X-Git-Url: https://git.saurik.com/apple/security.git/blobdiff_plain/e3d460c9de4426da6c630c3ae3f46173a99f82d8..ce3c8656732c924baf7e88df75eab50891bdc471:/OSX/libsecurity_codesigning/lib/signer.cpp

diff --git a/OSX/libsecurity_codesigning/lib/signer.cpp b/OSX/libsecurity_codesigning/lib/signer.cpp
index 387f68b5..b0e14edb 100644
--- a/OSX/libsecurity_codesigning/lib/signer.cpp
+++ b/OSX/libsecurity_codesigning/lib/signer.cpp
@@ -546,13 +546,15 @@ void SecCodeSigner::Signer::signArchitectureAgnostic(const Requirement::Context
 
 	// write out all CodeDirectories
 	cdSet.populate(writer);
-	writer->flush();
 
 	CFRef<CFArrayRef> hashes = cdSet.hashBag();
 	CFTemp<CFDictionaryRef> hashDict("{cdhashes=%O}", hashes.get());
 	CFRef<CFDataRef> hashBag = makeCFData(hashDict.get());
 	CFRef<CFDataRef> signature = signCodeDirectory(cdSet.primary(), hashBag);
 	writer->signature(signature);
+	
+	// commit to storage
+	writer->flush();
 }
 
 
@@ -600,7 +602,8 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
 	
 	writer.addDiscretionary(builder);
 	
-	if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0) {
+#if 0 // rdar://problem/25720754
+	if ((signingFlags() & (kSecCSSignOpaque|kSecCSSignV1)) == 0 && builder.hashType() != kSecCodeSignatureHashSHA1) {
 		// calculate sorted list of top SuperBlob keys in this EmbeddedSignatureBlob (if any)
 		// (but not for opaque or V1 construction, which must remain bit-for-bit compatible)
 		std::vector<Endian<uint32_t> > slotVector;
@@ -615,6 +618,7 @@ void SecCodeSigner::Signer::populate(CodeDirectory::Builder &builder, DiskRep::W
 		writer.component(cdTopDirectorySlot, cfSlotVector);
 		builder.specialSlot(cdTopDirectorySlot, cfSlotVector);
 	}
+#endif
 }