hoakley March 7, 2023 Macs, Technology

Do Ventura’s signature checks work?

Gatekeeper has been generous to a fault in the past. Once an app had passed its first-run checks, in most circumstances it was left well alone, and didn’t undergo further thorough checks. For apps that updated themselves, this was a great help, as the updater could change them extensively without having to sign them again. However, it also allowed malicious modifications, and the strange situation that XProtect malware signature updates weren’t applied to existing apps. This all changes as of macOS Ventura, as this article explains.

Gatekeeper checks

When a quarantined app is run for the first time, in addition to it being translocated to a distant folder, five sets of checks are run:

The app’s signing certificate is checked, to ensure its validity, and its chain of trust to Apple’s root certificate. If it’s not signed by Apple or a Developer ID Application certificate, then an ad hoc certificate is expected on Apple silicon systems.
The app’s integrity is checked against its secure hashes (cdhashes) to ensure that protected parts of the app haven’t been altered since signing.
The app is scanned for malware signatures, according to the current list provided by XProtect.
Notarization is checked, preferably in a ticket stapled to the app, but if that’s not available (as with command tools), it’s checked with Apple’s records.
App sandbox, entitlements and hardening are also checked, as they determine the runtime environment to be provided.

For some years, once an app had cleared those initial checks, they wouldn’t be repeated unless it was moved, or something set its quarantine flag. This allowed many apps with broken signatures or failed cdhashes to continue to run normally.

Ventura checks

Every time you run an app or other executable code, such as a command tool, those first run checks are now repeated, although not quite in the same depth, and with slightly greater tolerance for minor errors, it appears. This is easy to demonstrate.

Create a folder in a convenient location such as ~/Documents, and copy to that an existing signed app. Because older macOS is sensitive to changing the location of apps, open the app from that folder and verify that it runs correctly. Quit it, then modify one byte within it. For example, using a text editor change a character in the copyright information in the app’s Info.plist, or using a binary editor alter a character of text within the app binary in Contents/MacOS.

If you’re lucky, you might see a rejection alert when you try run the app.

In some cases, you may be allowed to try Command-Click and the Open command to try bypassing this refusal, and that may even give you a second chance.

If you try to open the app from there, it should be crashed immediately because of its signature error.

Check the signature

Although I have some utilities that will check signatures, by far the best is Apparency from Mothers Ruin. Once fully installed, this adds QuickLook preview information about app signatures, and a button to view that item in Apparency.

This shows how Apparency reports an app I crafted to check whether macOS had fixed a longstanding vulnerability in signature checking. Code signatures apply to different architectures, including Intel and Apple silicon. For some time, Gatekeeper checks didn’t cover all architectures correctly, a failure which could have been exploited. This crafted version of my app Cormorant contains two conflicting signatures, as recognised by Apparency.

It can also give more detailed information about errors and certificates.

Check logs

When an app has been crashed by macOS, the next place to turn to is the crash log, one of the few valuable features of Console.

In this case, Cormorant was being run in translocation, as shown in the Path given at the top. The Exception Type and Termination Reason given make it clear the app was crashed by macOS because of its code signature error.

At one time, this type of event was recorded in great detail in the Unified log. Now all you’ll see there is a single entry from the kernel starting
CODE SIGNING: process 85820[Cormorant]: rejecting invalid page at address 0x10ed37000 from offset 0xa000 …
then launchd reporting
exited with exit reason (namespace: 3 code: 0x2) - OS_REASON_CODESIGNING

Quirks

Certificate expiry dates are a little more complicated than you might expect, and depend on the type and purpose of certificate. For ordinary app and other executable signing, a Developer ID Application certificate is used, and remains valid for Gatekeeper even though the certificate has long expired. The crucial date in this case is when the app was signed: so long as the Developer ID Application certificate was valid at that time, then Gatekeeper will accept the certificate many years later.

That isn’t true of certificates used to sign Installer packages, which are a different type, Developer ID Installer. Those are required to be valid when you try to install that package, so old packages will have expired certificates that can no longer be used.

If you read my article about adding custom icons to apps, you may now be wondering why they don’t break the code signing of those apps when they place a file named Icon? inside the app bundle. Custom icons escape code signatures on two counts:

the Icon? file is installed at the top level in the app bundle, which isn’t included in its signature coverage,
the Icon? file contains no data at all, just two extended attributes, which aren’t included in cdhashes, something that also applies to quarantine flags, which would break signatures otherwise.

Relevance

Does any of this have any relevance to the real world of malware, though?

Of the three anti-malware protection measures introduced recently in XProtect and XProtect Remediator, two struggle with Ventura’s new behaviours. Honkbox has been distributed inside pirated copies of apps like Final Cut Pro, normally obtained using apps that don’t set a quarantine flag. As Ventura now checks those signatures thoroughly, it will detect the app’s broken signature and refuse to run it, even though the quarantine flag isn’t set. KeySteal’s installer’s revoked signature should be detected by older versions of macOS, but will certainly be detected by Ventura even if run with SIP disabled and Gatekeeper/XProtect turned off.

This all makes it harder for malware to get past the protections in macOS.

19Comments

Add yours

1

OLd Coot on March 7, 2023 at 12:46 pm
Reply

If you depreciate your secuity settings on Ventura where there are extensions that ask you to do so, two come to mind, on for macFuse and the other for a extension for DriveDX for a Samsung T7, will this effect the whole sequence of events that you decribed in your article?

LikeLiked by 1 person
- 2
  
  hoakley on March 7, 2023 at 1:40 pm
  Reply
  
  Thankfully they shouldn’t affect them at all.
  The Reduced Security setting I think you’re referring to concerns only Secure Boot, and that only allows it to load third-party extensions. While that could make your Mac slightly more vulnerable to some malicious software, there are other layers of security that still come into play to protect you.
  XProtect and signature checks that are part of Gatekeeper don’t depend on Secure Boot, but on a separate setting that is checked routinely by SilentKnight. Provided that you haven’t disabled them (and SilentKnight will tell you if you have), your Mac should still enjoy the full protection of Gatekeeper.
  I also run tests on a VM on which I have removed boot security, turned off SIP and disabled XProtect/Gatekeeper, and was surprised to discover that even then it still checks for the validity of signing certificates, and blocks them when they’ve been revoked.
  Howard.
  
  LikeLike
- 3
  
  John Gilbert on March 8, 2023 at 1:14 am
  Reply
  
  Based on my experience: 1) macFUSE no longer uses a kernel extension, 2) the SATSMARTDriver kext (used by DriveDX) does not support a Samsung T7 because the T7 is not a SATA SSD.
  
  LikeLiked by 1 person
  - 4
    
    Old Coot on March 8, 2023 at 1:18 am
    Reply
    
    Thanks for the information. Good to know, now that I have been pulling what little hair I have left, out over these two dilemma’s.
    
    LikeLiked by 1 person
  - 5
    
    hoakley on March 8, 2023 at 7:26 am
    Reply
    
    Thank you.
    “macFUSE no longer uses a kernel extension”
    Well, macFUSE begs to differ. Not only does its front page state “The macFUSE software consists of a kernel extension and various user space libraries and tools” but the current version 4.4.2 does indeed install a KEXT.
    The T7 is, in SMART terms, a nightmare, as are all those faster SSDs that deliver better performance over USB 3.x. To do that, they use NVMe, which has no SMART support when accessed over USB – Apple only supports SMART over Thunderbolt, and SATSMART only supports SATA drives. Yet another glaring gap in the Mac’s support for USB storage.
    Howard.
    
    LikeLike
    - 6
      
      John Gilbert on March 8, 2023 at 9:25 am
      
      You are, of course, correct that macFUSE uses a kext. My lame excuse is that it does not get loaded at boot, rather only when used – I was led astray.
      
      Here is what Apparency says for the kext:
      
      “macfuse. kext was signed by “Developer ID Application: Benjamin Fleischer (3T5GSNBU6W).” Apple issued this certificate to a third-party developer, for signing macOS software to be distributed outside of the App Store.
      Because macOS enforces special restrictions for kernel extensions, Apparency didn’t evaluate this code against the default Gatekeeper policies.
      The verified signing time is 18 February 2023 at 11:14 am.
      This developer has been distributing software under the Developer ID program since at least 13 July 2018. Gatekeeper uses this date to determine if notarization is required.
      Apple has authorized this developer to distribute kernel extensions.”
      
      The last line is interesting as it discloses that the developer has been explicitly authorised to distribute a kext. So Apple trusts macFUSE.
      
      LikeLiked by 1 person
    - 7
      
      hoakley on March 8, 2023 at 11:28 am
      
      I think you’re perhaps over-reading the implications of the last sentence.
      For some years now, all kexts have had to be signed, and Apple has to specifically authorise that signature for use in signing kexts. AFAIK there’s no technical review of those kexts, it’s just something that a developer has to apply for. There’s no special trust associated with kext signatures. They were also the first class of software for which notarization was made mandatory, when it was first introduced. Each kext is therefore scanned by Apple, but only under the normal notarization scheme, just as all notarized apps are.
      Apple has authorised signatures for kexts that have been highly unstable and caused many kernel panics, in the past.
      Howard.
      
      LikeLike
8

Old Coot on March 7, 2023 at 1:50 pm
Reply

Thanks for you quick explanation on the matter. One thing I have run into lately and I am not sure if it’s a bug, is that if I let the MBP run for a few days with out rebooting and something requires me to warnboot ( Restart) Ventura I am finding it is not loading all the background apps that either populate Full Disk Access and Login Items and then have to coldboot. I don’t frecall BigSur eveer doing this and I skipped Montery.

LikeLiked by 1 person
- 9
  
  hoakley on March 7, 2023 at 1:56 pm
  Reply
  
  That seems strange, although I have long advised that not shutting down notebooks every few days can sometimes have strange effects. I don’t know whether this has anything to do with those kernel extensions, though.
  Howard.
  
  LikeLike
  - 10
    
    Old Coot on March 7, 2023 at 2:03 pm
    Reply
    
    I guess I’ll just keep plugging along and see if the next release of Ventura might fix it once it is out of beta, which got me in trouble on Apple Communities last week when I used the word “beta”. I guess you are not suppose to use that word at all on the Ventura forum. Thanks again for you insights.
    
    LikeLiked by 1 person
    - 11
      
      hoakley on March 7, 2023 at 4:30 pm
      
      You’re always welcome to say ‘beta’ as much as you like here.
      Howard.
      
      LikeLike
12

Old Coot on March 7, 2023 at 5:52 pm
Reply

as to my earlier comment about macFUSe and Reduced Security setting in Ventura, it seems that one developer has a workaround “FUSE-T is a kext-less implementation of FUSE for macOS”. https://www.fuse-t.org/#h.q9gr8r80cw4z . Not sure if other developers can use this strategy with there apps. “getting harder and harder to load kernel extensions. Apple strongly discourages it.

Details: https://www.fuse-t.org/

LikeLiked by 1 person
- 13
  
  hoakley on March 7, 2023 at 9:48 pm
  Reply
  
  Thank you. I note that they report the kernel extension is unstable, which could account for your problems, perhaps.
  Howard.
  
  LikeLike
14

dominikushoffmann on March 7, 2023 at 10:31 pm
Reply

What’s a “Bin?”

😜

LikeLiked by 1 person
- 15
  
  hoakley on March 7, 2023 at 10:59 pm
  Reply
  
  It’s where we put the trash, of course.
  Howard.
  
  LikeLike
  - 16
    
    dominikushoffmann on March 7, 2023 at 11:04 pm
    Reply
    
    Bins are where Americans put trash they can’t quite bring themselves to throw out, which they then put in their basements (uh, cellars) or attics (well, lofts).
    
    LikeLiked by 1 person
17

Old Coot on March 8, 2023 at 1:24 am
Reply

I thought Americans and Canadians used their garages for that sort of thing rather than putting it in their “basements (uh, cellars) or attics (well, lofts)”. Isn’t the reason the vehicles are always parked out side of the garages.

LikeLiked by 1 person
18

John Gilbert on March 8, 2023 at 1:41 am
Reply

Great article which inspired me to get Apparency. I strongly recommend the FAQ https://mothersruin.com/software/Apparency/faq.html to anyone wanting to follow this further.
One little gem: Many apps (including Pages, etc.) have an expired “Apple Mac OS Application Signing” certificate. I sort of understand (from Quirks in your article and Apparency’s FAQ) why this is not a problem – nevertheless it does highlight the confusions in the application certificate scheme.

LikeLiked by 1 person
- 19
  
  hoakley on March 8, 2023 at 7:31 am
  Reply
  
  Thank you.
  The good thing with signing and certificates is that those you should be most concerned about, those not signed by Apple, should now all be notarized, which does at last impose stricter requirements.
  Howard.
  
  LikeLike