From a30533e7b593a6a7c8a3e9e0d0f4e5ce888590c3 Mon Sep 17 00:00:00 2001 From: Michael Kirk Date: Fri, 3 Nov 2017 09:52:04 -0400 Subject: [PATCH 1/7] Add GTSGIAG3 to censorship circumvention trust store openssl x509 -outform der -in GIAG3.pem -out GIAG3.crt // FREEBIE --- Podfile.lock | 2 +- Signal.xcodeproj/project.pbxproj | 1 + SignalServiceKit.podspec | 3 +- .../src/Network/OWSSignalService.m | 67 +++++++++++++----- .../Security/PinningCertificate/GTSGIAG3.crt | Bin 0 -> 1120 bytes 5 files changed, 52 insertions(+), 21 deletions(-) create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt diff --git a/Podfile.lock b/Podfile.lock index 3ae641b9b..05cec605f 100644 --- a/Podfile.lock +++ b/Podfile.lock @@ -168,7 +168,7 @@ SPEC CHECKSUMS: PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96 SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c - SignalServiceKit: bfac5572f3a1ff8a853ead9b5413274a075f3cb4 + SignalServiceKit: 1594ae26a08129175c6ca91690602aa47898f24c SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559 TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c diff --git a/Signal.xcodeproj/project.pbxproj b/Signal.xcodeproj/project.pbxproj index 324703f87..5a1e56b02 100644 --- a/Signal.xcodeproj/project.pbxproj +++ b/Signal.xcodeproj/project.pbxproj @@ -2090,6 +2090,7 @@ "${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle", "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer", "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt", ); name = "[CP] Copy Pods Resources"; outputPaths = ( diff --git a/SignalServiceKit.podspec b/SignalServiceKit.podspec index b71357df1..5c2cf8eae 100644 --- a/SignalServiceKit.podspec +++ b/SignalServiceKit.podspec 
@@ -28,7 +28,8 @@ An Objective-C library for communicating with the Signal messaging service. s.source_files = 'SignalServiceKit/src/**/*.{h,m,mm}' s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer', - 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt'] + 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt'] s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h' s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' } diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m index 037ab126c..90fee8fb0 100644 --- a/SignalServiceKit/src/Network/OWSSignalService.m +++ b/SignalServiceKit/src/Network/OWSSignalService.m @@ -5,6 +5,7 @@ #import "OWSSignalService.h" #import "NSNotificationCenter+OWS.h" #import "OWSCensorshipConfiguration.h" +#import "OWSError.h" #import "OWSHTTPSecurityPolicy.h" #import "TSAccountManager.h" #import "TSConstants.h" 
@@ -259,35 +260,63 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = #pragma mark - Google Pinning Policy ++ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error +{ + if (!name.length) { + OWSFail(@"%@ expected name with length > 0", self.tag); + *error = OWSErrorMakeAssertionError(); + return nil; + } + + NSString *path = [NSBundle.mainBundle pathForResource:name ofType:@"crt"]; + if (![[NSFileManager defaultManager] fileExistsAtPath:path]) { + OWSFail(@"%@ Missing certificate for name: %@", self.tag, name); + *error = OWSErrorMakeAssertionError(); + return nil; + } + + NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error]; + + if (*error != nil) { + OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path); + return nil; + } + + if (certData.length == 0) { + OWSFail(@"%@ empty certData for name: %@", self.tag, name); + return nil; + } + + DDLogVerbose(@"%@ read cert data with name: %@ length: %lu", self.tag, name, (unsigned long)certData.length); + return certData; +} + /** * We use the Google Pinning Policy when connecting to our censorship circumventing reflector, * which is hosted on Google. 
*/ -+ (AFSecurityPolicy *)googlePinningPolicy { ++ (AFSecurityPolicy *)googlePinningPolicy +{ static AFSecurityPolicy *securityPolicy = nil; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ NSError *error; - NSString *path = [NSBundle.mainBundle pathForResource:@"GIAG2" ofType:@"crt"]; - - if (![[NSFileManager defaultManager] fileExistsAtPath:path]) { - @throw [NSException - exceptionWithName:@"Missing server certificate" - reason:[NSString stringWithFormat:@"Missing signing certificate for service googlePinningPolicy"] - userInfo:nil]; + NSData *GIAG2CertData = [self certificateDataWithName:@"GIAG2" error:&error]; + if (error) { + DDLogError(@"%@ Failed to get GIAG2 certificate data with error: %@", self.tag, error); + @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" + reason:error.description + userInfo:nil]; } - - NSData *googleCertData = [NSData dataWithContentsOfFile:path options:0 error:&error]; - if (!googleCertData) { - if (error) { - @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:@"Couln't read google pinning cert" userInfo:nil]; - } else { - NSString *reason = [NSString stringWithFormat:@"Reading google pinning cert faile with error: %@", error]; - @throw [NSException exceptionWithName:@"OWSSignalServiceHTTPSecurityPolicy" reason:reason userInfo:nil]; - } + NSData *GTSGIAG3CertData = [self certificateDataWithName:@"GTSGIAG3" error:&error]; + if (error) { + DDLogError(@"%@ Failed to get GIAG3 certificate data with error: %@", self.tag, error); + @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" + reason:error.description + userInfo:nil]; } - - NSSet *certificates = [NSSet setWithObject:googleCertData]; + + NSSet *certificates = [NSSet setWithArray:@[ GIAG2CertData, GTSGIAG3CertData ]]; securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates]; }); return securityPolicy; 
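Review bot: `certificateDataWithName:error:` writes `*error = OWSErrorMakeAssertionError();` without checking that `error` is non-NULL, tests `*error != nil` instead of the return value of `dataWithContentsOfFile:options:error:`, and returns nil for empty data without setting any error. Because `googlePinningPolicy` only tests `if (error)`, the empty-file case reaches the `@[ GIAG2CertData, GTSGIAG3CertData ]` literal with a nil element instead of raising the intended `OWSSignalService_UnableToReadCertificate` exception. Guard every out-parameter write, branch on `!certData`, and populate the error on the empty-data path so that a missing or truncated pin always fails the same way. The two call sites in `googlePinningPolicy` should likewise test the returned data rather than the error.

```objc
+ (nullable NSData *)certificateDataWithName:(NSString *)name error:(NSError **)error
{
    if (!name.length) {
        OWSFail(@"%@ expected name with length > 0", self.tag);
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
        return nil;
    }

    // … unchanged: bundle path lookup and fileExistsAtPath check; guard its *error write the same way …

    NSData *_Nullable certData = [NSData dataWithContentsOfFile:path options:0 error:error];

    // Branch on the return value; *error is only meaningful once the call has failed.
    if (!certData) {
        OWSFail(@"%@ Failed to read cert file with path: %@", self.tag, path);
        return nil;
    }

    if (certData.length == 0) {
        OWSFail(@"%@ empty certData for name: %@", self.tag, name);
        if (error) {
            *error = OWSErrorMakeAssertionError();
        }
        return nil;
    }

    // … unchanged: verbose log and return certData …
```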
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt new file mode 100644 index 0000000000000000000000000000000000000000..ffb1a0ff9ae57f1cd25324a04d5bf82fe7937c23 GIT binary patch literal 1120 zcmXqLVu>+mVs=@;%*4pV#LM`2rGd6II z*qB3ExP`^tbMliCbAmI|^Av*e^Gg(*9TjvHf{YA>4Fo|dxP-Y7Dqw=l$btrP;=G3D z24;q)20&n96eZ4UWN2sv=Ng0fHT%r)1 zT2z*qoLX$CYM=~~XBL)$%6sOOq!#6+mMA!umSp4?WtLPbxEmWZF)AT@i;n7 zny>veMLHU|`z_=evLtF`_fEI2sCD%;^LISE=s{VyO@?7*%E`RzfpTew7p3S_9(bO5 zIIJZ&$~pJ+EGC6Z@1-&?ZkSuV=z&&3YJlPS-<$RK3wAi@ZS@r3=gPY?{nvh-`K*@Q z5h3f@roA}Y$0)XEg_N)3(a94R$t~>u^zUGYisxc?@1w$ucbA6?WhQCA{-^Lh^S9N~ z4|SUF-cA$yzEOU`lL@L1jG34j85kEgF@i!$-+&Joq_X^sjQ?3!fa#;nKo-PTWf3zF zVdKzdV`ODzXJ&-6m<)tK(!wC+90qJaiiwc{qJ@t|j76mU(2jsv>1Aabbq}>&XkJja ztZtXLfjmfyGK++PScAyyN9^J0GI9s9*zQGcnWcOGj%1sjfho*y+K(8P>Q!gEuH1yMpi;N76K<3J`Xd3|aEKpsb+@=Usn_QHGsuZkV z4=8M457MK+VqsurV8X_h-pB*Y5e8ZY8ZaA~7{z2jrW6CMgxgk>T999yS(0B=sgInn zfcXWOuoxL+ws%f@68v`eo7*dl80YIOKAXGNNvM4Dj%O#CgAx>~!_|)oZnaP6ov9NY zbxMir?!4Xd-X8Y-Ot#&MEv~Y;U;nSk=scV9=-Rb7heLf@-`|T|He2Fg@YP6EbW+*x zx_QB`4we0}T-)(4ZIaqcnIjfwJ%2g3e~7&n=G%C^{^Oy$8+`vA*2=4ypBM8s$!X@p z?`H2rdUO;XyG@TOXFjmtm{-SN2c`C+D2Z2dmL8Ad=y}4rq;_YEX?&+y7@vc!(2L!s zMQ_)0g!ygQt+#Uali#v-+{q_qdrx#p3qK&TW!i^3I^p&~ENiE(s`b6_iD&*ChZomE Vi+9=FpKzKXT2V0l&|4$9djL9mhAIF6 literal 0 HcmV?d00001 From 11e07370a979a64d85b62075e4fda93e127983b8 Mon Sep 17 00:00:00 2001 From: Michael Kirk Date: Fri, 3 Nov 2017 10:15:17 -0400 Subject: [PATCH 2/7] more logging // FREEBIE --- SignalServiceKit/src/Network/OWSSignalService.m | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m index 90fee8fb0..1156dcd0a 100644 --- a/SignalServiceKit/src/Network/OWSSignalService.m +++ b/SignalServiceKit/src/Network/OWSSignalService.m 
@@ -158,7 +158,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = - (AFHTTPSessionManager *)signalServiceSessionManager { if (self.isCensorshipCircumventionActive) { - DDLogInfo(@"%@ using reflector HTTPSessionManager", self.tag); + DDLogInfo(@"%@ using reflector HTTPSessionManager via: %@", self.tag, self.domainFrontingBaseURL); return self.reflectorSignalServiceSessionManager; } else { return self.defaultSignalServiceSessionManager; @@ -218,7 +218,7 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = - (AFHTTPSessionManager *)CDNSessionManager { if (self.isCensorshipCircumventionActive) { - DDLogInfo(@"%@ using reflector CDNSessionManager", self.tag); + DDLogInfo(@"%@ using reflector CDNSessionManager via: %@", self.tag, self.domainFrontingBaseURL); return self.reflectorCDNSessionManager; } else { return self.defaultCDNSessionManager; From 39e3e9b44f68bf12a830089ad07fa259dc96e5e2 Mon Sep 17 00:00:00 2001 From: Michael Kirk Date: Fri, 3 Nov 2017 10:49:19 -0400 Subject: [PATCH 3/7] use .com when in US // FREEBIE --- Signal/src/ViewControllers/OWSCountryMetadata.m | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Signal/src/ViewControllers/OWSCountryMetadata.m b/Signal/src/ViewControllers/OWSCountryMetadata.m index 758a538d0..542100141 100644 --- a/Signal/src/ViewControllers/OWSCountryMetadata.m +++ b/Signal/src/ViewControllers/OWSCountryMetadata.m @@ -779,8 +779,8 @@ NS_ASSUME_NONNULL_BEGIN googleDomain:@"google.co.ug" countryCode:@"UG"], [OWSCountryMetadata countryMetadataWithName:@"United States" - tld:@".us" - googleDomain:@"google.us" + tld:@".com" + googleDomain:@"google.com" countryCode:@"US"], [OWSCountryMetadata countryMetadataWithName:@"Uruguay" tld:@".uy" From 6c13d46be21be782cd8f09320a29ebb619cc8a53 Mon Sep 17 00:00:00 2001 
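Review bot: The new `via: %@` argument in `signalServiceSessionManager`, and the identical change in `CDNSessionManager`, writes the fronting URL to the info-level log on every accessor call. Judging by the later patch in this series, that value can be a manually specified domain and otherwise appears to be derived from the local number, so any log a user shares would carry it. Consider logging it once when circumvention is switched on, or lowering the level: `DDLogVerbose(@"%@ using reflector HTTPSessionManager via: %@", self.tag, self.domainFrontingBaseURL);`. Both method bodies continue outside their hunks.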
From: Michael Kirk Date: Fri, 3 Nov 2017 10:49:37 -0400 Subject: [PATCH 4/7] use manually specified censorship host // FREEBIE --- SignalServiceKit/src/Network/OWSSignalService.m | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m index 1156dcd0a..b43c84b19 100644 --- a/SignalServiceKit/src/Network/OWSSignalService.m +++ b/SignalServiceKit/src/Network/OWSSignalService.m @@ -187,13 +187,18 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = // Target fronting domain OWSAssert(self.isCensorshipCircumventionActive); - NSString *frontingHost = [self.censorshipConfiguration frontingHost:localNumber]; + + NSURL *baseURL; + if (self.isCensorshipCircumventionManuallyActivated && self.manualCensorshipCircumventionDomain.length > 0) { - frontingHost = self.manualCensorshipCircumventionDomain; - }; - NSURL *baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]]; - OWSAssert(baseURL); + baseURL = [[NSURL alloc] initWithString:[NSString stringWithFormat:@"https://%@", self.manualCensorshipCircumventionDomain]]; + } + if (baseURL == nil) { + baseURL = [[NSURL alloc] initWithString:[self.censorshipConfiguration frontingHost:localNumber]]; + } + + OWSAssert(baseURL); return baseURL; } From 92557bf3efe9cf4340d5b487811139b1d2a26d06 Mon Sep 17 00:00:00 2001 From: Matthew Chen Date: Fri, 3 Nov 2017 11:57:30 -0400 Subject: [PATCH 5/7] Bump build to 2.18.0.8. // FREEBIE --- Signal/Signal-Info.plist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Signal/Signal-Info.plist b/Signal/Signal-Info.plist index 6a8e88db9..7cb958790 100644 --- a/Signal/Signal-Info.plist +++ b/Signal/Signal-Info.plist @@ -55,7 +55,7 @@ CFBundleVersion - 2.18.0.7 + 2.18.0.8 ITSAppUsesNonExemptEncryption LOGS_EMAIL From 81cff837ae4219ac0f9ee7494e1122d592ace4e1 Mon Sep 17 00:00:00 2001 
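Review bot: `manualCensorshipCircumventionDomain` is interpolated into `@"https://%@"` with no check that it is a bare host name. A value containing `/`, `@` or a port therefore parses to a URL whose host differs from what was stored, and a value that fails to parse silently falls back to the configured fronting host. Reject anything that does not round-trip, e.g. `if (![baseURL.host isEqualToString:self.manualCensorshipCircumventionDomain]) { baseURL = nil; }`, and log a warning when the fallback is taken so the user's choice is not dropped invisibly. The manual branch also prepends a scheme while the fallback passes the result of `frontingHost:` straight to `initWithString:`; if that method returns a bare host, the two branches build different kinds of URL, which is worth confirming. The enclosing method starts before the hunk.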
From: Michael Kirk Date: Fri, 3 Nov 2017 13:46:52 -0400 Subject: [PATCH 6/7] Include root certs from pki.goog // FREEBIE --- Podfile.lock | 2 +- Signal.xcodeproj/project.pbxproj | 7 +++- SignalServiceKit.podspec | 8 +++- .../src/Network/OWSSignalService.m | 38 +++++++++++------- .../src/Security/PinningCertificate/GSR2.crt | Bin 0 -> 958 bytes .../src/Security/PinningCertificate/GSR4.crt | Bin 0 -> 485 bytes .../Security/PinningCertificate/GTSGIAG3.crt | Bin 1120 -> 0 bytes .../src/Security/PinningCertificate/GTSR1.crt | Bin 0 -> 1374 bytes .../src/Security/PinningCertificate/GTSR2.crt | Bin 0 -> 1374 bytes .../src/Security/PinningCertificate/GTSR3.crt | Bin 0 -> 528 bytes .../src/Security/PinningCertificate/GTSR4.crt | Bin 0 -> 526 bytes 11 files changed, 37 insertions(+), 18 deletions(-) create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GSR2.crt create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GSR4.crt delete mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt create mode 100644 SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt diff --git a/Podfile.lock b/Podfile.lock index 05cec605f..697c914ed 100644 --- a/Podfile.lock +++ b/Podfile.lock @@ -168,7 +168,7 @@ SPEC CHECKSUMS: PureLayout: 4d550abe49a94f24c2808b9b95db9131685fe4cd Reachability: 33e18b67625424e47b6cde6d202dce689ad7af96 SAMKeychain: 483e1c9f32984d50ca961e26818a534283b4cd5c - SignalServiceKit: 1594ae26a08129175c6ca91690602aa47898f24c + SignalServiceKit: b84d80de0bfd5f863994a1ce1f5b742b91c46cb5 SocketRocket: dbb1554b8fc288ef8ef370d6285aeca7361be31e SQLCipher: 43d12c0eb9c57fb438749618fc3ce0065509a559 TwistedOakCollapsingFutures: f359b90f203e9ab13dfb92c9ff41842a7fe1cd0c 
diff --git a/Signal.xcodeproj/project.pbxproj b/Signal.xcodeproj/project.pbxproj index 5a1e56b02..506e2b93a 100644 --- a/Signal.xcodeproj/project.pbxproj +++ b/Signal.xcodeproj/project.pbxproj @@ -2090,7 +2090,12 @@ "${PODS_ROOT}/SAMKeychain/Support/SAMKeychain.bundle", "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/textsecure.cer", "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt", - "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR2.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GSR4.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt", + "${PODS_ROOT}/../SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt", ); name = "[CP] Copy Pods Resources"; outputPaths = ( diff --git a/SignalServiceKit.podspec b/SignalServiceKit.podspec index 5c2cf8eae..8c9bfd872 100644 --- a/SignalServiceKit.podspec +++ b/SignalServiceKit.podspec 
@@ -29,7 +29,13 @@ An Objective-C library for communicating with the Signal messaging service. s.resources = ['SignalServiceKit/src/Security/PinningCertificate/textsecure.cer', 'SignalServiceKit/src/Security/PinningCertificate/GIAG2.crt', - 'SignalServiceKit/src/Security/PinningCertificate/GTSGIAG3.crt'] + 'SignalServiceKit/src/Security/PinningCertificate/GSR2.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GSR4.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt', + 'SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt'] + s.prefix_header_file = 'SignalServiceKit/src/TSPrefix.h' s.xcconfig = { 'OTHER_CFLAGS' => '$(inherited) -DSQLITE_HAS_CODEC' } diff --git a/SignalServiceKit/src/Network/OWSSignalService.m b/SignalServiceKit/src/Network/OWSSignalService.m index b43c84b19..ad31ebbcc 100644 --- a/SignalServiceKit/src/Network/OWSSignalService.m +++ b/SignalServiceKit/src/Network/OWSSignalService.m 
@@ -305,23 +305,31 @@ NSString *const kNSNotificationName_IsCensorshipCircumventionActiveDidChange = static AFSecurityPolicy *securityPolicy = nil; static dispatch_once_t onceToken; dispatch_once(&onceToken, ^{ - NSError *error; - NSData *GIAG2CertData = [self certificateDataWithName:@"GIAG2" error:&error]; - if (error) { - DDLogError(@"%@ Failed to get GIAG2 certificate data with error: %@", self.tag, error); - @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" - reason:error.description - userInfo:nil]; - } - NSData *GTSGIAG3CertData = [self certificateDataWithName:@"GTSGIAG3" error:&error]; - if (error) { - DDLogError(@"%@ Failed to get GIAG3 certificate data with error: %@", self.tag, error); - @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" - reason:error.description - userInfo:nil]; + + NSMutableSet *certificates = [NSMutableSet new]; + + // GIAG2 cert plus root certs from pki.goog + NSArray *certNames = @[ @"GIAG2", @"GSR2", @"GSR4", @"GTSR1", @"GTSR2", @"GTSR3", @"GTSR4" ]; + + for (NSString *certName in certNames) { + NSError *error; + NSData *certData = [self certificateDataWithName:certName error:&error]; + if (error) { + DDLogError(@"%@ Failed to get %@ certificate data with error: %@", self.tag, certName, error); + @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" + reason:error.description + userInfo:nil]; + } + + if (!certData) { + DDLogError(@"%@ No data for certificate: %@", self.tag, certName); + @throw [NSException exceptionWithName:@"OWSSignalService_UnableToReadCertificate" + reason:error.description + userInfo:nil]; + } + [certificates addObject:certData]; } - NSSet *certificates = [NSSet setWithArray:@[ GIAG2CertData, GTSGIAG3CertData ]]; securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModeCertificate withPinnedCertificates:certificates]; }); return securityPolicy; 
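Review bot: In the new `if (!certData)` branch `error` is necessarily nil, because the preceding `if (error)` would already have thrown, so `reason:error.description` raises an exception with no reason; use `reason:[NSString stringWithFormat:@"No data for certificate: %@", certName]`. The pin set also grows from intermediates to GIAG2 plus six roots. Assuming `AFSSLPinningModeCertificate` accepts a chain that contains any pinned certificate, every certificate issued under those roots will now satisfy the pin for the reflector host, a much wider trust boundary than before. If that is the intended trade-off against intermediate rotation, say so above `certNames`, e.g. `// Pinned to Google roots so intermediate rotation does not break the reflector; trust is as wide as these roots.` Since the `.crt` files arrive as binary patches, recording each certificate's SHA-256 fingerprint beside its name would let a reviewer check the bundled DER against what pki.goog publishes.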
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GSR2.crt b/SignalServiceKit/src/Security/PinningCertificate/GSR2.crt new file mode 100644 index 0000000000000000000000000000000000000000..4d937187ede7ff4298754f14e5399502f844f389 GIT binary patch literal 958 zcmXqLV%}xY#I$GuGZP~d6E_P35HRw$sXgO0;AP{~YV&CO&dbQi%F1BiW2j&t$HpAW z!YwTBo|B)Hm=m0to~IC$pI@Tj?5Lot5M*R1Y#<0y!6nRvPyrKUMiw-X6X!KBGc+zmHFpYDPz}E}G_kLH`6?d!&>ZtZw zcFJ>E+=}HrQG$D_nqKegdAWJbG*$NLUNg1W^|#2C@9*N@%2XpgZO74_RyupG3GI9x zS^MY$TU&gbXVzBBxDJyydn$N1X0+t2IP1M-K`l?E?}r__rxj0K&55pkxInXI;m^xc zJWs16O;p%(m;36?Ge2Lcb7>b(JT_N)&56@59xV8xKcUx3U|cJ ze=wOVaC%qNx%I2BeqY78Dq-)PoALLHRwf9?F)*I=`enc56+5#cQ(x05=0mglnV1xMeab8n24W4^4Mt6mzzAeynAsTIE|W36ZQ`2;UOQa4S2wOv_rG>< zhm3Q@W}aDpUg_B6B})5xYkr;2Dyw#I$IE7hB-d>#IVSI1Y3waA>(Gz(4!_%X3r(aB zhTL+qe{flAb#92#SF5D63i-Px$JdDU|DrA7C*cV9Tr zASvT|K)2_`58WjtVV*}>xB83T%X6u)Y+q5g`*Wql#NA)==N|mfW7-qT`1^3~&i5|4 zm2QT0T>n-!9sK`(b)LeJfRpiaeP@gJ@H}Naxxg{2IQZAnfGv5d{J(u9zWfck*_XNT rg&_aEjvK#aJ-@HIH}$+i#i0bD+o}#dS%2!BEF4mVzRzoXI9U$>x7>1) literal 0 HcmV?d00001 
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GSR4.crt b/SignalServiceKit/src/Security/PinningCertificate/GSR4.crt new file mode 100644 index 0000000000000000000000000000000000000000..160d545fc28b8cebba1b65d475f09a4544933af4 GIT binary patch literal 485 zcmXqLVti=O#Mr)onTe5!Nl?pTiOe)EmU~W{G?sF|Fqy$*z{SR))#h=|mW7$gAiz+? zK#7exl!aSZ+C3*fDKRHFGd)ki)!A7gC_leM!P!wkS0Tv6P}o2aq>4+J3!w@o$c!v# zAScdiXk=(;XlwumQR2MD76yifmIlU#CI;qFG_Wz!K$wjk>?0;dsMnYo*_oXfSauw% zyxgCo$~RxnQc{L_$+}rjE!jE6P9<;L+4iF={9yPwr(eYjzo$C=mpjO?DX*CC|8d2q z5=&OyEVN&7W#_pb*~Lx<4hDQckIV8iGX7@)1{foo0Y8W@4C1pIFas$AS&#r9ix`VY z$cE~*t~(w%)c@wn`@PTjq|M@%tH{C4?7?8*%B09}XVSt2!pqJxZ+Lb@ar%T`BH_Bs zZ{FEl&O5atr)+mVs=@;%*4pV#LM`2rGd6II z*qB3ExP`^tbMliCbAmI|^Av*e^Gg(*9TjvHf{YA>4Fo|dxP-Y7Dqw=l$btrP;=G3D z24;q)20&n96eZ4UWN2sv=Ng0fHT%r)1 zT2z*qoLX$CYM=~~XBL)$%6sOOq!#6+mMA!umSp4?WtLPbxEmWZF)AT@i;n7 zny>veMLHU|`z_=evLtF`_fEI2sCD%;^LISE=s{VyO@?7*%E`RzfpTew7p3S_9(bO5 zIIJZ&$~pJ+EGC6Z@1-&?ZkSuV=z&&3YJlPS-<$RK3wAi@ZS@r3=gPY?{nvh-`K*@Q z5h3f@roA}Y$0)XEg_N)3(a94R$t~>u^zUGYisxc?@1w$ucbA6?WhQCA{-^Lh^S9N~ z4|SUF-cA$yzEOU`lL@L1jG34j85kEgF@i!$-+&Joq_X^sjQ?3!fa#;nKo-PTWf3zF zVdKzdV`ODzXJ&-6m<)tK(!wC+90qJaiiwc{qJ@t|j76mU(2jsv>1Aabbq}>&XkJja ztZtXLfjmfyGK++PScAyyN9^J0GI9s9*zQGcnWcOGj%1sjfho*y+K(8P>Q!gEuH1yMpi;N76K<3J`Xd3|aEKpsb+@=Usn_QHGsuZkV z4=8M457MK+VqsurV8X_h-pB*Y5e8ZY8ZaA~7{z2jrW6CMgxgk>T999yS(0B=sgInn zfcXWOuoxL+ws%f@68v`eo7*dl80YIOKAXGNNvM4Dj%O#CgAx>~!_|)oZnaP6ov9NY zbxMir?!4Xd-X8Y-Ot#&MEv~Y;U;nSk=scV9=-Rb7heLf@-`|T|He2Fg@YP6EbW+*x zx_QB`4we0}T-)(4ZIaqcnIjfwJ%2g3e~7&n=G%C^{^Oy$8+`vA*2=4ypBM8s$!X@p z?`H2rdUO;XyG@TOXFjmtm{-SN2c`C+D2Z2dmL8Ad=y}4rq;_YEX?&+y7@vc!(2L!s zMQ_)0g!ygQt+#Uali#v-+{q_qdrx#p3qK&TW!i^3I^p&~ENiE(s`b6_iD&*ChZomE Vi+9=FpKzKXT2V0l&|4$9djL9mhAIF6 
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR1.crt new file mode 100644 index 0000000000000000000000000000000000000000..c0310642c08c8930b7b3c7330bf12d77539e33ed GIT binary patch literal 1374 zcmXqLVvRCrVs=`<%*4pVB#`I6@~F2v5APe}3!OV!|u1Q{C0iSrto8JHOv8Gu2QIIl4>mwFa8F)1N?f{~ShxrvFN!JvtW zi>Zl;kzt!4Q@7mXh2^uY@9dvqw|(kz2b+a|n|{_Bu{9Nb`_@zc`^D`&S$fl_FYfXF zsr_x^&vPxZ8-E_1e((LxPm5pf5$cRvzA9+-4`ub!OE%6)zI}aW-3P9?*BQ&c9E)=2 z^%XFF?6*;P@d=3>?>B!qC)}T#qN%FPzHrMWTfKw_=Pz-#?>_7C!S~Ris*bMRyUs^S zUR&S4fqla~!;eh|58T&VmYXBVxAjJynv^TE?S{%FQ#97{*Q-5U!SQd}3!987!S9-_ zIZO-fEVJZF7{4>_sPCwMre_)Tp0q&T+-`Y2u=B$wjsBd}Tb9T~Y zg_p*Af@ZEa+N!x(RcnjK&!UH?QocWH66k#~_fS{IFN?IUKgmBCe^&ghjw%0D*8c0w z{f&H;Q^U9HReOJp@#1SSuHAjyTaO;?3SE79&8vytnr9@J7^(VceN1(^z;tfaInOPx z=GQcDaHxLnyn1=g;{Mvs#$P^5|6lDpe9rs9)*GAqT+f#scYK8i} zI8PCVMGW<`Rw!;;xpC@-r8{}W1aBSB@vw1tP{$i}Hq7SYbk?1xz291T&pBd$DO5O5 zWy7_?UtbRHI`dZg>%T_F8w@jStxl|~nqe-%I+cl;k%4islYxT)A26B9@-s62XJG+m z1~vnJ5MLO?XEk63QU0I87yo|l9B$+J+7C|sz0}7g?^v?5W>w3Tr=R4WnFkro;l7wCyInyCSyYJWA~ci6%)MF-+N!5Klyo+*|}L6JWbEfUl96{km6X*QOV6i@v)a6P9JX^s%P}&yL#Py{$_&M#g=~dU$u?w-lFk&jOnj z(~b$+eLm;@ZjOe$>aG84(x%=u<&Sx;;xlv{zT20+}Nx+-K!?5Xp7~A?d7K{ z|7KcEGJl(Ak?L0WGGT9J$Mkp$p)c>&M>m~lyZUfuZV$_+vR$6v@?Pf3#V>fT-c;uB zW7*}17=9h6TTaKSJ4}uryx}_gpxx0#*_+7$p5IJbvmQts&2wMv=%hLOTLSMT!^_Dt zlqW|qG|us?p{IzMhLx@Cxmo?H&l(C7wYOHE`Kc<__|PzZ z;o>^6C3D2Grc3NCD_Y7uPuA?2{zCnI1rzyKJiGPd$Rvjx)w=4fuWfMokg>FX zO6mWSs23}kYIrywt@P$z(8`^(^Zi1@Nx$EJ3uNicd9ku&;coHGTmO3U*Vw#imQZl^ zyE=K-7L$$gVrKF@&r&SKeC|B>CwpRLlC8t5Q%6mhwyf*yFgCrTBV2q#{o{qAccs=! Y_hw|IMSnb&>>et!Ybi%y=`s&h0Er}BD*ylh literal 0 HcmV?d00001 
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR2.crt new file mode 100644 index 0000000000000000000000000000000000000000..79e2a480be60cbd7aa27a96251abfe7058d4b9b0 GIT binary patch literal 1374 zcmXqLVvRCrVs=`<%*4pVB#`I6@>ta7=L$y+X4z*1eabiBW#iOp^Jx3d%gD&X%3$Db z$Zf#M#vIDRCd?EXY^Y?Q0OD{7OS!|u1Q{8~iSrto8JHOv8Gu2QIIl4>mwFa8F)1N?f{~ShxrvFN!JvtW zi>Zl;k>T9Ezsr8Vc_U(C!_F3!6Zu`z^zQeAb3<2MK5M;Xa?yLPU%7L?eQ0fnUg!}t z-}318cN%NnpDxP~*?E60W6n(ZBTBOK{}q)#(1~9Egk`^f(E=%x880j|-b_`kE?f94 zb7!mM-p-zXYu}o^D&F(I`O)dxgO|>EZSG~A*X=p^{=w)Ad2t`~4D_1*{MxfcoXg{B z$LyoCv+r#?SK+$HZmaal>!r5_uUH3W8S=G+lh?yyL0M&+@8_f_B7JzY?LC6PbS+s3}<*2995 z8;3F${yfO@a^a);-Jv#RZ11xC&P?hs@SU~SpW91(e>3(hr~CB66RuIQyFPpf7IhpNXsIAwOa zBk{M~_6w)qiT%F3%;(;urB@!^|H>9}Pj9aGmdOUI8qeL8x)WH;>tFEl={7M%$;wU7 zI=M?zPF-EShx4Gs!v9x77Pi{_6;WZ{)P8x%b|z*<2FArs1`Y;%z+@`R&&c?ng$0-y z*bMkVd|?ou)qojD8OVYJ_*lePM0Wo_)u%k)f99#%k201m6;&6PyUB-~%79q~n93L# zwq<@;R{n3^JMPA{4-c$7{?k;}p=tFqmM!;Bf0yNN{!l0E+uQT*v9Z!&%RdhH^BldM zg7=Aae7s~4cO+w`%#5JPJUu{!wHr&?c&_;{|_J>l{H=_}_XluLwet>c({ z{=zq#bY{^+&Yz8yU*7~TnSZjMvAg(4dD)%jMPGS5rB;;Pn>0J+$7Y?Q>X+FMa5OBL zG3hbmG^SNd@A|EeUd-h(HYl#x=^rAtpPPN*l9*?wPsX(L^FI(R*QryhyLH6-_Hwau z_6=uCUlciAo7ytBt@+cF31>OouXHmP+=@EJ?DXZW`JxZf0U_ReH(KsVYRqhOU&kqJ z?{V>P{-X^E;$Pn>GcCQv5S=?=^}9tcrLA8ccTsok%bx#rNz0z{pV`yb*af;S5?pqs z^&MBnC%XWPDwQNTaRu|-EZ^;%vrqn667hB0?>T-FyQeZeU$}NQ`#ZC2l}naw2PZcN zTxxV%5uX&UvpXlHgCp;~a7g@J-6QGAm(O>a@1Lvi<#$!{>;-a-3;~Cp@F+zF3A}X< zYiIZ&60}^ldvebrU$=VoV}-L-?mfBH*3Da&t#I(byoaebvKB9U(b{dr&LOkwYk%l0 ziPE~KZyM7sDi$v^b>VKXjh+*iuO&Y1VzY8bTJE#9M+HXuK}ye0Jg+~ZlMt(ac>O$A X*267K+yClt1o=1JUHsun8z&P0@xWTd literal 0 HcmV?d00001 
diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR3.crt new file mode 100644 index 0000000000000000000000000000000000000000..310219dfa956b8ac16752f89ea95c10e1b993d87 GIT binary patch literal 528 zcmXqLV&XAqVw|{unTe5!Ng&UCJkHs&Ff$vt8*&?P zvN4CUun9AT1{*3FD1bOz!jkU!`RO^S3L!CsYPX($*IK(K0eNdA_hVrHO#`? z?jgYnLHYS53PHvOa^k#(W(H|pmZF|x60H?lA&F()yw z$om_&8*6qgY`J&(xMGB3=c}-}+TN|lWPQ~4)T;#+fvqRG5YpEeX)~) zg8?7VE`M}hrI(PPU<}2@9d^eRLC~o4K6LX77nu57&S32y? zNI3d%M~L-7GjY`$2loQC%rl)-(yAKxRpm`ekV?Q(`P(l}pDcUxrYY}ht3>dN9gk;e Uu9|kaS^4CW>cq`wm|nyJ0COp=ApigX literal 0 HcmV?d00001 diff --git a/SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt b/SignalServiceKit/src/Security/PinningCertificate/GTSR4.crt new file mode 100644 index 0000000000000000000000000000000000000000..13d993b9e85009d8c276340f3e375fcab5568907 GIT binary patch literal 526 zcmXqLV&XDrVw|{unTe5!Ng&UC<%#Yo+g|Lp*1EB1)4`brTx=X#Z64=rS(up(+zq)6 zIN6v(S=fY`LW2#J3=}{dE@4Uc{QUHsRE3bD(&7?@;MAhB%;eN!1s@-0LlFZZkQ!!T zZugL2g`oWW5``cW137VCLo)+2BO?Pah!W>DM&?q_qA~*kHg>T4nHbqvwHsL&l$etk zSU#5&FVE;sSm(UM^k}0&wYTTo-v<-VJ-g?&H~VU$gy}kmyT#u-CmKY(wt3fDv&f;$ zdgZYl?l-iaPnwuj{BmQF<$TTgi)LJokBewa Date: Fri, 3 Nov 2017 13:55:33 -0400 Subject: [PATCH 7/7] Bump build to 2.18.0.9. // FREEBIE --- Signal/Signal-Info.plist | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Signal/Signal-Info.plist b/Signal/Signal-Info.plist index 7cb958790..88a652edb 100644 --- a/Signal/Signal-Info.plist +++ b/Signal/Signal-Info.plist @@ -55,7 +55,7 @@ CFBundleVersion - 2.18.0.8 + 2.18.0.9 ITSAppUsesNonExemptEncryption LOGS_EMAIL