDetachedContent(cms, true));
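Review bot: The two calls right after the changed line, `CMSEncoderAddSigners(cms, state.mSigner);` and `CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256);`, still discard their OSStatus while every neighbouring CMSEncoder call is wrapped in `MacOSError::check`; now that the chain mode is being tightened to fail rather than emit an incomplete chain, an unchecked failure to add the signer or select SHA-256 is the remaining way for this path to continue with a weaker signature than intended. Wrap them the same way: `MacOSError::check(CMSEncoderAddSigners(cms, state.mSigner));` and `MacOSError::check(CMSEncoderSetSignerAlgorithm(cms, kCMSEncoderDigestAlgorithmSHA256));`. The switch to `kCMSCertificateChainWithRootOrFail` also deserves a one-line comment because it changes what a missing root does; as I read the constant name, something like `// require the complete chain through the root; fail signing rather than emit a truncated chain`. signCodeDirectory begins before this hunk.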