hoakley March 16, 2021 Macs, Technology

How to slip ‘unsigned’ apps past Gatekeeper in Big Sur

Consistency in security, particularly in the GUI, is very important. This article is a demonstration of features in Big Sur which you might have thought would protect you, but because of their inconsistent behaviour could catch you out. This shows how you can download, install and run executable code, such as an app, which isn’t signed with a Developer ID, only an ad-hoc signature, without macOS warning you that the code is potentially dangerous.

What happens

Installer packages are one of the two means of installing third-party software which Apple officially recommends (the other being disk images). In Big Sur, developers are required to sign them, and notarize the apps they distribute within them. Normally, if you try to open a package which isn’t signed, and has been downloaded from the internet so has been put in quarantine, macOS informs you that the package is from an unidentified developer, so can’t be opened.

package01

That behaviour applies when you double-click the package. Use the Finder’s Open command and, much like when trying to open a new app which hasn’t been notarized, you’re warned but given the choice of “overriding system security” and the risks that exposes you to.

package02

If you first open the Installer app and use its open file dialog to choose an unsigned package, there are no warnings given at all. Instead, you’re taken straight into the first of the sequence of windows which lead you through the installation process.

Of course, the information is there if you look for it: when the package has been correctly signed, a small padlock icon is shown at the top right of the window. That’s not true of Apple’s installer packages, though, and it requires you to notice something by its absence, which invites human error.

package03

package04

My example installer package has another surprise for you. When you open it, if you check what it installs using the Show Files command in the File menu, it admits only to installing a command tool, cintch, which is put in the main Applications folder. As with many packages, it actually does a bit more, but even browsing its log you won’t know that it has also downloaded another app (in fact, a properly signed and notarized command tool, blowhole) from a remote website. This is performed using curl in its pre-install script, but as Installer doesn’t let you browse the scripts in a package, the only way you’ll know is by discovering that Zip archive in your Applications folder too.

If you have a software firewall active, you will at least be warned that the package is trying to perform “preinstall via curl” from the target site, but Little Snitch doesn’t worry about the fact that the package isn’t signed, of course.

Neither the command tool installed by this package nor the Zip archive downloaded by its pre-install script are put into quarantine, therefore neither will be subjected to Gatekeeper’s first run checks when you do try to open them. So by using the Open command in Installer, Gatekeeper hasn’t taken a proper look at either, and nothing has warned you of that fact.

With no more than a couple of ad-hoc signatures, and using the GUI alone, this package has managed to slip two payloads past Big Sur’s Gatekeeper checks. To the user, the only indication that this has happened is the absence of a padlock in Installer’s window.

Why does this happen?

It’s easy to assume that opening any quarantined file will somehow magically invoke Gatekeeper, but that isn’t the case. This mechanism relies on the open request being handled by LaunchServices. When you double-click on an app or document, or use the Finder’s Open command, that’s exactly what happens, and triggers one of the warnings shown above.

Opening a document such as an Installer package from within the app doesn’t pass through LaunchServices, though, so doesn’t trigger the quarantine and Gatekeeper check. macOS leaves it to the app to perform any security checks which it deems necessary, and in the case of the Installer app that appears to be little if any.

In ordinary use, Apple expects users not to open Installer direct, in which case this problem wouldn’t arise. Indeed, when you’ve just used Installer, it isn’t left in the Dock for further access. However, Apple hasn’t considered that some users add apps from CoreServices to the Dock to make them easier to run, nor the fact that the Installer app still ends up in the Finder’s Recent Items menu, from where it’s easy to run and trigger this problem.

Pre-install scripts are a greater concern. According to Apple’s documentation, they’re primarily intended to support checks that everything’s good to install the package, with post-install scripts to perform any cleaning up that’s needed. In practice, though, many commercial developers supply users with a stub Installer package which then downloads the bulk of an app using curl, which evades quarantine and Gatekeeper completely. Unfortunately this is a technique used to deploy malicious software too. Any suggestion of limiting the power or scope of these scripts is thus likely to be strongly opposed by all parties, however much it might improve security.

Demonstration

If you want to test this out yourself, I’m providing the demonstration for download from here: installTest1

It behaves as described above. The package itself installs a copy of my command tool cintch, which in this case isn’t signed with a Developer ID or notarized, but a special build which is just ad-hoc signed. To make it easy to remove, cintch is installed into the main Applications folder.

The pre-install script downloads a Zip archive of my command tool blowhole, which is both signed and notarized, and the same as that available on its product page. This also ends up in your Applications folder.

The package itself is unsigned, and when downloaded from here using a browser should have a quarantine flag added, to make it easy for you to reproduce my tests.

Bonus

When you’re trying to check quarantined unsigned packages using my utilities such as xattred (which shows its extended attributes), ArchiChect and Taccy, you’ll encounter the same problems with LaunchServices: if the package has a quarantine flag set, dragging and dropping it onto one of those apps elicits the same refusal as double-clicking the package. This is because LaunchServices engages Gatekeeper, as described above. If you want to check the package, use the app’s Open command instead, and you won’t be blocked by Gatekeeper.

Lessons

There’s an important difference in how packages and apps are treated when you double-click or open them in the Finder, and when you open them from within the app. If you’ve got a download which you want Gatekeeper to check, Finder double-click is best.

Subtle indicators, such as the padlock in the top right of Installer’s window, can be very important. There’s scope for Installer’s design to be improved to help the user more given the modern threat landscape.

Don’t be surprised when an Installer package installs more than you expect, and don’t expect such downloads to pass through Gatekeeper’s checks. If you’re unsure about the safety of any download, don’t install it until you’re confident that it’s safe.

Acknowledgements

This investigation and article were inspired by what seemed to be a simple question from Nick, and subsequent discussion to which Thomas Reed and others contributed. I don’t think that I’ve answered anything useful, but hopefully have made us all more aware and cautious about Installer packages. I’m very grateful to Milo (see comment below) who pointed out my scripting error in the original version of the demo: this has now been corrected, and the demo should now work as described above.

28Comments

Add yours

1

David B. on March 16, 2021 at 11:41 am

Hello Howard

Please provide a link to where a “..subsequent discussion to which Thomas Reed contributed”.

I’d like to ask if anyone there has checked that the ClamXav installer passed the tests with flying colours. I’ve no doubt that SOMEBODY has checked!

It would put my mind at rest.

David

LikeLiked by 1 person
- 2
  
  hoakley on March 16, 2021 at 1:06 pm
  
  Thank you. The discussion was a rather diffuse and weakly threaded exchange of tweets, so there’s no useful link to provide. However, Thomas works for Malwarebytes. I very much doubt whether they would pass comment on a competing product, though you can always try in their support forums.
  I’m not sure why you refer to the installer here, or passing tests. As I have written above, it’s extremely common for Installer packages to download additional software, and there’s nothing sinister about that being done. You can check for yourself using a software firewall such as Little Snitch.
  Howard.
  
  LikeLike
- 3
  
  James J. O'Shea on March 18, 2021 at 1:14 pm
  
  What problems are you having with ClamXAV? It is quite reliable here. The installer does not appear to install anything other than the ClamXAV package itself, the app, the anti-malware database, and support files. Certainly Sophos, also present on machines in the same network, does not detect anything. A check with MalwareBytes also shows no problems. What problems have you detected? When? Where? Which malware package was involved? Why do you think that ClamXAV needs to be tested? Have you contacted Apple? If so, what was their response? If not, why not?
  
  LikeLiked by 2 people
  - 4
    
    David B. on March 18, 2021 at 6:17 pm
    
    Hello James
    
    This thread might help you to understand my concerns:- https://answers.microsoft.com/en-us/protect/forum/all/ramnit-trojan-on-imac-aol-disk-from-2008-false/e18cc0a4-5895-412e-9306-e565d2571849
    
    I had bought and paid for the ClamXav software because I was suspicious of its method of marketing. I was generally unhappy with answers provided by Mark Allan on the ‘help’ desk and his unwillingness to use his ClamXav Facebook page in what I consider a satisfactory manner. Even now there are only 373 people who ‘like’ the product!
    
    Mark Allan will not discuss my concerns with me directly or on the product support page https://www.clamxav.com/support/ and has also blocked me from Facebook and LinkedIn. He took such action only when I told him that, partially in memory of my deceased son (a guru at ICL) I was hunting for ‘bad guys’ on the Internet. What I’m after, here, is evidence. I’d like someone to check and prove my fears groundless!
    
    David
    https://www.linkedin.com/in/boaterdave/
    
    LikeLike
    - 5
      
      hoakley on March 18, 2021 at 11:50 pm
      
      I think this thread is straying well away from the article above.
      I have suggested how you might examine the Installer package, an issue which is relevant.
      I’d be grateful if you would either continue discussing matters relevant to this article, or bring it to a quick conclusion.
      Thank you,
      Howard.
      
      LikeLike
  - 6
    
    James J. O'Shea on March 18, 2021 at 8:00 pm
    
    For some reason I cannot reply to David Brooks’ reply.
    
    I note that he has failed to answer my questions. He has not said what problems he has with the product. He has not said when he had the problem. He has not said which malware was involved. He has not said why he thinks that the product needs to be tested; saying that he was ‘suspicious’ of it is not stating a reason. Why was he suspicious? He doesn’t say.He doesn’t say if he contacted Apple. He certainly doesn’t say if Apple had anything to say on the matter. And he fails to say why he didn’t contact Apple, if he didn’t. He does say utterly irrelevant things about Facebook. Having under 200 people on a Facebook page indicates merely that the developer doesn’t use Facebook to market his product, or that many who use the product don’t use Facebook. I use the product. I don’t use Facebook. He also says that he has some kind of an ‘investigation’ for ‘bad guys’, and the developer cut off contact with him. I would do exactly the same thing.
    
    Mr. Brooks, please provide something to show that there is a problem with ClamXAV. Please state whether or not you contacted Apple; surely that would have been the logical first move if you had actual evidence of wrong-doing on the part of the developer. If Apple looked at the evidence and agreed, then Apple would revoke the developer’s various certifications and so on. As the developer is still in good standing, something a look at the installer would reveal, then either you have failed to contact Apple or Apple does not see a problem. The fact that you decline to state the nature of the problem agrees strongly in favor of my current suspicion that there is no problem.
    
    In short, put up or shut up.
    
    LikeLiked by 2 people
    - 7
      
      hoakley on March 18, 2021 at 11:47 pm
      
      I’m sorry: that’s because WordPress limits the depth of threading. That results from the problems that would cause with column width.
      Howard.
      
      LikeLike
8

Milo on March 16, 2021 at 2:51 pm

Interesting findings. If I’m suspicious about a package I will inspect it with the Suspicious Package App by Mothers Ruin. It gives you the opportunity to check the files that will be copied as well as the included scripts. It also has some heuristics to warn you about possible problems. It didn’t complain about the curl statement though, which should possible be regarded as a yellow/red flag. Consistently with your description, you will be warned by macOS about the missing singnature if you drag the package on the Suspicious Package App. There is no warning when you use the Open dialogue.

There is an error in your package by the way. I believe the follwoing curl command won’t work on most Macs. You have the username hard-coded in the ouput path.

curl https://eclecticlightdotcom.files.wordpress.com/2020/08/blowhole10.zip -o “/Users/hoakley/blowhole10.zip”

LikeLiked by 1 person
- 9
  
  hoakley on March 16, 2021 at 3:55 pm
  
  Thank you – and thank you very much for drawing attention to the script error. I’ve now corrected that, and the package should work as advertised, although to ensure simplicity I’ve changed that download path so that it also uses the Applications folder.
  Yes, I have and use Suspicious Package, which I strongly recommend. But surely Installer should be doing things like that, particularly as packages are one of the two methods of delivering apps, according to Apple. If it’s an official method, then Apple should provide good security protection for its own bundled utility.
  Howard.
  
  LikeLike
- 10
  
  David B. on March 16, 2021 at 5:32 pm
  
  Well spotted, Milo! 😃
  
  As you appear to be a bit of an expert, do you have the time to check the ClamXav installer package? Hopefully you’ll find nothing amiss, but it would put my mind at rest. Thanks if you will.
  
  David,
  Devon, England
  
  LikeLike
  - 11
    
    Milo on March 17, 2021 at 11:45 am
    
    I’m sorry, but I’m not really an expert in antiv-virus software on mac. It would be very difficult for me to give you any advice on this topic. I have never used such a product on my mac.
    
    LikeLiked by 1 person
12

Rick on March 16, 2021 at 8:15 pm

Another vote for suspicious package which is invaluable for checking out any packages before installation. I’ve never been a fan of just letting installers do what they want, especially as many will ask for elevated privileges.

I agree with Howard though that macOS should be doing these sort of checks. Relying on just the package being signed seems a little lacking and I’d prefer the installer app to do some more thorough analysis.

As you also note, this is a good example of why Little Snitch is so useful, at least we get to know that the installer is trying to download from somewhere and raises flags.

Did you really update the script to change the hardcoded path? The one I just downloaded still has /Users/hoakley in it. That actually causes curl to fail with exit code 23 but the script the forces an exit with code 0 so the installer believes is was successful. Maybe using just exit, or exit $? or even omitting the exit altogether would be a better approach?

Thanks again for a very insightful blog post.

LikeLiked by 1 person
- 13
  
  hoakley on March 16, 2021 at 8:26 pm
  
  Thank you.
  Yes, I just downloaded and checked it, and it definitely has the corrected script, which downloads the blowhole Zip archive to /Applications, and not my Home folder.
  The rule with pre-install scripts is that, if they don’t return 0, then the install will be cancelled. It’s as well that my incorrect first attempt did return 0, or there would have been no demo at all.
  Howard.
  
  LikeLike
14

Rick on March 16, 2021 at 8:37 pm

I’m guessing that it must be a result of WordPress cacheing as this version definitely has /Users/hoakley in it:

xattr -px com.apple.metadata:kMDItemDownloadedDate installtest1.zip | xxd -r -p | plutil -p –
[
0 => 2021-03-16 19:57:56 +0000
]

And the one I just downloaded has /Applications:

xattr -px com.apple.metadata:kMDItemDownloadedDate installtest1-1.zip | xxd -r -p | plutil -p –
[
0 => 2021-03-16 20:28:13 +0000
]

Very true about the script returning 0. I assume if it was a real installer script and not a demo that failing the install would be the right thing to do.

LikeLiked by 1 person
- 15
  
  hoakley on March 16, 2021 at 11:47 pm
  
  I’m sorry about that – something was caching there, although this afternoon when I corrected my error, I was able to get the revised page and the new file.
  Howard.
  
  LikeLike
  - 16
    
    Rick on March 17, 2021 at 12:06 am
    
    No need for an apology, I guess it took its time to get to this end of the world.
    
    LikeLiked by 1 person
17

David B. on March 17, 2021 at 3:25 pm

FAO Milo

Thank you for your response. I was not seeking your advice with regard to the efficacy of any specific anti-malware product, but rather to determine if there is anything untoward within the ClamXav installer PACKAGE itself.

Is ANYONE reading here willing to check?

David

LikeLiked by 1 person
- 18
  
  hoakley on March 17, 2021 at 3:38 pm
  
  It’s not hard. To examine a package, use Suspicious Package, which is free. If you want to check what it connects to for downloading external software, then you can use a free software firewall or Little Snitch.
  Of course that begs the question as to how anyone decides “if there is anything untoward” there. But none of us is any the wiser as to what you might consider that to be.
  I wish you success.
  Howard.
  
  LikeLike
  - 19
    
    David B. on March 27, 2021 at 4:27 pm
    
    Thank you, Howard
    
    Did you watch the recent TV programme called ‘The Terror’?
    I thought of you! 😅
    https://en.wikipedia.org/wiki/The_Terror_(TV_series)
    
    LikeLiked by 1 person
    - 20
      
      hoakley on March 27, 2021 at 10:01 pm
      
      Thankfully I went (mainly) south rather than north. There are only the remains of old whaling stations down in the Antarctic – though they can be pretty terrifying if you think about them too much.
      Howard.
      [I have edited your comment to remove references to external content which isn’t appropriate here, I’m afraid.]
      
      LikeLike
21

James J. O'Shea on March 18, 2021 at 1:06 pm

“Opening a document such as an Installer package from within the app doesn’t pass through LaunchServices, though, so doesn’t trigger the quarantine and Gatekeeper check. macOS leaves it to the app to perform any security checks which it deems necessary, and in the case of the Installer app that appears to be little if any.”

The above appears to be a fairly serious security hole. If Gatekeeper won’t stop, or even detect, such possible problems, will 3rd-part anti-malware pick up the slack? Because of management requirements, all Macs in the building have anti-malware installed, usually ClamXAV or Sophos. We will probably be going all-in with one of the Sophos packages. ClamXAV works well, but is slow.

LikeLiked by 1 person
22

David B. on March 28, 2021 at 1:26 am

Howard – yet again you didn’t answer my question! (Did you watch The Terror?)

I’m fairly certain I once read that you had ‘walked’ to the South Pole. If possible, please provide a link to a suitable reference to that adventure. Thanks.

Are you aware of this website? [link removed by hoakley]

David

LikeLiked by 1 person
- 23
  
  hoakley on March 28, 2021 at 8:16 am
  
  Thank you.
  I don’t watch any TV, so the answer is no, I didn’t.
  I don’t know where you read that, but that isn’t true. As I was in the Antarctic in the mid-80s before the Internet happened, there’s no web page that I know of which details the expedition.
  Thank you for drawing my attention to a copycat website. I’m afraid that some sad people do that sort of thing. At least they’ve made it unbearable by filling it with ads, so I expect few will suffer them to read what they can access here without them.
  Howard.
  
  LikeLiked by 1 person
24

Howard on April 27, 2021 at 8:46 pm

what do you mean by opening an installer package from within the app? I dont understand.
Thanks.

LikeLiked by 1 person
- 25
  
  hoakley on April 27, 2021 at 9:13 pm
  
  I mean the app running code, such as a script, which opens a .pkg file in the Installer app so that the contents of that package will be installed.
  Howard.
  
  LikeLike
  - 26
    
    Howard on April 28, 2021 at 1:38 am
    
    Thanks for the reply!
    I get it, an alredy installed app opening an installer
    was this patched in the last os update?
    
    LikeLiked by 1 person
    - 27
      
      hoakley on April 28, 2021 at 8:00 am
      
      No. Apparently it’s a feature and not a vulnerability.
      Howard.
      
      LikeLike
28

Michael Tsai - Blog - Distributing Mac Apps Without Notarization on July 2, 2021 at 6:25 pm

[…] Update (2021-07-02): Howard Oakley: […]

LikeLike

·Comments are closed.

Share this:

Related