Checking your app’s own signature

Last Christmas, I looked in detail at how the code signatures of apps are checked, or rather how they are so seldom checked. Given that almost all apps are now signed, it might seem logical that each time you launch an app, it should at least have its integrity checked. However, unless an app decides to do it itself, that doesn’t happen, at least not in macOS Mojave and earlier. Not even when the app runs in a sandbox, is hardened or notarized.

There’s nothing inherently wrong with that: those are the rules, and many apps rely on them for accomplishing tasks such as updating themselves in place using the Sparkle system. But what if you want to check that your app hasn’t been quietly subverted, or even just corrupted? Could your app run its own signature check each time that it’s started?

Some apps, security products such as anti-malware scanners, are known targets for malware and their developers normally incorporate extensive self-integrity checks to ensure that each time they run, they know that nothing has nobbled them. Not only that, but they may need to verify their integrity more dynamically too. I’m not suggesting for a moment that you take this to such extremes. But the cost in code and time to perform a basic signature check is very small.

All I have done is add some code to the standard applicationDidFinishLaunching() function built into every app’s App Delegate:
func applicationDidFinishLaunching(_ aNotification: Notification) {

First get your app’s main bundle URL:
let myURL = Bundle.main.bundleURL

Then use that to create it as Static Code for assessment:
var code: SecStaticCode? = nil let err: OSStatus = SecStaticCodeCreateWithPath(myURL as CFURL, [], &code) if (err == OSStatus(noErr)) && (code != nil) {

Performing the signature check requires setting up the parameters to be passed. The first is the flag so set the type and depth of testing to be performed. Here I’m opting for a basic check to include all nested code, which shouldn’t check the certificate in full:
var checkFlags: SecCSFlags? = nil checkFlags = SecCSFlags.init(rawValue: kSecCSCheckNestedCode) let secReq: SecRequirement? = nil var secErr: Unmanaged<CFError>?

Then you can perform the check itself, ensuring that it returns any errors:
let csErr: OSStatus = SecStaticCodeCheckValidityWithErrors(code!, checkFlags!, secReq, &secErr)

You choose what to do when an error is returned. The aggressive approach would simply crash the app immediately with the security error; a gentler approach would be to show an alert, then quit when that’s dismissed. I chose a middle way which terminates the app gracefully, but doesn’t hang around explaining why:
if csErr != errSecSuccess { NSApplication.shared.terminate(self) }

Finally, remember to release the Unmanaged variable:
if secErr != nil { secErr?.release() } } }

checksig

The most difficult part of this is testing your app. When freshly built, it should fly through your check and run normally. But unless you test the error condition, you’ll never know whether your code is doing anything at all.

What I do is make a copy of the built app and change a single character in its Info.plist, say in the date shown in its copyright. If the check picks that up, it demonstrates that it’s at least checking the checksum on the app bundle. But if you simply make a copy of the app in your documents folder, change that character, then run the app, it will crash with a macOS security error: the first time an app is run from a new path, macOS performs a full security check on it, and that’s what happens.

What you need to do is move the app to a folder from which it’s usually run, like /Applications. Run it once unmodified to check that it launches fine from there. Then modify that copy by changing a single character or byte, and run it again. On that occasion, macOS shouldn’t react by crashing the app, but your new mechanism should kick in.

Is any of this worth the effort, though? Isn’t a little extra security actually worse than the status quo?

Against a determined attacker, checking integrity without doing a full signature check may not be effective, as malware can easily replace your signature and its checksum with new. But the most likely reason for an app differing from its original checksum – unless it’s been updated by Sparkle or similar – is that it has simply become corrupted in storage. And who knows whether an attacker will go to the lengths of writing a new and correctly-updated signature?

The cost in terms of coding effort or launch time is so small that any benefit seems worth it, provided of course that you warn your users, and not just in the app’s own Help.

I look forward to the debate. In the meantime, at least you now know how to do it.

Postscript

Thanks to @DubiousMind for pointing out that in some circumstances even hash checks on signatures can take some time. If you happen to have 2 GB of data in your app bundle, forcing even the most superficial of signature checks could delay app launch by a minute or more. When tested here, for example, running a full and deep check on Xcode takes just over 30 seconds. You probably wouldn’t want to run such a check if that were the case. But in the great majority of instances, checking hashes is almost instant. It’s not hard to assess this during development.

5Comments

Add yours

1

Bryan Christianson on May 26, 2019 at 9:04 pm

Howard
Thank you for posting the code. I have decided to incorporate it into my own applications. I have made 2 changes to your example.

1. I override NSApplicationDelegate.init and make the call to the checker from there, rather than waiting until applicationDidFinishLaunching() and call exit(1) on failure.

2. On reading the (rather scanty) Apple documentation, I have added kSecCSStrictValidate to the SecCSFlags() with:
checkFlags = SecCSFlags(rawValue: kSecCSStrictValidate | kSecCSCheckNestedCode)

(2) maybe belt and braces but it seems like a good way to check I that have correctly structured my bundle.

Bryan

LikeLiked by 1 person
- 2
  
  hoakley on May 26, 2019 at 10:19 pm
  
  Bryan,
  Thank you. I did think about exiting earlier and harder, but thought that a little later and softer might be more proportionate, given that none of my apps are likely to be targeted by malware, so the most likely cause of an error here was simple corruption of the app. One thing which worries me a bit about Apple’s crashing approach in particular is that users can confuse it with a crash on open, and just ditch the app as broken.
  My apps don’t (currently) have nested helpers etc, so I thought that a simple rather than nested check should suffice for them. Strict validation does incur a more significant delay, and there are occasions when I’ve seen it very slow to return. Again, any deliberate subversion of an app by malware would either leave the signature broken, or the doctored app would be correctly signed using a different certificate, something which should be very hard for a notarized app, but when done properly would of course pass even strict validation. So I wasn’t convinced that the added protection of that was worth the longer delay.
  I may change my mind in the light of experience, of course, but I am getting to like this relatively simple technique.
  Howard.
  
  LikeLike
  - 3
    
    Bryan Christianson on May 26, 2019 at 10:53 pm
    
    Thanks for the comments Howard.
    
    In my testing I have not seen any significant delays at startup so I’m happy to stick with what I have. Of course user feedback may make me change my mind :).
    
    exit(1) is still relatively soft. It does not cause the generation of a crashdump but still notifies the caller (launchd?) that something went awry.
    
    A lot of my applications have embedded helpers and shell scripts. The helpers are signed but I am not sure how notarization deals with them. The shell scripts are somewhat problematic because they are NOT signed and live (Apple recommendation) in the resource directory of the bundle. Any tampering *should* be picked up but its still a source of doubt for me.
    
    Bryan
    
    LikeLiked by 1 person
4

Joss on May 28, 2019 at 11:30 pm

I assume a hacker could circumvent such a self-test. Still, I wonder… I would like to have a self-check for certain shell scripts, e.g. those running in a Platypus application. You could tell the script to check its own integrity or the integrity of the bundle it’s running from, no biggie, even check the actual signature, but a malicious actor could just change the embedded data the app is tested against (Team ID, subject key identifier, fingerprint etc.), then codesign it again, and to the unsuspecting user it would seem like everything is OK.

Is there any *tamper-proof* way an app or shell script can check itself for any modifications? Haven’t found anything yet. (Maybe something with GPG?)

LikeLiked by 1 person
- 5
  
  hoakley on May 29, 2019 at 6:07 am
  
  Yes, a hacker can remove the signature and re-sign the app after modification, although the app wouldn’t run unless correctly re-signed. That’s not a trivial task, though, and an extra mile which they wouldn’t have to go to tamper with most other apps. Like almost all protection, it’s not absolute, but should reduce the risk. I am working on a free tool which can spot that as well.
  You can sign scripts, putting the signature data into an extended attribute, which is already used by Apple in some circumstances. However there’s no current way to check and enforce that signature when trying to run a script, which would need to be built into the shell itself. You could write a script which first checks its own signature, but again that’s simply circumvented by editing it to remove that initial check – that’s much harder to do in the case of a compiled app, of course.
  Howard.
  
  LikeLike

Share this:

Like this:

Related