Reconsider Xcode re-signing instruction. #376

Open
r-plus opened this issue Apr 20, 2021 · 3 comments

r-plus commented Apr 20, 2021

The current Xcode re-signing step is for disabling the "Library Validation" feature, since Xcode 8.

This is the codesign information for the original Xcode and the re-signed Xcode.

original 12.4

```
Executable=/Applications/Xcode_12.4.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=89179fda01d07ba9862d293b896020a0b3516de6
CandidateCDHashFull sha256=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
Hash choices=sha256
CMSDigest=89179fda01d07ba9862d293b896020a0b3516de69e03f4885f58239c24ea6a40
CMSDigestType=2
CDHash=89179fda01d07ba9862d293b896020a0b3516de6
Signature size=4547
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist entries=44
TeamIdentifier=59GAB85EFG
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=68
```

re-signed 12.4

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=4d8e4e0d729d83a8afe1da4155560c764b23a821
CandidateCDHashFull sha256=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
Hash choices=sha256
CMSDigest=4d8e4e0d729d83a8afe1da4155560c764b23a82128ad61e11d8d1b863b230742
CMSDigestType=2
CDHash=4d8e4e0d729d83a8afe1da4155560c764b23a821
Signature size=1604
Authority=XcodeSigner
Signed Time=Apr 20, 2021 10:04:14
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=478483
Internal requirements count=1 size=96
```

original old versions

7.3.1 has 0x0(none) flags
```
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20100 size=387 flags=0x0(none) hashes=7+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHashFull sha1=2f2627e806af4be59bb320774a0b200ce6ae27f6
CandidateCDHash sha256=3dc708c9c3e773179aa3b58523a94706f83d176a
CandidateCDHashFull sha256=3dc708c9c3e773179aa3b58523a94706f83d176aeed06e3d3b025079e6fc18ff
Hash choices=sha1,sha256
CMSDigest=63c87bc3848fa4ffec5cadabf519ccd0d9a69253e12ae2f3a17ef16c95ffc320
CMSDigestType=2
CDHash=3dc708c9c3e773179aa3b58523a94706f83d176a
Signature size=4658
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Signed Time=Oct 5, 2019 9:36:14
Info.plist entries=34
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=401974
Internal requirements count=1 size=68
```

The CodeDirectory flags changed to 0x0(none) from flags=0x2000(library-validation),
and TeamIdentifier becomes not set.

In this case, I'm thinking that re-signing with a self-signed cert and simply removing the signature are equivalent.
Neither Xcode (re-signed or with the signature removed) prevents malicious plugins like XcodeGhost any longer, so removing the codesign signature carries the same risk.

Removing the codesign signature from Xcode is simple, faster, and has no expiry period.
NOTE: this does not resolve sign-in to Apple ID via Xcode on Big Sur.

Tested on an Intel Mac.
TBD for M1 Mac.

xcode env load system x64 arm64
re-signed any Xcode Plugin
remove codesign (don't use! this occur `tccd` problem) any Xcode Plugin TBD
original disable library-validation Xcode Plugin TBD TBD
disable library-validation and SIP Xcode Plugin TBD
SIMBL MacForge 1.1.0 not yet support M1

Hmm, is re-signing for tccd process performance...?
In my use case, I could not run an app on the iOS simulator.

@r-plus r-plus changed the title Reconsider Xcode resigning instruction. Reconsider Xcode re-signing instruction. Apr 20, 2021

r-plus commented Apr 20, 2021

I learned why unsigning is not good.
Something gets stuck because of a tccd process issue. inket/update_xcode_plugins#51

@r-plus r-plus closed this as completed Apr 20, 2021

r-plus commented Apr 21, 2021

```
$ sudo codesign -f -s - /Applications/Xcode.app
```
This command will codesign as adhoc.

```
$ codesign -dvvv /Applications/Xcode.app
Executable=/Applications/Xcode.app/Contents/MacOS/Xcode
Identifier=com.apple.dt.Xcode
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=b869b3d9079c8b2ceb427f94a0eb2660470f4073
CandidateCDHashFull sha256=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
Hash choices=sha256
CMSDigest=b869b3d9079c8b2ceb427f94a0eb2660470f40733c9c53a63314685f7e631449
CMSDigestType=2
CDHash=b869b3d9079c8b2ceb427f94a0eb2660470f4073
Signature=adhoc
Info.plist entries=44
TeamIdentifier=not set
Sealed Resources version=2 rules=13 files=477681
Internal requirements count=0 size=12
```

If this approach doesn't have any problems, we can skip creating the self-signed cert (XcodeSigner) for the re-codesign step.
I'll test it for a few days...

NOTE: yes, this will not resolve the login to Apple ID via Xcode issue on Big Sur.

@r-plus r-plus reopened this Apr 21, 2021

r-plus commented Apr 29, 2021

adhoc re-codesigning is no problem in my daily use case.
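
An added example (not part of the issue thread or the project's code): a small Python parser for `codesign -dvvv` output that reports the signer type and whether the library-validation flag is still set, which is the property the three outputs quoted in this thread differ on. The function names and result labels are assumptions of this example; the sample strings are excerpts of the outputs above.

```python
import re

CS_ADHOC = 0x2                  # printed by codesign as flags=0x2(adhoc)
CS_LIBRARY_VALIDATION = 0x2000  # printed as flags=0x2000(library-validation)

def parse_codesign(text):
    """Pull the fields the issue compares out of `codesign -dvvv` output."""
    info = {"flags": None, "authorities": [], "team_id": None, "signature": None}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.startswith("CodeDirectory "):
            m = re.search(r"\bflags=(0x[0-9a-fA-F]+)", line)
            info["flags"] = int(m.group(1), 16) if m else None
        elif key == "Authority":
            info["authorities"].append(value)
        elif key == "TeamIdentifier":
            info["team_id"] = None if value == "not set" else value
        elif key == "Signature":  # "Signature=adhoc"; "Signature size=..." has a different key
            info["signature"] = value
    return info

def assess(text):
    """Classify the signer and report whether library validation is still set."""
    info = parse_codesign(text)
    flags = info["flags"]
    if flags is None:  # no CodeDirectory line found
        signer = "unsigned-or-unparsed"
    elif flags & CS_ADHOC or info["signature"] == "adhoc":
        signer = "adhoc"
    elif info["authorities"][-1:] == ["Apple Root CA"]:
        signer = "apple-chain"  # display string only; `codesign --verify` checks the chain
    else:
        signer = "other-identity"  # e.g. the self-signed XcodeSigner cert
    return {"signer": signer, "team_id": info["team_id"],
            "library_validation": bool(flags and flags & CS_LIBRARY_VALIDATION)}

# Excerpts (relevant lines only) of the three codesign outputs quoted in this issue.
ORIGINAL = """CodeDirectory v=20200 size=722 flags=0x2000(library-validation) hashes=15+5 location=embedded
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
TeamIdentifier=59GAB85EFG"""
RESIGNED = """CodeDirectory v=20400 size=683 flags=0x0(none) hashes=15+3 location=embedded
Authority=XcodeSigner
TeamIdentifier=not set"""
ADHOC = """CodeDirectory v=20400 size=651 flags=0x2(adhoc) hashes=14+3 location=embedded
Signature=adhoc"""

if __name__ == "__main__":
    print({n: assess(o) for n, o in (("original", ORIGINAL), ("re-signed", RESIGNED), ("adhoc", ADHOC))})
```

On a Mac, the same function can be fed live output, which `codesign -dvvv` writes to stderr.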
