In iOS 15, Apple introduced signed shortcuts. Ever since then I have wanted a way to sign shortcuts on more platforms than macOS, such as Linux and possibly from the web using webasm.

It has now been more than 2 years since I started my decompilation of WorkflowKit and extraction/signing related methods. At the time, no one was looking into signed shortcuts, and still at the time of writing I don't believe anyone else is. (If someone else is though, please tell me!). I have gone from not knowing anything about how signing itself works to knowing every part of how shortcuts deals with signed shortcuts and exactly how, from signing, to verification, to extraction, which lead me to find and get credited for CVE-2024-27821.

No one else is looking into signed shortcuts, and sadly my work has not really received much recognition as other reversing apple projects such as OpenAirDrop, I assume because not many people care that much about signed shortcuts. Still, even if no one else currently does, I do still see a need for my work, which does give me enough motivation to occasionally keep moving forward, even if I still do sometimes get worried I am working on something no one will use. Why I see potential in bringing shortcuts signing open source and cross platform, when no one else does, is seeing how the shortcuts community is dealing with signed shortcuts. Taylor's project Jellycuts needs a macOS server to be able to sign shortcuts, and so does electricmilk's Cherri project. So, why is that not good enough?

The problem comes in how this is done. Signed shortcuts by themselves are done to prevent malicious actors; if someone uploads a malicious shortcut, Apple can prevent that person from signing shortcuts by refusing to give out signatures to them. Using a macOS server for shortcut signing will make everyone signing a shortcut under your server be signed under you; meaning if someone uploads a malicious shortcut, Apple may ban the entirety of your server. I am not saying that doing this is bad; it's sadly the best option right now, and, well, the only option. I have a lot of respect for those who host shortcut signing servers to pay for them out of pocket as a service for the community and users of their products.

However, we do need another solution for Linux users that does not involve macOS servers, as if Apple ever decides to ban one of these services we should have a backup option. We should also provide a standard library to interact with signed shortcut files, as everything Apple does in WorkflowKit is private and closed source.

I started development on libshortcutsign about a year ago as a way for applications to interact with signed shortcut files, that being to sign them via locally dumped private keys, extract the unsigned shortcut from them, or verify a shortcut. However, while I have technically done all of these, my main goal with libshortcutsign was to provide an implementation that did not require proprietary Apple frameworks, which I was not doing at the time. Every function except auth data dumping required macOS, which I deemed a failure on my part. This is because signed shortcuts relied on yet another new Apple technology that no one had reversed yet and at the time, no one wanted to reverse; Apple Encrypted Archive, using the libAppleArchive library.

I initially deemed creating an entire library for Apple Archive too daunting of a task, and initially gave up. However, I don't know what it was, but something inside me wanted to go back, feeling like what I did was unfinished but that I could indeed do it if I wanted. So, I began work on libNeoAppleArchive, a cross platform Apple Archive parser written entirely in C. This is the big change that started for me to look back at libshortcutsign and realize my goal now is much more achievable.

Since then, I have made extraction methods cross platform, a huge feat for libshortcutsign, as well as made a (currently not yet stable) resign function. The future of libshortcutsign is moving towards a new, cross platform future, where I hope to get the entire library cross platform eventually, as well as provide it prebuilt on some Linux distros so in the future you could hopefully get it using apt, pacman, brew, etc.

However, it's becoming more and more obvious to me that if I want to achieve my goal of opening up signed shortcuts and make it easier for developers and users, a library alone will not cut it. I need a full on CLI tool, which is why I'm happy to announce `shortcut-sign`. This idea has been thought about by me for months, but I never considered libshortcutsign ready enough for me to start it.

shortcut-sign is a CLI tool for macOS and Linux that I want to use libshortcutsign to be able to sign shortcuts using locally dumped private keys, extract shortcuts from signed shortcuts, verify signature of shortcuts, and resign shortcuts. I also hope to make easily buildable on WebAssembly so someone can build and use it on a-Shell on iOS.

Another thing I want to achieve with libshortcutsign/shortcut-sign with webassembly is having a site running libshortcutsign and having a user being able to sign shortcuts on a statically hosted site. I hope that my projects will come to use and, once finished, be appreciated.

Take a look at the source:

One thing I am currently missing is contributors to help out on libshortcutsign. If you want to contribute, it is greatly apprieciated!