Solution to 7-day signing for Yalu may be coming: avoid other methods!

Those of you who have jailbroken in recent times, with either yalu1011, yalu102, Home Depotor Pangu 9.2-9.3.3, can’t have failed to notice a new feature of these tools which jailbreakers never had to contend with before.

I’m not referring to the semi-untether here, but rather to the installing of a profile on your device which signs the jailbreak app for a certain amount of time. iOS 10 jailbreakers particularly have felt the irritation of this limitation, but all that may be about to change, based on some tentative words from Cydia creator Jay Freeman (Saurik).

At the same time, other workarounds for the seven-day signing limit have started surfacing; these are almost all a bad idea, and should be avoided.

As you can see from the above Reddit comment, Saurik appears to confirm here that he is now working on a “much more interesting solution” to the certification issue which has plagued jailbreakers in recent times.

To give some background information on the problem being faced: in days of yore jailbreaks tended to be easier to achieve, and consequently, tended to obtain persistence in the form of an untether. This meant that they were already jailbroken on boot, and so did not require a re-jailbreaking app to be installed on the device, meaning that the certification issue never arose. An untethered jailbroken device also does not need its apps to be signed anyway (think AppSync), so even if it did need a jailbreak app on it, the certification issue would not have arisen. Of course, on an untethered jailbreak a jailbreak app would have no purpose, so the point would be moot.

All this changed with iOS 9 and 10. As iOS’ security was hardened, and especially with the inclusion of KPP, jailbreaks became harder to achieve, particularly the ability to gain persistence between reboots. Jailbreak developers consequently avoided the untether issue by booting unjailbroken, and re-jailbreaking each time. This necessitated re-jailbreaking apps, and because these apps are only used when the device is in an unjailbroken state, they needed to be signed to be run.

Pangu 9.2-9.3.3 made this fairly painless by providing a one-year enterprise certificate, and more recently, Luca Todesco cut the strings completely by offering a browser-based exploit which obviated the need for a certificate at all. It is on the Home Depot and Yalu jailbreaks that so far users have been bound by Apple’s seven-day signing limits.

A Reddit thread discussing the need for a solution to this quandary unexpectedly saw Saurik weigh in with the comment shown above, which he followed up with the statement below:

It seems Saurik and an unknown developer are working on a solution which completely circumvents the signing issue, and which Saurik has claimed we will “enjoy or be amused by”. This seems to imply a novel or imaginative solution to the restrictions Apple has enforced.

Yalu developer Luca Todesco has also commented, offering his advice on the topic:

A word of caution about third-party hacks

Both developers warn against using more shady methods. There are date-tricks, which can mess up other settings on your device; illegal websites which add your device to someone else’s developer account; and tweaks which circumnavigate the signing requirements, but can endanger your jailbreak.

All of these methods have risks, and should be avoided. You should especially steer clear of versions of the jailbreak from sources other than Luca Todesco’s site. These may have been tampered with, and are not under Todesco’s control. Similarly, services which install a signing profile on your device which you do not control should not be used. They give an unknown entity the ability to install and run unverified apps on your device.

Given that Saurik has said it may well be “the last time” you have to use Cydia Impactor to re-sign the jailbreak app, it stands to reason (given the length of signing) that his solution may well be out within a week, or at least in the very near future. There is therefore no need to resort to other methods.

This is great news for iOS 10 jailbreakers everywhere, meaning that the Yalu jailbreaks will reach parity in terms of convenience with Pangu 9.2-9.3.3. It has yet to be seen whether this fix will be a general method for avoiding signing which can be applied to any jailbreak, including Home Depot, or whether it is specific to the Yalu release, but I would tentatively suggest the former.

While we wait to see the nature of this certification fix, be patient, do not hassle Saurik or Luca Todesco, and avoid using the more sketchy methods mentioned above. It is not worth endangering your jailbreak for the sake of one more week’s use of Cydia Impactor.

Are you waiting until a long-term solution to signing is out before you move to iOS 10.2? I know I am. How are you finding using Impactor at the moment? Let me know your thoughts in the comments.