hoakley November 16, 2020 Macs, Technology

Checks on executable code in Catalina and Big Sur: a first draft

All eyes have turned to the checks that recent versions of macOS make when preparing to load and run executable code. To date, as far as I can see, there are disparate accounts of what have been considered certificate and notarization checks, and a few marginal notes about changes when running native code on Apple Silicon Macs. What I attempt in this article is a coherent account of how macOS checks executable code before it’s loaded and run, in macOS 10.15 and 11.0. This is my first draft, so please bear with my errors and help me correct them to build a more accurate picture. You can see my external sources listed at the end, to which you can add a succession of my own articles here.

These processes don’t just occur when you open an app, but also when any other executable code is loaded, for example when using a command tool, or when running code needs to load an executable from another source such as a dylib. I’m not going to consider the loading of code contained within the protected System volume, or that signed by Apple, and that run in sandboxed apps supplied from the App Store may also differ in parts. I’m also going to ignore the handling of code for Intel architecture on Apple Silicon Macs, which involves its translation by Rosetta 2.

Code signing

There’s an important difference between loading natively executable code on Intel and Apple Silicon Macs: the former allows code to be completely unsigned, but the latter refuses to load ARM code which isn’t signed at all. However, that requirement is enforced not to establish any chain of trust from its signing certificate (using an ad hoc certificate is sufficient), but so that the cdhashes created during the signing process are available.

Has this code been run before?

The first question to be answered is whether this copy of macOS has run this code before. To determine that, if the code is signed its hash is looked up in the cdhashes created during the signing process. If there are no cdhashes (because the code is unsigned), then macOS has to compute its hash on the fly. That takes time, particularly if this is a large app, so Apple Silicon Macs attain superior performance by refusing to compute the hash of native code, so block its loading. The code signing requirement on Apple Silicon Macs is therefore to eliminate the first run delays which many have noticed on Intel Macs running Catalina. Although a minor nuisance for some users, this should hasten app launch and execution.

Armed with the hash for the code to be run, this is looked up in the local security database, which establishes whether that code has been run before. If it has, checks move on to examine the code signature.

If this is the first time that code with that hash has been run, the hash is added to the local security database, and that hash is sent to Apple via a connection to api.apple-cloudkit.com. This has been thought to relate to notarization, but I don’t think has anything to do with that. At the least, Apple collects hashes as they’re encountered, and appears to look them up in a database of known malware (see below).

Is it signed using a developer certificate?

Code which hasn’t been signed using a developer certificate now can’t be checked any further, except by routine checks in XProtect to see if it is known malware and should be blocked. Otherwise, it is now loaded and run.

Where a developer certificate has been used to sign that code, the second question to be answered is whether that certificate is still valid. Before macOS 10.14, this appears to have been handled locally by lookup in the ‘Gatekeeper’ database. However, that was only updated periodically, so revoked signatures could still be accepted for a couple of weeks after they were known to have been compromised. Apple appears to have changed this system over a year ago, and at least in Catalina and later, now checks the validity of certificates online with its own servers at ocsp.apple.com.

This process uses the well-known OCSP protocol, in which the Mac queries the status of the developer certificate through that certificate’s ID. To prepare for the check, macOS therefore extracts that ID. Because online checking takes time, this isn’t performed on signatures which have been checked recently: before Apple’s server problems last week, results were cached for a period of 5 minutes; this appears to have been extended to 12 hours now, so should only occur the first time that you run an app each day.

If the local OCSP cache doesn’t contain a sufficiently recent result for that certificate ID, macOS sends an OCSP query to establish the status of that certificate. If that reports the certificate should be accepted, the executable code is given a clean bill of health, loaded and run. If the OCSP service reports that certificate has been revoked, then the code is blocked.

I have drafted a first proposal of how these processes integrate, shown here:

SignatureCheck1015a

You can download this as a PDF from here: SignatureCheck1015a

How can you block transfer of information?

Checking whether executable code can be run is a fundamental part of your Mac’s security. Apple can and does revoke certificates because they’re being abused by malicious software. If you were to prevent OCSP checks on signatures, you could end up running known malware whose certificate has already been revoked. Interfering with these checks thus has serious consequences, and shouldn’t be considered unless you have a really compelling reason, and have assessed the security risk of the consequences.

For a very few Mac users, such as journalists who work in hostile environments where state security services may be monitoring them, the OCSP exchange and transmission of new hashes could conceivably be used against them. There are solutions which should be able to mitigate against that. For instance, provided that an app has already been run and its cdhashes entered into the local security database, no repeated copies of those hashes should be sent to api.apple-cloudkit.com.

Muting the OCSP query is just as simple. It can’t occur when the code isn’t signed, so stripping an app’s signature will ensure that no query can be sent. However, unsigned code can’t be run on Apple Silicon Macs, and on both architectures its integrity can’t be checked either. For specific apps whose use might be sensitive, one approach is to strip any developer signature and replace it with an ad hoc signature. That isn’t technically difficult at all using codesign, and used only on specific apps shouldn’t increase security risk significantly.

How is it changing?

Exceptionally, Apple has responded strongly to recent concerns about online checks being made on executable code (see link below). This confirms that the hash lookup performed with api.apple-cloudkit.com does involve verifying “if an app contains known malware”, and certificate revocation checks with ocsp.apple.com as described above.

For those concerned with protecting their privacy, Apple makes it clear that “these security checks have never included the user’s Apple ID or the identity of their device”, and that it has stopped logging IP addresses. Furthermore, it states that certificate revocation checks will change in the next year to feature:

“a new encrypted protocol”;
“strong protections against” [OCSP] “server failure”;
“a new preference for users to opt out of these security protections”, which presumably means both hash lookup and certificate revocation checks.

I will report on those changes as and when they occur.

Key external sources:

Apple’s updated account of ‘Gatekeeper’ checks, including details of intended changes,
Jeff Johnson on OCSP checks,
Jeff Johnson on hash reporting,
Jacopo Jannone has an excellent account of the OCSP checks.

31Comments

Add yours

1

Christian on November 16, 2020 at 9:31 am

Dear Howard, just for my better understanding: When executable code is *not* signed with a developer certificate, macOS will accept this executable code? (I refer to the lowest line on the left side of your graphic) I also might need a better understanding if there is any difference in definition of “executable code” you are referring twice in your graphic. Many thanks for your help and apologies for raisng these dumb questions.

LikeLiked by 1 person
- 2
  
  hoakley on November 16, 2020 at 9:40 am
  
  Thank you.
  When executable code isn’t signed with a developer certificate and has Intel architecture, then its hash is still checked, as at the top of the chart. If it passes that, then there’s no certificate revocation which can be checked, so it will be run. That’s slightly different for ARM code running on an Apple Silicon Mac, where although a developer certificate isn’t required, the code must still be signed, for example using an ad hoc certificate. If the code isn’t signed at all, then on Apple Silicon Macs ARM code will be blocked and not run.
  Yes, “executable code” means all executable code, including dylibs, command tools, etc.
  I hope that is clearer.
  Howard.
  
  LikeLike
3

Joss on November 16, 2020 at 10:30 am

I wonder what this “new encrypted protocol” will be. The only thing that I didn’t know (and immediately didn’t like) about the OCSP connections was that they were on port 80, though I accept that this is the standard for the OCSP protocol, and that we are not really in any position to complain about Apple using a global standard. I then mused whether it might be “possible for macOS to create a permanent tunnel to Apple’s servers during boot, and then route traffic for OCSP and CRL updates through that tunnel (and only use open port 80 requests as a fallback).” I guess this could be similar to iCloud tunnels etc. I got a reply saying that “connections would have to be reestablished regularly, not to mention the burden for Apple servers holding open connections”, and that “TLS sessions use ephemeral keys, so they should close regularly regardless”. I have read elsewhere that encrypting OCSP requests on-the-fly could lead to “loops”, because another certificate (TLS) would need to be verified first, before checking the actual code-signing certificate’s serial number and receiving a signed response from the OCSP server. In a different tweet I read that we should “realize that OCSP is a relatively straightforward protocol and the ‘easy’ solution with privacy tradeoffs that most users would accept, but I would prefer k-anonymity rather than sending plaintext developer certificate hash on application start.” K-anonymity is what haveibeenpwned are using for their datasets. This might be an interesting approach, but if I understand this correctly, it would need at least one additional local step, namely (after reading a certificate’s serial number) k-anonymizing it before verifying it with Apple’s remote database.

LikeLiked by 1 person
- 4
  
  hoakley on November 16, 2020 at 6:20 pm
  
  Thank you.
  I don’t know, and I suspect that Apple is still working out its best course of action. That was an extremely rapid response, over a weekend.
  Howard.
  
  LikeLike
5

antbee on November 16, 2020 at 8:00 pm

Thank you for this information, Howard.
One other thing I wanted to ask about is, what is going on with Permissions? I do have your PermScan18, which I used on 6th November, and everything seemed to be great. The changes have happened sometime within the past few days since I had run the software.
When checking Get Information for Apps from Apple or a 3rd-Party Vendor, I am setting some very strange/new permissions monikers, which do not allow me to change accessibility for myself or the others, going so far as to change my Apple ID/Admin to “System.” The other changes include changing “admin,” which I believe to have been called something else, to “wheel,” but Get Info has kept the moniker, “everyone.” I can click on the locks, input my password, try to make a change to the permission for one of the monikers, but then get a message telling me, “The operation can’t be completed because you don’t have the necessary permission.”
The weirdest thing, to me anyway, is that I have not yet done the update to Big Sur.
Should I run PermScan18 again? Is this something to expect until I do the update? I do not understand what has happened at all.
I am sorry to have hijacked this thread for this issue, but I did not know what else to do, and I am desperate!
Thank you, Howard.

LikeLiked by 1 person
- 6
  
  hoakley on November 16, 2020 at 8:26 pm
  
  I’m sorry to hear of your problems, but what you’re trying to do isn’t what that app is intended for. As its documentation explains, this is for checking and correcting incorrect permissions primarily in your Home folder Library file. Apps – particularly bundled apps and those supplied through App Store – have very different permissions settings which you shouldn’t alter, as the app may well malfunction as a result.
  What’s the problem you’re trying to solve, please?
  Howard.
  
  LikeLiked by 1 person
7

antbee on November 16, 2020 at 8:31 pm

I am just wanting to know how and why the admin/Apple ID and “staff” monikers were changed in Get Info, and why clicking the lock, putting in the admin password and trying to make a change will not work. I am also wanting to know what, “wheel,” in that same situation means.
Thank you, Howard.

LikeLiked by 1 person
- 8
  
  hoakley on November 16, 2020 at 8:47 pm
  
  You may find this article helpful. wheel is one of the standard groups, and often appears as the second ‘Group’ item in permissions. If you try changing permissions for any of the bundled apps, you’ll hit the problem that they’re protected by System Integrity Protection (SIP), which stops you from doing that.
  Howard.
  
  LikeLiked by 1 person
9

Michael Tsai - Blog - Apple Server Outage Makes Mac Apps Hang on Launch on November 16, 2020 at 8:32 pm

[…] Howard Oakley: […]

LikeLike
10

antbee on November 16, 2020 at 8:33 pm

BTW, I did use your PermScan18 as intended the other day, but also thank you for letting me know it will not do anything for this particular situation.
Thank you, Howard.

LikeLiked by 1 person
11

Martin on November 16, 2020 at 11:33 pm

Why was Apple logging our IP addresses in the first place and why were the connections unencrypted? For a company who loves to go on and on about privacy and security in their PR, why hadn’t they implement the most basic privacy and security protocols? Sometimes it seems like it’s “amateur hour” over at Apple.

LikeLiked by 1 person
- 12
  
  hoakley on November 17, 2020 at 12:27 am
  
  Thank you.
  I’m not the right person to ask why Apple was logging IP addresses. I suspect, though, that it was unthinking rather than deliberate.
  OCSP is normally run in the clear. The information exchanged is non-private, and consists essentially of the certificate ID and little more, returning the status of that certificate in terms of correct, revoked, or unknown. There are problems with using HTTPS: that in itself requires certificate checks, which could fail in similar circumstances as the query, locking the whole thing in a loop. Hopefully Apple will come up with a better solution which protects that minimal info.
  If you’ve looked into sending your own OCSP revocation query, you’ll realise that there’s nothing amateur involved.
  Howard.
  
  LikeLike
13

antbee on November 17, 2020 at 3:09 am

I am sorry Howard, but I don’t believe the article in what directed you sent me, has the answers for what I am asking. Perhaps it does, but I am not technical enough to get the point. I was using the Finder, not Terminal, was not aware that Terminal could be used to change permissions. I rarely use Terminal, as I find it to be far out of my league.
I have asked questions in the Apple Support Communities, perhaps it will be there that I can find what is needed.
Thank you, Howard.

LikeLiked by 1 person
- 14
  
  hoakley on November 17, 2020 at 1:51 pm
  
  I’m sorry, I don’t know what question you’re trying to answer. If you can explain that, perhaps I can help?
  Howard.
  
  LikeLike
15

Gregor on November 17, 2020 at 1:35 pm

Hello,

I wonder if macOS on Apple Silicon requires just a valid code signature or also notarization on top of that?

Background: We’d like to distribute some command line tools internally and the linker ad-hoc signature is most likely not sufficient for that. But for internal tools I’d like to avoid notarization completely and just sign with an Apple developer account. Do you know if that is sufficient?

Thanks,
Gregor

LikeLiked by 1 person
- 16
  
  hoakley on November 17, 2020 at 2:07 pm
  
  No, notarization isn’t required on Intel or Apple Silicon Macs. As I have explained, both species will run unsigned code just fine, but ARM native code must be signed, even if it’s only with an ad hoc signature.
  Notarization comes into play when the executable code has a quarantine flag set. If you deliver your command tools without that, or strip it, then that bypasses the full first run checks which would otherwise check for notarization. So, provided any ARM binaries are signed, they will be run perfectly well on Apple Silicon Macs.
  I regularly run unnotarized apps on Apple Silicon, even with the quarantine flag set. You then have to Open them twice before macOS will clear the quarantine flag. That isn’t so easy with a command tool, though.
  Howard.
  
  LikeLike
17

Ben on December 14, 2020 at 10:26 am

Has the “new preference to opt out” been identified yet?

LikeLiked by 1 person
- 18
  
  hoakley on December 14, 2020 at 12:52 pm
  
  Not as far as I know. I suspect it will take an update to macOS 11 to introduce that, so any time from 11.2 onwards.
  Howard.
  
  LikeLike
19

Pinegrove on December 16, 2020 at 7:00 pm

Thank you for your excellent write ups.
So on M1 Macs the hash is always precalculated and included in the bundle in addition to the signature and not calculated locally before first launch, am I getting that right?

What eludes me is: How does the system know, that the hash is correct without calculating it by itself?

LikeLiked by 1 person
- 20
  
  hoakley on December 16, 2020 at 8:01 pm
  
  Thank you.
  When any code is loaded, there is (almost? always?) now a concurrent signature check, which does check that the cdhashes are correct. You can easily test for that by changing a single byte in part of an app, such as the Mach-O executable, which is covered by a cdhash. That will normally result in that app being crashed on launch. In the past, that check often didn’t happen, for instance when running known code from a known path. In more recent versions of macOS, those checks have become more frequent, and in Big Sur I think are now inevitable.
  Howard.
  
  LikeLike
21

tarambling on January 12, 2021 at 12:18 pm

Hi Howard, a very interesting article, and I think it provides some insight into behaviour I’m experiencing – and quite contrasting behaviour between a 2020 Intel i7 iMac, and my new M1 MacBook Air. On the Intel based iMac – BUT NOT the M1 MacBook Air – I’m getting regular – not consistent – but regular crashes, the *first* time I run various non-apple applications. At first it appeared as though it was limited to the Microsoft Office applications, but it has since also afflicted Google Chrome, and the Microsoft Edge Browser. The key message that seems to match with what you are describing is that the “TERMINATION REASON” is “Namespace CODESIGNING, Code 0x1” … The other notable thing about these failures is that they only happen the first time the application is run, and then the application can be launched successfully during the same login session / machine uptime. This is I believe consistent with what you’ve described above, although I’m not 100% sure whether the delay before the crash is reported is because a request has been sent to check the signature against the Malware register, and that hasn’t returned in a timely manner, or what. But there is certainly a very long delay at that point in time? But certainly, subsequent invocations of the application work almost immediately. The Mac OS “crash dialog” prompting to send information Apple, is accompanied by a “standard” dialog box with only an [OK] button on it, stating “You do not have permission to open the application [Application name]. Contact you computer or network administrator for assistance.” It would be diabolically frustrating this is happening, if it wasn’t for the certainty that I now know the application will launch flawlessly the next time I open it. As I said, the other thing of note – but which now makes more sense, now I’ve read your article, is that this does not occur, on the M1 Macbook Air. Once again, thank you for the illuminating article. Trevor

LikeLiked by 1 person
- 22
  
  hoakley on January 12, 2021 at 11:29 pm
  
  Thank you.
  You shouldn’t be experiencing crashes like those. Are you using any software which could be affecting the validation of app signatures? If not, I’d reinstall macOS and see if that helps.
  Howard.
  
  LikeLike
  - 23
    
    tarambling on January 13, 2021 at 12:31 am
    
    Hi Howard, yes, and there’s quite a number of threads floating around that highlight people suffering the same or similar issues, I believe all on Intel Macs under Big Sur. Originally, it appeared to related to Microsoft Office apps, as they were the most commonly observed apps failing in this way, but now as mentioned I see it with many non App Store installed universal apps, running on Intel. My Intel iMac, was built using Migration Assistant, from my old Mac Book Pro, and I am wondering whether I should do what you suggest and do a “clean install” using Big Sur? Not sure, it is such a big undertaking with a significant array of applications to re-install, and a large volume of cloud based data to synch locally. But, if it avoids this tedious situation, might be worth it. Your comment about using any software that could be affecting the validation made me think. I am using a Virus / Malware suite from Intego, which has been unpdated to be “Big Sur Compatible”, BUT, I wonder whether one of the tools in the suite could be affecting the validation of app signatures. I might try the judicious disabling of individual components of the suite, and see how that goes. Thanks for your feedback. Trevor
    
    LikeLiked by 1 person
    - 24
      
      hoakley on January 13, 2021 at 4:52 pm
      
      Thank you.
      Ah – anti malware software. I’d definitely uninstall that completely, and see if the problem goes away. Only then would I consider reinstalling macOS.
      Howard.
      
      LikeLike
    - 25
      
      tarambling on January 18, 2021 at 8:44 am
      
      Hi Howard, I took your advice, although uninstalling the anti-virust / anti-malware / firewall suite concerned was “no trivial undertaking”! It’s been 4-5 days now, and guess what? Not a single crash, so I think that your suggestion / suspicions were spot on – that the anti-virus / anti-malware / firewall suite I was using was in fact interfering with the signature checking of Big Sur. I will observe the behaviour for a little longer, and once confirmed, contribute my findings back to some of the other threads I am aware of where others – as I said I believe almost exclusively with Intel Macs – appear to be suffering similar issues to what I was experiencing. Once again, thank you for a very useful and enlightening post. Trevor.
      
      LikeLiked by 1 person
    - 26
      
      hoakley on January 18, 2021 at 6:36 pm
      
      Thank you.
      I’m delighted that it solved the problem.
      Howard.
      
      LikeLike
27

Chris Cleeland on April 5, 2021 at 6:41 pm

Any idea how network access is affected by all this, specifically, UDP access? I’m trying to work out the details on why `mosh` installed via brew doesn’t work on Big Sur, but does work on Mojave. The failure is an inability to communicate via UDP port 60001. I’ve confirmed that I can use `nc` (supplied by apple) on my Big Sur machine to open and communicate via that same port between the same two hosts, so I know it’s not a network, and firewall is turned OFF so it can’t be firewall issue. I’m left pondering if this is a code execution issue and whether I can somehow bless (not “bless”) an executable installed in /usr/local/Cellar…

LikeLiked by 1 person
- 28
  
  Chris Cleeland on April 5, 2021 at 6:42 pm
  
  important detail…Intel macs in both cases.
  
  LikeLiked by 1 person
- 29
  
  hoakley on April 5, 2021 at 11:33 pm
  
  Thank you.
  None of this has anything to do with network or UDP access. Mach-O files aren’t ‘blessed’ – they simply have to have the right structure to be loaded and run. On Intel systems, they don’t need to be signed at all either. It sounds more like a bug to me.
  Howard.
  
  LikeLike
30

Chris Cleeland on April 6, 2021 at 4:58 pm

Thanks for the reply. Further investigation concurs with you–at least in regard to it not being related to restrictions put in place by Apple. I was able to verify that this issue only occurs when I try to use the mosh binary across a Pulse Secure VPN. It does not happen when connecting to machines on my local network.

LikeLiked by 1 person
- 31
  
  hoakley on April 6, 2021 at 10:55 pm
  
  I wish you success with that.
  Howard.
  
  LikeLike