On Mac OS X we need to cryptographically sign our UPX-compressed application in order to placate the gatekeeper/quarantine feature of OS X 10.7 and later.
However, the codesign(1) tool refuses to sign the compressed binary, complaining:
can't allocate code signature data for: (for architecture i386) because larger updated load commands do not fit (the program must be relinked using a larger -headerpad value)
Is there a way to get UPX to leave space in the compressed binary for a signature? The linker manpage for -headerpad states:
Specifies the minimum amount of space ("padding") following the headers for the MH_EXECUTE format and all output file types with the dynamic linker. value is a hexadecimal number. When a segment's size is rounded up to the segment alignment, there is extra space left over, which is placed between the headers and the sections, rather than at the end of the segment. The headerpad option specifies the minimum size of this padding, which can be useful if the headers will be altered later.
(From http://sourceforge.net/p/upx/discussion/6806/thread/f084d602/)
What is the meaning of "which is placed between the headers and the sections, rather than at the end of the segment"? Please give pseudo code, a diagram, or an actual example (upload ["Add attachments"] the same executable with and without headerpad [and state the value that was used for headerpad]). As I indicated in that "(From ... f084d602/)" thread, I believe that UPX already leaves enough space for code signing, and it has worked in the past. So far I have not seen an actual example where the existing code fails. Please give an actual concrete example.
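To make the quoted manpage sentence concrete, the following is an added example (not part of the thread and not UPX or codesign code) that measures the gap between the end of the load commands and the first file content in a thin little-endian Mach-O, and compares it with the 16 bytes an LC_CODE_SIGNATURE load command occupies. The names header_pad and build_sample are hypothetical, the sample binary is constructed, and taking the lowest section offset as the end of the padding is a simplifying assumption, not a statement of how codesign computes it.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19
SIG_CMD_SIZE = 16  # sizeof(struct linkedit_data_command), used by LC_CODE_SIGNATURE

def header_pad(data):
    """Return (end_of_load_commands, lowest_content_offset, free_bytes)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC:    # header size, segment cmd, address fields, section fields, section size
        hdr, seg_cmd, seg_fmt, sect_fmt, sect_size = 28, LC_SEGMENT, "<4I", "<32x3I", 68
    elif magic == MH_MAGIC_64:
        hdr, seg_cmd, seg_fmt, sect_fmt, sect_size = 32, LC_SEGMENT_64, "<4Q", "<32x2QI", 80
    else:
        raise ValueError("not a thin little-endian Mach-O")
    ncmds, sizeofcmds = struct.unpack_from("<2I", data, 16)
    end_cmds, lowest, off = hdr + sizeofcmds, len(data), hdr
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > end_cmds:
            raise ValueError("malformed load command")
        if cmd == seg_cmd:
            # cmd, cmdsize, segname[16], vmaddr, vmsize, fileoff, filesize, maxprot, initprot, nsects, flags
            _, _, fileoff, filesize = struct.unpack_from(seg_fmt, data, off + 24)
            prot = off + 24 + struct.calcsize(seg_fmt)   # offset of maxprot
            nsects, = struct.unpack_from("<I", data, prot + 8)
            for i in range(nsects):
                _, size, s_off = struct.unpack_from(sect_fmt, data, prot + 16 + i * sect_size)
                if size and s_off:                       # zerofill sections have offset 0
                    lowest = min(lowest, s_off)
            if nsects == 0 and filesize and fileoff:     # sectionless segment not mapping the header
                lowest = min(lowest, fileoff)
        off += cmdsize
    return end_cmds, lowest, lowest - end_cmds

def build_sample(section_offset):
    """Constructed 32-bit MH_EXECUTE: one __TEXT segment holding one __text section."""
    sect = struct.pack("<16s16s9I", b"__text", b"__TEXT", 0x1000 + section_offset,
                       16, section_offset, 0, 0, 0, 0, 0, 0)
    seg = struct.pack("<2I16s8I", LC_SEGMENT, 56 + len(sect), b"__TEXT",
                      0x1000, 0x1000, 0, 0x1000, 7, 5, 1, 0)
    head = struct.pack("<7I", MH_MAGIC, 7, 3, 2, 1, len(seg) + len(sect), 0)
    return (head + seg + sect).ljust(0x1000, b"\0")

if __name__ == "__main__":
    for s_off in (0x100, 0x98):  # padded header vs. section placed right after the load commands
        end, low, free = header_pad(build_sample(s_off))
        print(f"cmds end {end:#x}, content at {low:#x}, free {free}, fits: {free >= SIG_CMD_SIZE}")
```

Running it against the same executable before and after compression gives the two numbers the reply asks for: where the load commands end and how much room follows them.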