More actions
Apple Encrypted Archive is a proprietary archive format that can compress, encrypt, and/or sign a file.
Its magic number is the 4 ASCII characters "AEA1". The non-encrypted, unsigned variation of AEA is Apple Archive.
macOS Monterey ships an aea command line tool that can create and extract (decrypt) these archives (see aea manpage).
They can also be handled with public Swift API and private C API in libAppleArchive.dylib.
It's notably used since iOS 15 for signed .shortcut files created in Shortcuts, as well as for the rootFS in iOS 18 IPSWs.
Signed shortcuts are AEA files but they are actually not encrypted. They are profile AEA_PROFILE__HKDF_SHA256_HMAC__NONE__ECDSA_P256 The 32bit size for the AEA context can be found at location 0x8-0xB in the file, and the size plus 0x495c will be the starting location of an LZFSE compressed Apple Archive. (For an example of this, take a look at libshortcutsign's extract_aa_from_aea function. After decompression, the magic number is the 4 ASCII characters "AA01".
iOS 18 / macOS 15 rootFS IPSWs, however, are encrypted. They are profile AEA_PROFILE__HKDF_SHA256_AESCTR_HMAC__SYMMETRIC__NONE. Unlike Shortcuts, since it really wouldn't make sense to sign the encrypted, compressed rootFS by itself, there is no ECDSA-P256 sign checking for this profile.
 | This software article is a stub. Please add more content to this article and remove this tag. |