Preparing for new security rules: how signatures can get stripped

We should be reassured that Apple currently has no intention to stop us from running unsigned code in macOS, but it has stated clearly that “a future version” of macOS will check signatures more fully when opening apps which aren’t in quarantine. Depending on how its latest requirements for notarization work out, that “future version” could be 10.16, which we should start seeing in beta in less than seven months. Now is the time to start thinking about the consequences.

If we’ll still be able to run unsigned code in 10.16, but app signatures are checked more thoroughly whenever their code is run, the best plan for now is to ensure that as much of the executable code on your Mac is properly signed, and notarized where possible. If you do have a developer signature and write your own scripts, it seems wise now to ensure that all those scripts are signed, even when saved (for example) as Compiled OSA Scripts (.scpt).

One enemy of signing apps and any other form of executable file is that signatures aren’t always stored robustly. For example, if you Zip up a script at the command line, chances are that the signature and supporting information will be stripped from it, and lost. Any deliberate policy of stripping extended attributes will also cause problems. This is because, in some circumstances, signatures and supporting data are attached to scripts in the form of extended attributes, which can so easily and inadvertently be removed.

Simple apps, including AppleScripts exported in app form, are bundles, containing their signature in the _CodeSignature folder. Zip these up in Terminal, or move them using iCloud Drive, and their structure and signatures should be preserved. Signed single-file Mach-O executables should embed any signature and Info.plist file within their binary structure, so they should be safe too.

But sign a Script file, and there’s no way that its signature can be embedded other than as an attached extended attribute (xattr). Look at this using a xattr editor such as my free xattred and you’ll see not only its signature in the com.apple.cs.CodeSignature xattr, but three additional xattrs, com.apple.cs.CodeDirectory, com.apple.cs.CodeRequirements, and com.apple.cs.CodeRequirements-1. All of these are essential for that signature to pass Gatekeeper and similar checks.

scriptsign

This also applies to scripts and other single-file executable code (other than Mach-O binaries) which might be embedded in apps: they should be individually signed, and when their signatures are saved in xattrs, they are easily stripped.

So what actions will strip those xattrs and break the code’s signature?

Compressing the file, alone or with others, using the zip command tool. Although its man page implies that all xattrs are preserved, in reality all four signing xattrs are stripped.
Passing the file through iCloud Drive to another system. This is strange, as three of the four xattrs are preserved, but com.apple.cs.CodeRequirements-1 is currently stripped, which would appear to be a bug. This results in a signing error -67061, indicating an invalid signature in which the signature has been modified.

The reason that the signing xattrs are stripped by the command tool version of zip is that it only appears to preserve xattr types which are designated for preservation. Apple could of course fix this, either by overriding the system settings by appending #P to the xattr name, or by adding these xattr types to the default behaviour list, as explained here. It’s unclear why Apple has chosen to do neither, putting signature xattrs at risk in this way.

Actions which appear safe for the moment include:

Transferring the file to another Mac using AirDrop. Curiously, this preserves all the essential xattrs, although it also attaches a quarantine flag, making them essential.
Compressing the file, alone or with others, using Archive Utility, even when the destination format is a Zip file.
Moving or copying between volumes and disks with APFS or HFS+ format.

The command tool ditto is also xattr-preserving, as are disk images and installer packages, although under the new security rules in Catalina, they could also require to be signed and even notarized, of course, so may not be your preferred solution.

The practice of stripping xattrs from files to ‘clean’ then, or remove quarantine flags, is potentially harmful. If you need to remove quarantine flags from documents, for example, use my free utility Sandstrip, which doesn’t touch other xattrs. To check whether executable code is correctly signed, Taccy inspects single apps and packages, and Signet scans whole folders for you.

Actions which Apple can take to make this work better:

Add xattr type com.apple.cs.CodeRequirements-1 to the list of xattrs preserved in iCloud Drive.
Add all four code-signing xattrs to the system defaults list of xattrs which default to #P handling, so preserving them on export.

Thanks to @rosyna for drawing attention to these issues.

8Comments

Add yours

1

Adam on November 12, 2019 at 2:25 pm

Can you please elaborate on why stripping xattrs from files is potentially harmful? I create my own application bundles and Apple scripts and sometimes I have to use the “xattr -cr” command in terminal to clean then before copying them to my relatives’ Macs. Otherwise I get erroneous messages that the apps are “damaged” and have to be moved to the trash.

LikeLiked by 1 person
- 2
  
  hoakley on November 12, 2019 at 2:35 pm
  
  If you sign a .scpt file, the signature can’t be incorporated into the file itself, as it would be in a Mach-O binary. Instead, it is attached to it in the form of four xattrs, as detailed above. If you strip those xattrs, at best you have removed its signature. If you only strip some of them, then Gatekeeper won’t allow you to open it at all, as it reports that the signature is damaged, which it is.
  If you distribute unsigned bundles, then this isn’t an issue – there’s no signature to cause problems. But the moment that you start signing single-file executables which aren’t Mach-O binaries, then it can cause problems.
  At present – even in Catalina – this isn’t a problem so long as the apps/scripts which you distribute don’t get a quarantine flag, as it’s only then that they will under a full Gatekeeper check. However, Apple has warned that in future, signatures will be checked even after first run, and in all code not just that with a quarantine flag.
  So if there are .scpt scripts which today get their signatures damaged, when this future version of macOS is released, all those scripts will be rendered useless because of their damaged signatures.
  Is that a bit clearer?
  Howard.
  
  LikeLike
- 3
  
  Adam on November 12, 2019 at 2:37 pm
  
  Correction – I have to use xattr -cr *after* copying my apps to other Macs, and then they seem to work. I’m confused as to why that happens.
  
  LikeLiked by 1 person
  - 4
    
    hoakley on November 12, 2019 at 2:41 pm
    
    That sounds like you’re stripping the remains of signatures, and possibly any quarantine flag too (depending on how you move them).
    As I wrote above, Apple has said that it has no plans to stop users from running unsigned code. But it’s a serious security vulnerability, and may well get increasingly awkward in future versions of macOS.
    Howard.
    
    LikeLike
5

Adam on November 12, 2019 at 2:53 pm

Thanks, that does help me understand it better. My main concern is that my self-made app bundles (made from Applescripts or bash scripts) will continue to work on my family’s Macs. I have no intention of publishing the apps and they are for private use only. It seems I should avoid signing anything for now and then I shouldn’t have to use xattr commands.

LikeLiked by 1 person
- 6
  
  hoakley on November 12, 2019 at 2:58 pm
  
  That’s up to you, but as macOS can’t check the integrity of unsigned code, it makes your apps vulnerable.
  The apps I distribute here (all free) are signed using my developer signature, hardened, notarized, and each checks its own integrity every time it is opened. I wouldn’t want others to have any less protection.
  Howard.
  
  LikeLike
7

sstanleyau on November 19, 2019 at 3:51 am

For the specific case of .scpt files, you can save as .scptd files instead. They should be basically interchangeable, and as bundles they can hold a more robust signature. But both formats suffer from a deeper problem in terms of code-signing: when scripts are run, they are generally loaded from disk, run, and if any top-level values change, the modified script is saved back to disk. That’s likely to invalidate signatures. There are ways to stop this — making the files read-only, or constructing the scripts so that the values of top-level variables never change — but the issue needs to be considered before anyone decides to start signing scripts willy-nilly.

LikeLiked by 1 person
- 8
  
  hoakley on November 19, 2019 at 11:06 am
  
  Thank you.
  Scripts which modify their source are inevitably going to prove a problem, and I think that writing has been on the wall for some time. In an ideal world, Apple would update AppleScript to provide easy access to a more secure solution. I won’t hold my breath.
  Howard.
  
  LikeLike

Share this:

Like this:

Related