Code signing for the concerned: 1 Why?

Even in Mojave, there’s no requirement that apps or other code bundles are signed, and many on your Mac still aren’t. Signing can be required for certain features, such as access to Keychains, and negotiating privacy protection enforced by TCC. Most importantly, signing may allow an app to be launched when it is run through Gatekeeper’s full checks.

Apple has stated its intention, at some time in the future, to require that all apps obtained and installed from external sources have either been delivered by its App Store, or have undergone notarization by Apple to check for malware. It hasn’t said when that will apply, nor has it explained how this might affect those who develop their own script apps, or build open source software for themselves.

There’s a lot of confusion about code signing, when it’s required, and what it does. In this and the next few articles, I’m going to try to clear that up so that you know how it applies to you, and those who provide your software. This is a complex area which isn’t always clearly documented. Apple’s last detailed guides, listed in the references below, haven’t been updated since 2016 (Sierra) either. If I have got something confused or wrong, please tell me in a comment so that I can correct it.

Why sign an app or code bundle?

Although code signatures provide verification of the integrity of a code bundle, which can be useful in itself, the primary purpose of a signature is to satisfy the designated requirements of a sub-system within macOS. The most obvious example, and the one of which we are most aware, is the thorough Gatekeeper check which apps undergo after they have been downloaded and are being run for the first time.

Code signatures on bundles are also checked for many other reasons. Most recently, these determine whether an app can be granted access to protected locations and services which are private, a function of TCC. Apps which run in a sandbox also rely on their signature to access facilities according to their entitlements.

Given that apps distributed through the App Store are required to run in a sandbox and may use entitlements extensively, they are clearly heavily reliant on their code signature to make all that work. Apps which are notarized are similarly marked as being different, by being ‘hardened’. This is different from a sandbox, and enforced by the SIP mechanism, which is detailed in this article by Jeff Johnson. As he writes there, “both sandboxing and hardening rely on code signing entitlements.”

So now and in the future, if you want your app to run in a sandbox or to be notarized, then code signing is mandatory. But what if you just want to use an app yourself, or pass it on to a few friends, and aren’t interested in sandboxing or notarization?

Until Apple gives us further details of how things will change in the future, for personal use there is little value in signing apps or code bundles unless your code requires access to a sub-system which needs code signatures. In those cases, you’ll need to follow the rules for that sub-system’s checks – which is generally unusual for non-commercial code.

What about Gatekeeper?

Gatekeeper only performs thorough checks on code signatures the first time that you open an app, and only when the quarantine flag is set on that app. If you build the app locally and don’t distribute it via an online site, then the quarantine flag won’t be set, and that thorough check will never be performed. You might be caught out, though, when copying the app to other Macs: for example, moving it by AirDrop is likely to set the quarantine flag, but copying it over local file sharing won’t.

So almost all the circumstances in which someone might think about using techniques such as self-signing an app, they are very unlikely to be needed to satisfy Gatekeeper checks (something which self-signing doesn’t do anyway). If you want to distribute your app via a website or similar, then you really must go through the process of signing up as a developer with Apple and using a Developer ID to sign your apps properly.

This doesn’t apply to apps which are supplied unbuilt, as source code. You can’t sign source or ‘pre-sign’ it in any way that will help those who build it for themselves. As far as Gatekeeper is concerned, locally-built apps won’t have a quarantine flag, and won’t get thoroughly checked.

Ad hoc signing

You’ll come across ad hoc signing on various websites, but it’s hardly mentioned by Apple. This is because some users feel that ad hoc signing addresses a problem; in truth, it doesn’t achieve much, if anything, and isn’t to be generally recommended.

Ad hoc signing isn’t really signing at all, because it doesn’t use a certificate to provide cryptographic evidence that the signature is valid. All it really does is provide a hash value which claims to verify that the code bundle hasn’t been tampered with. As you can’t validate that hash in any way, you can’t trust it, and Gatekeeper won’t either.

Where an ad hoc signature can be valuable is when the hash value can be compared against a suitably-protected known good value. As there’s currently no robust way for a user to do that, you can’t trust an ad hoc signature any further than you can forge one.

Signing with a personal certificate

Obtaining certificates is usually not free. To obtain an Apple Developer certificate, you have to pay to be a recognised developer; you can sign code using certificates which rely on another root certificate, although for code signatures on macOS these are relatively unusual, and certificate authorities don’t often provide certificates suitable for code signing free of charge.

You can, though, generate your own personal certificate which you can designate as trusted on your and other Macs. This is performed through Certificate Assistant. My next article will step you through that process.

References

Apple’s Code Signing Guide
TN2206 Code Signing in Depth

4Comments

Add yours

1

Joss on January 15, 2019 at 11:04 am

I can’t say this with certainty, but as I have understood it, running unsigned and self-signed apps and processes will still be possible in future versions of macOS, same as today. I don’t see any value at all in buying a computer that won’t run your own programs and software as is. The only thing Apple would probably change is the procedure of code-signing with an Apple developer certificate: those apps will need to go through notarization. Apps code-signed with an Apple dev cert, but without notarization, will be on the same level as self-signed apps today. That would be a good thing in terms of security and privacy, but it would still leave the door open for developers who (for ideological or other reasons) don’t like Apple’s code-signing approach.

But I might be wrong, and if I’m wrong, Apple would have to change the developer model too. One example could be: Apple-issued certificates for everyone and for free, one per computer, and those free certs will be accepted as valid only on that one local computer. And applications like Script Editor and Xcode will need auto-signing functionality on export/build/save, if only the free local certificate is found in the keychain. But if you want to distribute, you’ll need notarization, and only then will you have to pay the developer fee, or you need to ask your customers to sign your software with their local free certificate after installation. But that would be a pretty complicated thing, because then package managers like Homebrew and MacPorts would need built-in auto-signing as well.

LikeLiked by 1 person
- 2
  
  hoakley on January 15, 2019 at 1:15 pm
  
  Apple hasn’t said anything about running unsigned apps, and there’s nothing in macOS which might prevent you from doing so.
  What Apple has said is that apps which are downloaded from the Internet – hence gain a quarantine flag – will at some time in the future have to be notarized rather than just signed with a Developer ID (or be supplied by the App Store) for them to pass through Gatekeeper’s full checks.
  Currently, unsigned, ad hoc ‘signed’, and those signed using personal certificates do not pass this requirement either.
  Apps which you build yourself, scripts, Homebrew, MacPorts, etc. aren’t included in any of this, as the app doesn’t gain the quarantine flag, therefore doesn’t undergo the full Gatekeeper check.
  However, Gatekeeper is only one requirement which apps may need to satisfy with their signatures. Valid signatures may be required to satisfy other requirements. For example, if you build your own kernel extension, I think that you still need to obtain a special kext certificate from Apple before your Mac will accept it. Privacy and TCC is another area where signing requirements have become more complex.
  Howard.
  
  LikeLike
3

Weekly News Summary for Admins — 2019-01-18 – Cebu Scripts on January 18, 2019 at 4:44 pm

[…] Code signing for the concerned: 1 Why? – Howard Oakley, 2 Creating a personal certificate – The Eclectic Light Company […]

LikeLike
4

Code signing for the concerned: 1 Why? – The Eclectic Light Company – Jerry's Mac Blog on January 21, 2019 at 7:33 pm

[…] Source: Code signing for the concerned: 1 Why? – The Eclectic Light Company […]

LikeLike

Share this:

Related