Last active June 12, 2025 21:04
self-signed-shortcut-tutorial
intermediate.cnf
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_intermediate_ca
prompt = no
[ req_distinguished_name ]
C = US
ST = Snooltopia
L = Snoolcity
O = Snoolie Inc
CN = Snoolie Public Shortcut Signing Intermediate CA
[ v3_intermediate_ca ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
root.cnf
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no
[ req_distinguished_name ]
C = US
ST = Snooltopia
L = Snoolcity
O = Snoolie Inc
CN = Snoolie Public Shortcuts Signing Root Certificate
emailAddress = [email protected]
[v3_req]
subjectKeyIdentifier = hash
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=critical,serverAuth,clientAuth
1.2.840.113635.100.18.1=ASN1:UTF8String:WithLoveFromSnoolie
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = custom OID demonstration
root_sign.cnf
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
basicConstraints = critical,CA:TRUE
keyUsage = critical,digitalSignature,keyCertSign
extendedKeyUsage = critical,serverAuth,clientAuth
1.2.840.113635.100.18.1=ASN1:UTF8String:WithLoveFromSnoolie
subjectAltName = @alt_names
[ alt_names ]
DNS.0 = custom OID demonstration
Tutorial by Snoolie K; it will be available on my blog at https://snoolie.gay/blog soon.
Change intermediate.cnf and root.cnf if you need/want to.
Naming note: in this gist "intermediate" is the self-signed CA, and "root" is the leaf signing certificate that the CA issues (the one carrying the 1.2.840.113635.100.18.1 extension and whose key signs the shortcut). That is why intermediate.cnf uses x509_extensions (it is used with req -x509 to self-sign) while root.cnf uses req_extensions (it is used to make a CSR), and why root_sign.cnf supplies the extensions that go into the issued leaf.
How to:
openssl ecparam -name prime256v1 -genkey -out intermediate.key
openssl req -new -x509 -key intermediate.key -out intermediate.crt -days 355 -config intermediate.cnf
openssl ecparam -name prime256v1 -genkey -out root.key
openssl req -new -key root.key -out root.csr -config root.cnf
openssl x509 -req -in root.csr -CA intermediate.crt -CAkey intermediate.key -CAcreateserial -out root.crt -days 355 -sha256 -extfile root_sign.cnf -extensions v3_req
Then, convert the certificates to DER:
openssl x509 -in root.crt -outform DER -out root.der
openssl x509 -in intermediate.crt -outform DER -out intermediate.der
View the key (openssl prints the priv: scalar and the pub: point) with:
openssl pkey -in root.key -text -noout
Congratulations, you have successfully created your certificate. Now you need to create your auth data.
For your auth data, all you need is a SigningCertificateChain key. This should be an array with two elements: the first is root.der (the leaf) and the second is intermediate.der (the CA).
If you care about accuracy with how Shortcuts generates the auth data, this should be a binary plist, but I believe Shortcuts should also accept auth data as a raw XML plist.
Now, just convert root.key to a raw X9.63 ECDSA private key: the 65-byte uncompressed public point (04 || X || Y) followed by the 32-byte private scalar, i.e. the pub: bytes followed by the priv: bytes that openssl pkey -in root.key -text -noout prints. I don't know a way to do this conversion with openssl itself, so currently I do it by typing it into a hex editor by hand, which is very annoying; I'm sure someone has a better way, but it works.
Then, boom, you can sign with your own certs / auth data using shortcut-sign if you're on Linux or OS X.
If you're on iOS: since signed shortcuts are just AEA, use an AEA creation app. The only one I know of on iOS is my own "Lina - AAR/AEA App" on the iOS App Store. Name your unsigned shortcut "Shortcut.wflow", create an AAR from it, then create an AEA from that AAR. Note that Lina is not specifically for signing shortcuts and is meant for AAR/AEA creation, so I will not be actively fixing shortcut-signing-specific bugs in Lina, but if you find a bug in shortcut-sign/libshortcutsign I will probably fix it.