Kordophone/server/README.md

#  Entitlements

You might to enable this default to use private entitlements
```
sudo defaults write /Library/Preferences/com.apple.security.coderequirements Entitlements -string always
```

Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES. 

Included in the project is "kordophoned-RestrictedEntitlements.plist", which contains all necessary restricted entitlements. 
On production macOS builds, the kernel will kill kordophoned immediately if it's signed using restricted entitlements, so agent hook is a
better option when running on prod machines. By default, the project is configured to ignore kordophoned-RestrictedEntitlements.plist when building. 

## Building/linking 
If you get dyld errors running from the command line, use `install_name_tool` to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is).
    `install_name_tool -add_rpath . ./kordophoned`


## Running
You need to hook imagent first to bypass entitlements check. Look at `hookAgent.sh`


## SSL
If you want to run with SSL, you have to generate a self-signed certificate, and have the Mac trust the root cert.

### Generate a root cert
1. Generate root key
    `openssl genrsa -out Kordophone-root.key 4096`
2. Generate root certificate
    `openssl req -x509 -new -nodes -key Kordophone-root.key -sha256 -days 1024 -out Kordophone-root.crt`
3. Add this certificate to the Mac's trust store via Keychain Access. Set to "Always Trust"

### Create signing certificate by signing a new cert with the root cert
1. Generate signing key
    `openssl genrsa -out kp.localhost.key 2048`
2. Create certificate signing request
    `openssl req -new -key kp.localhost.key -out kp.localhost.csr`
3. Sign the cert with the root cert
    `openssl x509 -req -in kp.localhost.csr -CA Kordophone-root.crt -CAkey Kordophone-root.key -CAcreateserial -out kp.localhost.crt -days 365 -sha256`
4. kordophoned works with a signing cert in PKCS12 format. Convert the cert and the privkey to PKCS12
    `openssl pkcs12 -export -in kp.localhost.crt -inkey kp.localhost.key -out certificate.p12 -name "Kordophone"`

### Start kordophone with the SSL options and provide the p12
`kordophoned -s -c certificate.p12`

## Authentication
Basic Authentication is also optional, but requires SSL to be enabled as well. To configure basic authentication, create a file containing your username and password on two separate lines encrypted with your GPG key.

`echo "username\npassword" > password.txt"`
`gpg -e -r (your email) -o password.asc password.txt`

Then run kordophoned with the following option
`kordophone -s -c certificate.p12 -a password.asc`

You may need to unlock your GPG keyring (via gpg-agent) when running kordophoned the first time.
Initial commit Message receiving works, sending sort of works 2018-11-12 20:10:46 -08:00			`# Entitlements`

			`You might to enable this default to use private entitlements`
			```
			`sudo defaults write /Library/Preferences/com.apple.security.coderequirements Entitlements -string always`
			```

			Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES.
Try to not use private entitlements 2018-11-13 22:39:03 -08:00
Don't build using restricted entitlements by default. 2022-08-03 16:56:53 -07:00			`Included in the project is "kordophoned-RestrictedEntitlements.plist", which contains all necessary restricted entitlements.`
			`On production macOS builds, the kernel will kill kordophoned immediately if it's signed using restricted entitlements, so agent hook is a`
			`better option when running on prod machines. By default, the project is configured to ignore kordophoned-RestrictedEntitlements.plist when building.`
Try to not use private entitlements 2018-11-13 22:39:03 -08:00
			`## Building/linking`
			If you get dyld errors running from the command line, use `install_name_tool` to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is).
			`install_name_tool -add_rpath . ./kordophoned`


			`## Running`
			You need to hook imagent first to bypass entitlements check. Look at `hookAgent.sh`
Experimental SSL support 2019-01-22 23:31:36 -08:00

			`## SSL`
			`If you want to run with SSL, you have to generate a self-signed certificate, and have the Mac trust the root cert.`

			`### Generate a root cert`
			`1. Generate root key`
			`openssl genrsa -out Kordophone-root.key 4096`
			`2. Generate root certificate`
			`openssl req -x509 -new -nodes -key Kordophone-root.key -sha256 -days 1024 -out Kordophone-root.crt`
Addendum to README regarding self-signed ssl certs 2019-01-22 23:32:35 -08:00			`3. Add this certificate to the Mac's trust store via Keychain Access. Set to "Always Trust"`
Experimental SSL support 2019-01-22 23:31:36 -08:00
			`### Create signing certificate by signing a new cert with the root cert`
			`1. Generate signing key`
			`openssl genrsa -out kp.localhost.key 2048`
			`2. Create certificate signing request`
			`openssl req -new -key kp.localhost.key -out kp.localhost.csr`
			`3. Sign the cert with the root cert`
			`openssl x509 -req -in kp.localhost.csr -CA Kordophone-root.crt -CAkey Kordophone-root.key -CAcreateserial -out kp.localhost.crt -days 365 -sha256`
			`4. kordophoned works with a signing cert in PKCS12 format. Convert the cert and the privkey to PKCS12`
			`openssl pkcs12 -export -in kp.localhost.crt -inkey kp.localhost.key -out certificate.p12 -name "Kordophone"`

			`### Start kordophone with the SSL options and provide the p12`
			`kordophoned -s -c certificate.p12`

Basic authentication support 2019-01-23 20:26:35 -08:00			`## Authentication`
			`Basic Authentication is also optional, but requires SSL to be enabled as well. To configure basic authentication, create a file containing your username and password on two separate lines encrypted with your GPG key.`

			`echo "username\npassword" > password.txt"`
			`gpg -e -r (your email) -o password.asc password.txt`

			`Then run kordophoned with the following option`
			`kordophone -s -c certificate.p12 -a password.asc`

			`You may need to unlock your GPG keyring (via gpg-agent) when running kordophoned the first time.`
Experimental SSL support 2019-01-22 23:31:36 -08:00