Code signing: confusing and weak?

I owe everyone who has downloaded any of my apps before yesterday an apology: I had messed up the signing of them, which forced you to Open them in the Finder in order to get them past Gatekeeper’s quarantine checks. Let me explain, as it is an object lesson in development and security.

The basic idea behind code signing is simple. Each app (etc.) is signed with the developer’s certificate, issued only by Apple. That signature not only identifies the developer, but it also provides a guarantee that the different components within that app have not been tampered with.

When you download an app from the internet (rather than copy it from removable storage, for example), macOS attaches a quarantine flag to that app. The first time that you open (run) that app, a full check of that app is undertaken; if it is approved, then that app is allowed to run and no further full checks are undertaken. Instead, a quick check of the app is performed each time it is started, which essentially verifies its integrity, and that the certificate hasn’t been revoked by Apple. (That glosses over a lot of detail, but I hope the broad principles are still accurate.)

Prior to Xcode 9 (released last week), there were facilities in Xcode to manage various types of certificate, but they didn’t work properly, and there were significant gaps between the documentation and what actually happened. I found the information on Apple’s website was different again, and the whole matter was greatly confusing. However, Apple recommended that leaving Xcode to manage certificates and signing was by far the best way to address this, and I followed those instructions.

None of this was made any easier by the fact that, although I am one developer, Xcode told me that I was two different entities: a team and a person. Each had their own developer certificates, which I had obtained from Apple and installed in my keychain, as the Xcode feature claimed to do that didn’t work.

codesign01

A glance at my current keychain now shows a whole bunch of different certificates, with three different IDs, each of which is recognisably mine. Until last week, I had two types of certificate:

Mac Developer, which I understood to be used for signing apps distributed independently of the App Store;
Developer ID Installer, which I knew was necessary for signing Installer packages, as used to install my command tools blowhole and unorml.

codesign02

Xcode 8.x never seemed able to show me my certificates, or relate them to the two different entities which it thought me to be. Xcode 9 now does this properly, and one of the entities now shows four of the certificates which I currently hold.

Prior to Xcode 9, I let Xcode manage the signing of my apps, and used a certificate which appeared to work. I tested it in accordance with Apple’s instructions, using the commands
spctl -a -t exec -vv xattred.app
and
codesign --verify --deep --strict --verbose=2 xattred.app

However, neither of those forces the full check which results from quarantine, so in each case I uploaded my Zipped app to this blog, downloaded it, and checked that Gatekeeper responded with the correct check and dialog. This is quite time-consuming when updating more than one app. For the Installer packages, I similarly checked that they installed correctly here, and that the installed command tool worked.

I had sporadic reports that downloaded apps failed quarantine checks, but I was never able to reproduce them here. As they were infrequent, I assumed that there was an issue between that user’s Mac and Apple’s checking system, but could never reproduce that here, or even when I downloaded apps from here onto my Macs away from home.

This week, another report took me to look at signing and my certificates again. As a result, I abandoned allowing Xcode to automatically manage signing for me. I also reviewed the new documentation in Xcode 9, which draws a clear distinction between the nine different types of certificate which are in common use; Apple also has its own certificate types (as used by its system installers), and there are special certificates for KEXTs which aren’t listed here.

codesign03

It now appears that the certificate which I had been using all this time, thanks to Xcode 8’s automatic management, was of the wrong type: for Mac Development, not Developer ID Application. Although I am still unable to get Xcode 9 to use the latter type of certificate using its automatic certificate management, I have created myself a shiny new Developer ID Application certificate and forced that manually.

codesign04

My apps, as delivered from Downloads here, still pass all the tests that I can perform here. Thankfully, as I can place my own quarantine flags using xattred (free from Downloads), I no longer have to upload each app and download it, in order to test it against Gatekeeper’s full checks. But from your comments (thank you), it looks like this has finally fixed the problem: my apps were all correctly signed, but just using the wrong type of certificate.

The irony behind all this is that, whilst app signing is now so complex and prone to failure, correctly signed malware is now the rule, rather than the exception. It does call into question whether such an elaborate system is worth anything in terms of protecting our security.

5Comments

Add yours

1

Charles Wise on September 30, 2017 at 12:22 pm

Worth anything? Yes, of course. It reduces the overall amount of malware by requiring the distributor to obtain a certificate. This is obviously not impossible, but it’s a significant requirement. Both in that a legitimate certificate can be used to help track down the distributor and so can a stolen one. Secondly, it means that the malware is very, very easy to identify without false positives.

LikeLike
- 2
  
  hoakley on September 30, 2017 at 5:39 pm
  
  Up to 18 months or so ago, I agreed with you, and have written to that effect in earlier articles here.
  However, it is easy to get a certificate. I don’t know what the going price is on the black market, but I gather it is considerably cheaper than obtaining one from Apple. But the latter is hardly difficult: you basically need an Apple ID and a credit card number, neither of which presents much of a challenge to The Bad Guys.
  The evidence of this is also now quite abundant: most if not all macOS malware is now signed, and exists in the wild, affecting users, for some time before it is detected and Apple revokes the certificate(s) involved.
  Is malware very, very easy to identify without false positives? Well, those who have run my utilities from here prior to this last week should all have seen false positives, because Xcode’s automatic management didn’t do what it promised. In fact the only positives that I have seen here have been false ones.
  And until an abused certificate has been revoked, there is ample scope for false negatives too. How long did it take to detect XcodeGhost and some other recent malware?
  I’d also love to see evidence that the current byzantine system of more than ten different types of certificate has any effect in terms of improving security. Wouldn’t it be much better to have fewer types of certificate, but a higher barrier to getting any of them in the first place?
  So whereas in the past I had good confidence in certificates giving users good security protection, I think recent evidence bears out the warnings of security experts, that certificates are actually only weak protection, particularly when they are so easily obtained.
  Howard.
  
  LikeLike
3

xz4gb8 on September 30, 2017 at 1:16 pm

This tale illustrates the perils of a developer testing on the same system used for development. Every developer perforce must customize the development environment, thus making it different in many ways from an end user’s system. Certificates are just one of these environmental customizations.

One could conjecture that many software errors are due to forgetting the separation between the development and user environment.

LikeLike
- 4
  
  hoakley on September 30, 2017 at 5:49 pm
  
  I’m not sure that is consistent with my experience reported here.
  I have followed Apple’s instructions for verifying my signing to the letter, and throughout my systems have cleared them through Gatekeeper quarantine. That was even the case when we were in Scotland in late August: I didn’t take my development system, but a MacBook Air which had no developer tools on it. In fact, it had very little on it at all, as I have recently replaced its SSD, and it hasn’t gathered the bits and pieces that would make their way across in time.
  When I downloaded one of my incorrectly-signed apps from here (I didn’t even have that installed), it passed the full Gatekeeper check in the normal way, as if it was correctly signed. That was from an IP address at the other end of the British Isles too!
  I am also puzzled that every one of my apps provided here until this last week has also been incorrectly signed. Yet I have only had a handful of people come back to me and remarked or complained that they did not pass quarantine checking in the usual way. That is also true through prolonged beta-testing, e.g. of Consolation and T2M2.
  Gatekeeper’s full checks don’t appear to be clear and consistent, which is worrying.
  Howard.
  
  LikeLike
5

jdaniel2014 on October 2, 2017 at 1:27 am

There is very little Mac adware and Apple is quick to revoke signatures. There is quite a lot of adware, but very little adware is signed. Unfortunately, it is quite common for people to have completely turned off Gatekeeper. There are many sites on the internet that instruct people to do that in order to install unsigned software and people generally do what they are told, as long as it is dangerous. If the instructions are safe, wild horses can’t pull them to the keyboard.

Almost all of Apple’s developer support resources (at least 95%) are devoted to iOS. Just being a Mac developer puts you into that unloved 5%. If you aren’t a distributing via the Mac App Store, you rate even less. Almost all of those certificates are for App Store and Mac App Store distribution. The funny thing is that since you aren’t distributing via the Mac App Store, you have no idea how truly complex it is. Using a Developer ID certificate is by far the easiest one to use. I’ve never had the “automatic” management work either. Plus, you have to be really careful in Xcode or else it will start creating duplicate certificates. And unless you use your certificate for malware development, Apple will not revoke, or allow you to revoke, a developer ID certificate.

LikeLike

Share this:

Related