Code_Signing - heldersrvio/PureDarwin GitHub Wiki

Code Signing

This page is about binary signature.

Background

As of Mac OS X and Darwin, a Mach-O code signature system (similar in concept to Microsoft AuthentiCode for PE binaries on Windows, and Solaris ELF signing) has been implemented. At least on Darwin, this system is not "formally" used, and no binaries are signed.

On Mac OS X, the code signature system forms part of the basis of the "Seatbelt" GPC (Granular Process Control)/RBAC (Role Based Access Control) mechanism (an implementation detail of the Parental Control feature), and most binaries shipped are signed.

I've got a binary, is it signed?

There are probably many ways of checking if a binary is signed on Darwin (although some techniques could also be possible on other operating systems), and Mac OS X ships with tools for checking code signatures.

The otool Way

On Darwin, you can quickly check for the presence of a code signature with otool -l /YourBinaryOfChoice | grep LC_CODE_SIGNATURE. You're looking for the "cmd LC_CODE_SIGNATURE" line (regardless of whether or not you decided to grep). Without grepping, output similar to the following is produced:

Load command 13 cmd LC_CODE_SIGNATURE cmdsize 16 dataoff 574704 datasize 7968 The binary used in the example above was (naturally) otool from Mac OS X Leopard.

Other ways

strings YourBinaryOfChoice | grep "Apple Code Signing Certification Authority" or

grep -b "Apple Code Signing Certification Authority" YourBinaryOfChoice ### Examples on Mac OS X On Mac OS X, the `codesign' binary "is used to create, check, and display code signatures, as well as inquire into the dynamic status of signed code in the system." according to the man description. #### Inspecting otool codesign -dvvvv /usr/bin/otool  Executable=/usr/bin/otool Identifier=com.apple.otool Format=Mach-O universal (i386 ppc7400) CodeDirectory v=20001 size=2920 flags=0x0(none) hashes=141+2 location=embedded CDHash=ea392676d34975966fcc4471c3d85dee70978255 Signature size=4064 Authority=Software Signing Authority=Apple Code Signing Certification Authority Authority=Apple Root CA Info.plist=not bound Sealed Resources=none Internal requirements count=0 size=12

The Apple object file utility shipped with Mac OS X is signed, in the contrary of the one built from DarwinBuild.

codesign -dvvvv /Volumes/Builds/9F33/BuildRoot/usr/bin/otool  /Volumes/Builds/9F33/BuildRoot/usr/bin/otool: code object is not signed

Note: No "impurity" detected at codesign' inspection with otool', so perhaps it could be build with the DarwinBuild project and be available in PureDarwin.

Verifying the dynamic validity of a process

In this example, we will take launchd' process, which also run as an init' replacement.

ps ux -p1 USER   PID %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND root     1   0.0  0.0   600820    552   ??  Ss    9:46PM   0:00.42 /sbin/launchd

codesign -vvvv 1 1: dynamically valid 1: satisfies its Designated Requirement

Note: The "-h" options seems not (yet) documented but remains functional:

codesign -h 1 /sbin/launchd /mach_kernel

Miscellaneous

Related fields found in Xcode:

Resources

Apple Technical Note TN2206: Mac OS X Code Signing In Depth The Apple Mac OS X 10.5 codesign Manual Page is attached to this page (PDF) Sun Solaris 10 elfsign(1) Manual Page

man codesign man csreq

The goal of this project is to make Darwin more usable by providing an installation ISO, documentation, and add-on software. You are welcome to join #puredarwin on irc.freenode.net or the Gitter chat if you would like to join PureDarwin development and to add to this site.

Join the chat at https://gitter.im/PureDarwin/

The Wiki pages were recently moved from Google Sites and in the conversion process some formatting was lost. Please help fixing the markdown of this page by editing it. But please delete nothing, especially not (broken) images; fix them instead (see the main page of the Wiki for an example).

⚠️ **GitHub.com Fallback** ⚠️