Checking signatures with WhatsYourSign

Apple is rightly keen that as many as possible of the apps and other executable components which we download and install are signed. A valid signature is no absolute guarantee of safety, but it greatly reduces the chances of something being malware.

Signatures consist of two parts: a certificate identifying the developer, which Gatekeeper can check against the whitelist database stored on your Mac, and a hash verifying the integrity of the contents. If someone tampers with a correctly signed app, the hash is invalidated, and Gatekeeper will barf over the file.


Gatekeeper goes quite a long way towards checking that installed apps have valid signatures, but it does its checks behind the scenes and only warns us when it detects something wrong. There are ways of obtaining apps and executable components which bypass Gatekeeper, and Gatekeeper is itself not foolproof. It does not ordinarily check software downloaded by BitTorrent clients, in mail attachments, or obtained from network shares or removable drives (including USB Flash drives). If you do want Gatekeeper to run its checks on such downloads, there is no easy way to arrange that, except by resorting to Terminal hackery.

The wise and wary user therefore needs some way of manually checking installers, apps, etc., to ensure that they are correctly signed. There has, of course, been a way to do this all the time – the shell command codesign can be used in Terminal for this purpose. But I’ll hazard a guess that hardly anyone outside of the developer, sysadmin, and security communities ever does. I wrote a little AppleScript droplet for the purpose and posted it here more than a year ago, but it has hardly proved popular.
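The Terminal route mentioned above, as an added example that is neither the author's droplet nor WhatsYourSign's code: a script around codesign and spctl that reports the three things a manual check should cover, whether the seal is intact, who signed the item, and what Gatekeeper would decide. It assumes macOS with codesign and spctl on the PATH; the embedded codesign output, the developer name and the team ID are constructed placeholders.

```shell
#!/bin/bash
# Added example (not from the post, the author's droplet or WhatsYourSign): the manual
# Terminal check, scripted. Assumes macOS with codesign(1) and spctl(8) on PATH.
# Parse `codesign -dvv` output (stdin) into "leaf-authority|team-id". The first
# Authority= line is the developer's certificate; the last is the root CA.
sig_identity() {
  awk '
    /^Authority=/ && leaf == "" { leaf = substr($0, 11) }
    /^TeamIdentifier=/          { team = substr($0, 16) }
    /^Signature=adhoc/          { adhoc = 1 }
    END {
      if (adhoc)      { print "adhoc|none"; exit }
      if (leaf == "") { print "unsigned|none"; exit }
      print leaf "|" team
    }'
}
# Classify the leaf certificate: who vouches for the developer.
sig_class() {
  case "$1" in
    adhoc)    echo "ad-hoc (no certificate)" ;;
    unsigned) echo "unsigned" ;;
    "Developer ID Application: "*|"Developer ID Installer: "*) echo "Developer ID" ;;
    "Apple Mac OS Application Signing"*) echo "Mac App Store" ;;
    "Software Signing"*) echo "Apple" ;;
    *) echo "other certificate" ;;
  esac
}
# Check one item: seal integrity (--deep covers nested code, --strict applies current rules;
# any edited file breaks the hash), signer identity, then Gatekeeper's own verdict.
# Returns 0 valid+accepted, 1 unsigned/tampered, 2 Gatekeeper rejects, 3 not on macOS.
check_item() {
  path=$1
  command -v codesign >/dev/null 2>&1 || { echo "codesign not found: run on macOS"; return 3; }
  if ! codesign --verify --deep --strict --verbose=2 "$path" 2>&1; then
    echo "FAIL: $path is unsigned or modified since signing"; return 1
  fi
  id=$(codesign -dvv "$path" 2>&1 | sig_identity)
  leaf=${id%%|*}; team=${id##*|}
  echo "Signed by: $leaf (team $team) -> $(sig_class "$leaf")"
  # spctl runs Gatekeeper's assessment on demand, quarantine flag or not (BitTorrent, mail, USB).
  if spctl --assess --type execute --verbose "$path" 2>&1; then echo "Gatekeeper: accepted"
  else echo "Gatekeeper: rejected"; return 2; fi
}
# Constructed `codesign -dvv` output with a placeholder developer and team ID, for a dry run.
SAMPLE='Authority=Developer ID Application: Example Developer (TEAMID0000)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=TEAMID0000'
if [ $# -ge 1 ]; then check_item "$1"                 # ./checksig.sh /Applications/Example.app
else id=$(printf '%s\n' "$SAMPLE" | sig_identity); echo "sample: $id -> $(sig_class "${id%%|*}")"; fi
```

Run without arguments it only parses the constructed sample; with a path it performs the real check, and an ad-hoc signature passes the seal check but is still rejected by spctl, which is the case a quick glance at codesign alone would miss.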

Now Patrick Wardle of Objective-See has done a proper job and produced WhatsYourSign, a neat Finder Sync tool to check the signature of anything – and it’s free from here.


What you get is a little app which installs (or removes) the Finder Sync component. Once installed, to check the validity of the signature of any item, select it and use the Finder’s contextual menu (right-click or control-click, or two-finger tap-and-hold, etc.) for the Signing Info command. Its current limitation, due to a bug in El Capitan, is that it can only check items on your startup volume. If you have something on a Flash drive or disk image, you will have to copy it across to your startup volume in order to check it.

Every Mac user should have a copy installed and ready to use. You will never again worry whether that download was something nasty in disguise.

WhatsYourSign can only become more important with the coming of macOS Sierra, which ‘encourages’ all developers to deliver their products using signed methods.