hoakley August 29, 2022 Macs, Technology

Are command tools getting out of their depth?

Mach object file format, Mach-O for short, is one of the oldest and most fundamental file formats in macOS, as used in all native executable code, libraries, and more. Although users most often launch Mach-O files wrapped into an app bundle, when you open Terminal to run command tools there you’re usually interacting directly with Mach-O binaries.

Over the years Mach-O files have evolved considerably. Architectural transitions, first from PowerPC to Intel, and most recently to ARM, have brought universal or fat binaries containing two complete executables. More recent security requirements have made this even more complex. As Alexandre Colucci has documented from bitter experience, the thoroughly modern Mach-O file can now require:

signing, mandatory for ARM executables to run at all;
embedded Info.plist, to accompany the signature and for other requirements;
notarization, required by all third-party developers to run on recent versions of macOS;
hardened runtime, required for notarization;
App Sandbox enablement, for distribution through the App Store, and for certain entitlements;
entitlements, for the App Sandbox and to gain access to certain macOS frameworks and features.

There are some benefits, though. With an embedded Info.plist, it’s now possible for the version and other details of a command tool to be discovered without running the command. This is a big step forward, as knowing which option to pass to obtain a version number isn’t simple. Many tools are happy with -v, but for others that merely makes responses verbose, or might do something quite different.

Sure enough, look at a command tool with an embedded Info.plist in the Finder, and its version number should be displayed. But, as it’s a command tool, the important question is how you get that information at the command line, as I was asked about one of my command tools, silnite. It turns out that a good answer isn’t easy to come by.

Historically, the most popular answer has been to use mdls to query the kMDItemVersion metadata, but that doesn’t seem able to access version numbers set against the CFBundleShortVersionString key in an embedded Info.plist. That’s a pity, because
mdls -name kMDItemVersion /usr/local/bin/silnite
seems relatively logical and straightforward, but just returns (null).

Flushed with that unsuccess, I dug a little deeper and came across a tool almost as old as Mach-O files, otool, which might appear as otool-classic, described in its man page as being “the preferred tool for inspecting Mach-O binaries, especially for binaries that are bad, corrupted, or fuzzed.” Indeed, using a command like
otool -P /usr/local/bin/silnite
dumps the whole Info.plist, where it’s easy to find the version as the value for the key CFBundleShortVersionString.

However, my answer wasn’t ideal, as more recently some have reported that otool is only installed by the Xcode command tools, and may not be available to all users. It also isn’t the fastest of commands to run, suggesting that something else is going on. So my best answer is to use launchctl, which definitely is present. A command like
launchctl plist /usr/local/bin/silnite
returns the whole of the embedded Info.plist as JSON-ised XML, within which you’ll find
"CFBundleShortVersionString" = "7";

I’m grateful to @josh_avraham for pointing out another alternative in plutil, as in
plutil -p /usr/local/bin/silnite
which returns the whole Info.plist too.

If you need to do this in code, there’s a good alternative in CFBundleCopyInfoDictionaryForURL(_:). Although its name might suggest it only works with bundles, Apple explains “For a plain file URL representing an unbundled application, this function will attempt to read an information dictionary either from the (__TEXT, __info_plist) section of the file (for a Mach-O file) or from a plst resource.”

Information about signatures, hardening, notarization and entitlements is revealed by two commands:
spctl -a -vv -t install /usr/local/bin/silnite
and
codesign -dvvv /usr/local/bin/silnite
then there’s always lipo for working with universal binaries.

These are an interesting trip down memory lane, but doing modern things with Mach-O files is messy and unnecessarily difficult. As they continue to become more complicated, it would be really helpful if these tools and procedures were overhauled and updated. Creating and inspecting a single file shouldn’t be more complex than doing so for a complete app bundle.

Thanks to Harald for pointing out that, as Mach-O came from NeXT, it wasn’t around for the first transition from 68K to PowerPC.

11Comments

Add yours

1

Andrew Reillyndrew Reilly on August 29, 2022 at 7:16 am

Your architecture list is a couple short, as both “Intel” and “Arm” have encompassed two distinct architectures each: their 32-bit and 64-bit versions. MacOS has only seen 64-bit Arm, but iOS saw a transition there, around iPhone5-era. I was a bit surprised that Apple went with that first 32-bit intel series: the chips could do 64-bit by then, and they had 64-bit PowerPC under their belt, and it gave them a whole headache of on-going compatibility problems.

There seems to still be some magic that allows self-compiled executables to run without being notarized. I think that only becomes a problem when you try to distribute code. On my new Arm mac I see that the codesign command you mentioned does show some sort of hash and Signature=adhoc. On intel it just says “code object is not signed at all”. No info.plist on the intel executable, “not bound” on the Arm one. I suppose the “linker-signed” code is a protection against post-compilation modification by, say, malware, which is probably a good and helpful thing.

LikeLiked by 1 person
- 2
  
  hoakley on August 29, 2022 at 3:27 pm
  
  Thank you – you’re perfectly correct, of course, about 32- and 64-bit, another fat binary phase. Thankfully I’ve never knowingly built a 32-bit app, and when I returned to compiled languages went straight to 64-bit.
  All the build tools for Mac now automatically add ad hoc signatures to unsigned ARM executables – which is why you don’t have to worry about the requirement for them to be signed. Notarization is only a ‘requirement’ that Apple tells its developers to adhere to. It’s the signing that’s required to run on ARM, and even then it’s not the signature, but the cdhashes which are used. I have some articles about this, including how the cdhashes are used.
  When Intel code is run translated by Rosetta 2, it has to sign all the code it translates anyway, so Apple silicon Macs can run unsigned x86 without problems.
  Howard.
  
  LikeLike
3
Ed on August 29, 2022 at 1:28 pm
Part of why otool is slow, at least on first run, might be that it goes through a Bash file in /opt/local/bin which in turn invokes xcrun, which then finds and runs the appropriate otool binary. Well, this is how it works on my M1 mini with Xcode and MacPorts. After caching, subsequent runs of “otool –version” are much faster. The batch file:
```
#!/bin/bash
if [[ -x /usr/bin/xcrun ]] ; then
  exec /usr/bin/xcrun otool "${@}"
elif [[ -x /usr/bin/otool ]] ; then
  exec /usr/bin/otool "${@}"
else
  exec otool "${@}"
fi
```
LikeLiked by 1 person
- 4
  
  hoakley on August 29, 2022 at 3:31 pm
  
  Thank you. That’s a dreadful kludge!
  Howard.
  
  LikeLiked by 1 person
5

Harald Striepe on August 29, 2022 at 4:04 pm

Looks like an opportunity for you!
BTW, I do not think 68K was ever a part of MACH-O, since Darwin started with PPC.

On the subject of command line, there are a few gems on Eric Sadun’s github page: https://github.com/erica?tab=repositories

LikeLiked by 1 person
- 6
  
  tim1724 on August 29, 2022 at 7:47 pm
  
  Mach-O predates Darwin. As its name suggests, it was developed as part of the Mach microkernel project at CMU. It was used by all versions of NeXTSTEP/OpenSTEP, including on the original NeXT computers that used the 68030 or 68040. So yes, there is Motorola 68k support in Mach-O. ☺️
  
  If you check /usr/include/mach/machine.h (which is buried somewhere inside Xcode.app on modern versions of macOS) you’ll see that the cpu_type_t value for 68k is 6:
  
  #define CPU_TYPE_MC680x0 ((cpu_type_t) 6)
  
  LikeLiked by 1 person
  - 7
    
    hoakley on August 29, 2022 at 7:49 pm
    
    Thank you. Yes, I was forgetting that, although that wasn’t a transition that Apple went through.
    Howard
    
    LikeLike
    - 8
      
      Harald Striepe on August 29, 2022 at 7:55 pm
      
      I was the birth of 68k to PPC was the birth of the universal library concept. On the older MacOS it was made possible by the true forked filesystem. The current approach of bundles was borne by trying to integrate with foreign file systems.
      
      LikeLiked by 1 person
    - 9
      
      hoakley on August 29, 2022 at 8:43 pm
      
      Thanks, yes, the bundle wasn’t so much about foreign file systems, though, as I recall. It was dictated by the NeXT influence wanting to do away with resource forks altogether, hence the only possible structure was a specialised directory, hence the app bundle.
      I tried to look up what happened with Mac OS executables for that transition, and as code was kept in resources in Classic Mac OS, there was nothing like the glued-together fat binary of Mach-O, and the joys of lipo. Those were to come with Intel Macs, of course.
      Howard.
      
      LikeLike
    - 10
      
      Harald Striepe on August 29, 2022 at 10:08 pm
      
      Yes, you are correct. NeXT introduced bundles. I think they introduced it for UFS used with Nextstep
      
      It is actually surprising how long it took for Apple to add lipo/universal functionality to Xcode. I remember refactoring some SDK projects a couple of years ago that were using build scripts to create universal dylibs.
      
      LikeLiked by 1 person
    - 11
      
      Harald Striepe on August 29, 2022 at 7:56 pm
      
      Man, typos!
      
      LikeLiked by 1 person

·Comments are closed.

Share this:

Like this:

Related