Damaged apps can run normally: signature checks are complex

I’ve remarked before how, when the circumstances are right, apps which no longer match their code signatures can run perfectly normally, even though macOS is aware of the error. Since then, Apple has made changes in Mojave 10.14.5 which bring it closer to Catalina, particularly with respect to its handling of notarized apps. This article looks at those changes.

A typical basic app consists of a top-level bundle (folder) with the extension .app, within which there is a single folder named Contents. Inside that are four folders and three files:

_CodeSignature is a folder containing the file CodeResources, a compilation of hashes and other data for all the files within the app, as a dictionary in a property list;
CodeResources is a small file found in notarized apps, and includes the ‘stapled’ notarization ‘ticket’ issued by Apple;
Frameworks contains the .dylib frameworks used by the app;
Info.plist is a key property list containing a lot of information about the app, including its ID and version number;
MacOS is a folder containing the main executable code;
PkgInfo is a tiny file of 8 bytes listing the CLassic file information, normally APPL???? indicating it’s an application;
Resources is a folder which contains all non-executable resources, such as app icons, Interface Builder’s Storyboard for the app, Help book, and so on.

When an app is signed in depth, for example in preparation for its notarization by Apple, each item of executable code is signed individually, the signature being attached to that item, working from the outermost code files into the app bundle itself. Note that only executable code is signed: data in the Resources folder isn’t, but every file has its hash or checksum recorded in the CodeResources file. When a signature is checked thoroughly, that involves checking individual hashes for each item, as well as the whole tree of signatures.

Such thorough checks appear rare, even in macOS 10.14.5, occurring only at first run when the quarantine flag is set. Any changes made to the app, either to executable code or to the contents of the Resources folder, are then detected, and reported to the user in a dialog which advises the app should be placed in the Trash.

More commonly, signature checks ignore the Resources folder and its contents. Provided that an app isn’t in quarantine, tampering with the contents of the Resources folder therefore doesn’t prevent the app from being run normally, without any report of damage. This is even true of sandboxed and notarized apps, and by all accounts remains true in Catalina.

Signature checks also vary in their response to tampering with the Info.plist file and executable code. Even minor change in the Info.plist file should result in the app being crashed with a signing error, when such checks are carried out, which appears to be more frequently than in the past. Checks are normally called when an app is first run by LaunchServices from a path which has not previously been known to LaunchServices, but they can also be performed when an app is run from its normal location in /Applications.

Minor changes in a non-executable section of a signed Mach-O executable file are detected less commonly. I was able to make those changes to a normal signed app which then ran fine afterwards, as did a notarized app. However, making any change to executable code in a sandboxed app results in it being crashed with its sandbox registration invalid because its signatures doesn’t match.

Although the sandboxed app was more sensitive to changes in the Mach-O executable, no differences in behaviour were apparent between the ordinarily signed app and the app which had been notarized. These tests don’t, of course, assess any of the protection afforded by the hardened environment which is a pre-requisite for notarization.

The notarized app which I used for test purposes is my own Cirrus, which like many of my apps now performs its own code integrity check each time it’s opened. In order not to delay the opening of the app unnecessarily, this is currently performed using SecStaticCodeCheckValidityWithErrors() on the whole app bundle, with the check flags set to kSecCSCheckNestedCode with no additional requirements. This successfully detected all attempts at tampering with the contents of the app, including those limited to the Resources folder, and small changes to non-executable parts of the Mach-O executable.

Apple doesn’t currently make clear the precise checks which are performed by different options available for SecStaticCodeCheckValidityWithErrors(), nor how these equate to results returned by the spctl and codesign command tools. My next task is to correlate those so as to detail exactly what the different types of signature check actually do.

If you want any app to undergo the fullest signature check, which includes all its hashes, checksums, and the signatures of each of its executable code files, the most reliable way to do this is to attach a quarantine flag to it. If you don’t fancy doing that in Terminal, my free app xattred will do that at the click of a button. Successful first run after that is a reliable indicator that the entire contents of the app match the signatures given, and the checksums and hashes of each file listed in the CodeResources file. Of course the app may have been re-signed, and the signatures it’s now matching may not be the originals.

4Comments

Add yours

1

Joss on June 24, 2019 at 7:24 am

Another thing to note (according to a WWDC 2019 talk) is that developers shouldn’t codesign the main application with the deep argument, i.e. outside in, but they should perform what Apple calls “inside-out signing”—which is only logical, once you’ve understood how code-signing works—, i.e. start at the deepest level of the bundle, codesign every nested code individually, move up the levels until the next nested bundle, codesign again, and so on until they reach the main bundle, and then codesign the main app as the last step, but never with the deep argument. Furthermore, ./Contents/Resources is not a default code directory, so if you sign a bundle outside-in, any executable code in Resources will not be signed as code, but will only be “signed in” with the hashes into the main bundle’s code resources. So if a developer has e.g. a nested helper app, he shouldn’t put it into Resources, but e.g. into ./Contents/MacOS, or at least do a standalone inside-out codesigning run on the helper app in Resources before signing the main bundle, so when the helper app launches, macOS will at least validate it then. But if the helper app is supposed to be validated at main app launch, then it needs to be in a default code location.

LikeLiked by 1 person
- 2
  
  hoakley on June 24, 2019 at 8:15 am
  
  Thank you.
  Yes, these are important points which aren’t new, but have been required since OS X 10.9. They’re explained in Apple’s now-retired documentation.
  The big difference now is that if the developer doesn’t get this right, notarization will fail.
  Howard.
  
  LikeLike
3

Ben on June 24, 2019 at 8:17 am

There used to be an interesting little flaw with Logic 9 (which I mention only now as it is sufficiently old news).
It was originally offered on disk with a serial number, or as a downloadable demo. Then Apple withdrew the disk and offered an updated version only from the App Store. It was possible to download the demo, and run an updater on it to the latest version, which would only work if you had either the serial, or a CodeSignature for MAS.
Trouble was, to launch, the app only checked that the CodeSignature file was present. So you could simply copy a CodeSignature from any other MAS app, and it would still launch!!!!

LikeLiked by 1 person
- 4
  
  hoakley on June 24, 2019 at 9:09 am
  
  Thank you – fascinating! I suspect that would cause a sandbox error now, or so it should. But without a quarantine flag, who knows what can slip past from the App Store?!
  Howard.
  
  LikeLike

Share this:

Related