You can push metaphors and analogies too far, but I quite like that of the walled garden in security. At its entrance is Gatekeeper, only admitting those who pass its scrutiny. The sad fact is that there are plenty out there who want to enter our walled garden to damage it. Some try arriving in disguise, hoping that they can cheat their way past Gatekeeper, but others climb over the wall.
Since the introduction of app and bundle signatures over a decade ago, macOS has had the ability to check signed apps whenever they’re run, but hasn’t done so, only checking signatures at first run.
There are plenty of good reasons for this: full and robust checking can require extensive remote access to verify all the certificates involved, and in some cases can take many seconds. Although in reality app launch time isn’t as important as is often made out, it’s commonly used to disparage operating systems and hardware: “xxOS is so much worse, it now takes twenty seconds to open an app”.
So despite Apple’s original claim that signatures can be used to check that malware hasn’t altered signed software, until Mojave arrived, they were only ever used for that once.
Thomas Reed, one of the top Mac security researchers, has on several occasions demonstrated how this convenient limitation can readily be exploited by malware. You can read reports of his presentation at VB2018 in Montreal by Lily Hay Newman for Wired and by Tara Seals for Threatpost. His latest presentation slides, from his talk in November at the Objective by the Sea Mac security conference, are available here and are largely self-explanatory.
Modification of app data isn’t exactly new. It was the basis of what was probably the largest iOS and macOS malware outbreak, with XcodeGhost, which managed to infect as many as four thousand App Store apps, and came close to destroying the store altogether. It was also only detected very late. In XcodeGhost, the code modification occurred on developer systems which then uploaded infected products for distribution by the App Stores, which is different to the modification of already-run apps on individual Macs.
Reed’s concluding recommendations as to what we should do are:
- “Look at the signature for every app you use
- If broken/missing/etc, report it to the vendor
- If you are a developer, get it right!
- Spread the word”
I’ve been working this week on Signet, which provides me with a convenient way to do exactly this.
My original instigation to look at bundle signatures was the realisation that, tucked away in my /Library/QuickTime folder, I had some very old plug-ins which were also unsigned. They’d been migrated across from much older Macs, but having Codecs like these around looked quite risky: even if software were interested in checking their integrity, without signatures they are permanently untestable. Yet you don’t like to arbitrarily remove them, as you don’t know what media would cease to open.
When Signet was first up and running, I expected to discover plenty of unsigned bundles, and I wasn’t disappointed. I was rather overwhelmed at how many even quite recent bundles shipped with commercial products are still delivered to users without any signatures, and that includes at least one product supplied by Apple’s App Store, which I would have expected to have a more stringent policy.
What I hadn’t expected to encounter was software whose certificates have been revoked – and not just one old and unsupported app, but a total of thirteen. I might guess that the reasons are benign, but I’ll never find out because such certificate revocation is performed in secret.
What I was looking at using Signet was clearly not a well-kept walled garden, but one in which the weeds have been left to grow. Only until now, users have been unable to see their true extent, as they have only been able to check one bundle at a time, either using Objective-See’s What’s Your Sign or rather complex commands in Terminal.
There’s nothing forcing you to inspect your weeds. Signet is optional, a choice which you can make. It doesn’t tell you to get rid of any of your weeds, merely makes them visible. You may well want to keep them if they’re still useful, and there’s no more secure replacement.
Apple’s plan is that, sometime in the not too distant future, all your new apps will either come from its App Store or be notarized. Yesterday, I showed how those are more robust in the face of attempts to hijack their bundles, even after their first run.
Today, I offer an improved version of Signet, its second beta release. This should now run on High Sierra as well as Mojave (but as I’m unable to test it on older macOS, I’d appreciate feedback please), adds the option to perform less stringent signature testing, and has some interface improvements. Signet 1.0b2 is available from here: signet10b2
and from Downloads above.
Using strict checking, it finds 22 signing errors in my test folder.
Using more basic checks, it only finds 16, which are almost all bundles which are unsigned, or for which the certificate has been revoked.
For the sake of completeness and fairness, the following cautionary words are in its documentation:
So what should you do with a bundle for which errors are reported? That depends on what the bundle is for and what the error is. Some reputable software developers consider that what Signet does is completely worthless. They argue that signatures are only there for Gatekeeper, and as Gatekeeper is only there to check apps when they are first run, it doesn’t matter once the app has passed that check.
Others consider that checking signatures is “security theatre”, and unless those checks were accompanied by databases containing ‘true’ signature references, they are worthless.
I built Signet for myself. If you want to use it, you’re very welcome. I use it to discover old and potentially vulnerable software so that I can look for more modern replacements, or simply get rid of them as expired. I think that this is all part of good hygiene, or housekeeping if you prefer, and the information which Signet provides about signatures is a useful input to my decisions about what to keep and what to get rid of. In the course of doing that, I think that I am making my Mac significantly more secure, particularly when I can replace an old unsigned app with one from the App Store or which is notarized. I’d like you to have the same choice: if you don’t feel that it helps, then by all means trash it, but please don’t ask for your money back or complain that it wasn’t worth using.