This is a straightforward question that I was not able to determine with a bit of research.
In macOS, are binaries signed or are applications (e.g. *.app) signed? I have found evidence of the latter (and a tool called codesign that can check signatures and even show which files were modified), but am unsure of the former.
For example, are base user utilities (e.g. cp, grep, ls, etc) all signed? Or are they somehow bundled in with the Terminal.app that is itself signed? What about utilities that are not part of an .app bundle? Can they be individually signed? Where does this signature live?
In general, how does signing work in macOS and how is it enforced? Does the loader check and validate the signature, or does the kernel? It would seem the loader would also need a signature.
RTFM
Code Signing Guide
https://developer.apple.com/library/content/documentation/Security/Conceptual/CodeSigningGuide/Introduction/Introduction.html
Technical Note TN2206 / macOS Code Signing In Depth
https://developer.apple.com/library/content/technotes/tn2206/_index.html
Related
I was wondering if it's possible to build a Mach-O file, or modify an existing one and then re-sign it so that the code sections will be encrypted.
I know that there's a flag called cryptid that represent the encryption type (by values `EncryptionInfo32/64 for load commands LC_ENCRYPTION_INFO_32/64 respectively)
However, I couldn't find anywhere in Xcode for how it's done.
EDIT : I'm well aware that it can be done in iOS, but my question relate to macOS, does the platform support this encryption feature in Mach-O file ?
EDIT2: So after reading the other question I understood that the whole encryption thing can only be done by appStore which is after the Mach-O file is already left the developer side. So in this case, Apple actually controlled the encryption/decryption algo+key and it's completely outside the developer hand, right ?
Also, since the Mach-O is being changed during the encryption, so who's in charge to re-sign the application ?
Thanks
No, you cannot do this.
The only "supported" way of getting LC_ENCRYPTION_INFO added to your binary is by distributing through the iOS App Store. It is Apple who checks your binary for compliance with their rules, then encrypts the binary and re-signs it.
This is all backed by "FairPlay", Apple's proprietary DRM stack. Not much is known about it since the code is heavily obfuscated, but it is widely believed that it's built on features of Apple's custom hardware AES engine. Given this, it may or may not be possible to create an encryptor yourself, but it would require immense reverse engineering efforts to even find out.
Further, the entire FairPlay stack is only present on Apple's own chips. It is indeed available on M1 Macs, as you can install iOS apps off the shelf (so long as you leave SIP enabled), but it is not available at all on Intel Macs (the relevant kexts are IOTextEncryptionFamily.kext and FairPlayIOKit.kext, the latter of which is obfuscated).
I am developing some freeware applications. Mostly they are written in Java to make them run on multiple systems. Meanwhile I have some thousand users and so it makes a lot of fun.
To make the Java apps easier to run under Windows, I also create executable wrappers using launch4j and installer applications using inno setup.
Now I have problem, because of Windows 8. In former Windows versions the OS just showed up a message by trying to start such an executable which was saying that the exe file comes from an "unknown" vendor. In Windows 8 they made it even harder. There is something like "Windows protected you from this dangerous application!".
So I am highly interested in signing my apps. But I am not willing to pay anything for this as I offer my software for free. Using Google I found the "CAcert" project that allows people to create free certificates. But I haven't found detailed information about the following questions:
can I create certificates to sign executables?
can I create certificates using my company name?
Is there anyone familiar with CAcert?
Or has anyone another hint to solve my problem?
thanks a lot...
Well, you can use use a CAcert certificate to sign your code, but it won't help you. That's because the OS doesn't install the CAcert root certificate.
If you want to stop your users seeing these messages you'll need to obtain a commercial certificate.
I work on a vertical-market Mac application that uses a USB dongle to make sure users have paid for it. It's expensive enough, and in enough demand, that "black hats" have tried to crack the dongle scheme, so the app checks the executable and key resource files at runtime, and if something has been tampered with, the program won't run.
With PKI (Public Key Infrastructure) based code signing becoming more commonplace in the Mac world, I'm considering switching to using it to do this runtime verification, which would have the nice side effect of making Gatekeeper happy.
However, Apple's interest is very different from mine. Their focus is on making the user happy, so if an app has an incorrect signature, Mac OS X will simply ask the user if they want to run it anyway. My focus is on thwarting crackers, so if my app has an incorrect signature, I simply don't want it to do anything that's useful to an end-user.
So I want my app to be able to validate its own executable and resources, using Apple's signatures, at runtime.
Also, from what I've read of the libraries offered Mac OS X for doing validation, they simply give a "yes" or "no" answer to requests to validate an executable. It strikes me that this is susceptible to "black hat" attack in a number of ways - for instance, one could simply replace Apple's tools with ones that always say, "yes, this is valid", either in the system directories or by changing the search path for those tools. So I think it might be a good idea to build the complete set of signature validation code into my app.
So I have a few questions:
What PKI libraries/APIs are available to let an app validate its own executable and resources which have been signed using Apple's codesign system?
Do these libraries have source code available?
Are my security concerns about using the PKI libraries Apple ships with Mac OS X valid, or are they safer to use than I think?
Does anybody have experience with this kind of thing they'd be willing to share? Are there other gotchas or tips?
Thanks in advance for any help with this.
To answer #1 and #2 above, Apple has open-sourced its code for creating and verifying digital signatures as libsecurity_codesigning. So a developer could build that into their app to let it validate its own signature.
Alternatively, MacOS's version of this library can be used by an app - but the API is private, so that's a gotcha. There's a brief discussion at this link.
I've been asked to redesign our build/sign/release processes. I'm pretty happy with Windows stuff and I've identified several networked-HSM products that will do what we need. They basically integrate directly with CryptoAPI so the people doing the signing can just use signtool.exe as normal.
We currently have a separate Mac team who do their own build/sign/release. This is all working fine on a couple of Mac Minis in one of our DCs. I'd like to protect our Mac software keys as well and so I'm trying to find out how to integrate a networked-HSM into our Mac signing process.
I can't find any good information about this anywhere! So I'm hoping someone in here has done this already and can lessen my pain.
The actual questions are;
1) Can I use a HSM with the standard Mac code-signing tools?
2) Can anyone recommend a vendor/product for the above?
3) Can anyone point me towards some good documentation on Mac code signing and the inner-workings of the Mac crypto infrastructure?
Cheers
BHB
I don't believe any of the major HSM vendors (nCipher, SafeNet, etc.) have any hooks into the Mac code signing tools, nor do I believe Apple exposes any. Your best bet would be to try and determine what the code signing mechanism looks like when performed by the Mac tools and then try and duplicate it yourself manually. However, off the top of my head, I don't recall seeing that the major vendors support OSX-based HSM clients out of the box. I know that SafeNet supports Java via a custom JCE provider. If there's a PKCS#11 interface you can hook into, then you may be able to leverage OpenSSL or another similar toolkit, but it will result in some work for you.
I develop a desktop application for use on Windows, and was wondering how I can get my executables signed so they stop showing those horrible looking warning messages about being from an unknown publisher. I am somewhat familiar with signing binaries before releasing them. I have a Linux port of the same program which is distributed though it's own signed repository (apt-get).
The process for signing windows executables seems extremely complicated and I can't find a simple tutorial on what to do, rather thousands of webpages describing only parts of the process, or which go into way too much depth.
I just need a quick list of steps which are necessary to sign executables under windows. I believe it's called "authenticode".
Tools see MSFT Introduction to Code Signing
edit: you buy a certificate from a provider - most web registrars sell them.
Then simply sign the executable using the msft tools
see http://www.instantssl.com/code-signing/code-signing-process.html