Checking signatures on apps

Before upgrading to Catalina, there are lots of things to check, among the most important being that you aren’t reliant on any 32-bit software. Although Big Sur doesn’t impose many additional hurdles, except on apps and tools which run native on ARM processors, this is a good time to start preparing if you intend upgrading before the end of this year. This article looks at one aspect, signing of code, and releases a new version of my free app Signet.

As I’ve shown previously, there are plenty of times that macOS checks code signatures after that code has passed its first run checks. What’s different about those later checks is that they’re not so stringent, in that they don’t go so deep as to check every bit of code, nor are the signing certificates checked online. They thus allow many apps to run even though they’re not signed at all, or their original signature is broken.

This is starting to change when running Big Sur on Apple Silicon Macs, in that code built to run native on those new Macs will need to be signed in some way, even if it’s just with an ad-hoc signature. That doesn’t apply to Intel code, which will there be run using the Rosetta 2 translation features of macOS 11. Neither does any of this change anything on Intel Macs, which can continue running code which is completely unsigned.

Making the transition to Big Sur, particularly when running on a new Apple Silicon Mac, is thus going to involve taking more interest in whether apps and other executable code are signed.

Nearly two years ago I started to develop a utility which performs signature checks on folders of apps, Signet. Although this has been available for well over a year, it has proved to be something of a minority sport, and little-used.

To ensure it gets the best out of Big Sur and Apple Silicon hardware, I’m pleased to release a new version which is a Universal App, so will run optimally on both Intel and Apple Silicon Macs, and in any version of macOS from High Sierra to Big Sur betas. This is now available from here: signet13
from Downloads above, from its Product Page, and through its auto-update mechanism.

As with my other Universal Apps, I will leave its previous Intel-only version available for anyone who has problems with this new version.

Signet is about to change, though. Noting the changed signature requirements for ARM-native code, there’s a new role which it can play with the introduction of Apple Silicon systems: the next version will feature a specific check for signatures on all ARM-native executable code, so that you can check Universal Apps and binaries, and any ARM-only executables.

There’s an interesting twist to this too. Executable code for individual architectures is signed separately.* Some time ago there was a vulnerability in signature-checking in which supplying one signed binary could lead to acceptance of that signature for binaries supporting other architectures. I don’t know whether that has since been fixed, but it remains possible to use different signatures, or to omit one or more signatures altogether, in Universal (multi-architecture) binaries. So a future version of Signet could perhaps check signature coherence within Universal binaries too.

I should also point out that the new version of Signet doesn’t (yet) check Mach-O executable code, only apps and bundles, and extending its checks to cover other executable code including Mach-O files is needed for Big Sur systems anyway.

I will be starting work on this new version of Signet soon. In the meantime, the most extensive range of signature and related checks comes in my free utility ArchiChect, available from its Product Page.

* To clarify: normally, when someone signs a Universal binary, all architectures are signed together, and they don’t sign them individually. However, signatures are appended to each of the single-architecture binaries within the Universal binary. Using lipo, it is possible to assemble a custom Universal binary in which the binaries for individual architectures are signed using different signatures, or not signed at all.

4Comments

Add yours

1

Joss on September 5, 2020 at 7:16 am

Quote: “Executable code for individual architectures is signed separately.” How would that work in Terminal with the `codesign –sign` command? I’ll occasionally need to sign e.g. Platypus apps, sometimes also their nested code (helper executables). This stuff is made outside of Xcode, and will be unsigned universal binary at first. Do I then need to split the architectures with lipo, then code-sign them individually, then lipo-join them again? But how would that even work with Code Resources, i.e. all the stuff that isn’t code, but gets “written in” too? Or does the codesign command handle universal binary signing out of the box?

LikeLiked by 1 person
- 2
  
  hoakley on September 5, 2020 at 7:26 am
  
  No – the act of signing is normally done in a single command, but the individual architecture binaries each has its own signature. Using lipo you could join binaries with different signatures, or unsigned altogether if you wished, but standard is to automatically sign all together.
  Howard
  
  LikeLike
  - 3
    
    Joss on September 5, 2020 at 7:29 am
    
    Ah, wonderful, thank you. I’m relieved. 🙂
    
    LikeLike
    - 4
      
      hoakley on September 5, 2020 at 8:36 am
      
      Good. I have added a note to clarify that, and spare anyone else getting concerned that they have to sign each architecture individually.
      Some time I must check whether that vulnerability has been fixed.
      Howard.
      
      LikeLike

Share this:

Like this:

Related