How to verify app signatures

Andrew Perfiliev
Sep 18, 2018 · 4 min read

One potential route by which an attacker can compromise your Mac is to modify a legitimate software package to contain malware. While this is difficult to do through official software distribution channels (e.g., the Mac App Store), it can be done through popular alternative approaches like peer-to-peer networking and third-party software distribution Web sites.

You can use digital signing to both automatically and manually determine if an app has been compromised, and then further investigate whether to trust the app.

Automatic signature detection

When an app is run on your Mac, OS X’s GateKeeper feature will validate the signature, allowing properly signed packages to run, but requiring explicit execution for others. As such, provided you have GateKeeper at its maximum protection settings you should be able to detect potential problems with new software that you download.

Do note that while GateKeeper will detect signature issues with programs you are running for the first time, it will not assess changes to those that have previously run. As such, to check your current installations, manual assessment may be needed to check your current apps.

Manual signature detection

If you wish to manually inspect the status of your apps’ signatures, then you can do so using the OS X Terminal:

  1. Open the Terminal
  2. Type the following command, followed by a single space:

codesign — verify — verbose

3. Drag your desired app to the Terminal window, to enter a full path to it, so it looks like the following :

codesign — verify — verbose /Applications/AppName.app

4.Press Enter to run the verification.

When run, you will see output such as the following for Safari that indicates if the app is valid and whether or not its signing requirements have been satisfied:

$ codesign — verify — verbose /Applications/Safari.app
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement

If the app’s contents have been modified (altered files, or unrecognized components added to the app package), then you will see another output, such as the following that indicates a file “nefariousfile.sh” that was added to the program:

$ codesign — verify — verbose /Applications/Safari.app
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/ASDF/nefariousfile.sh

Note that for any app where the output of this command claims a file was added or modified (such as the above), be very skeptical of the app and consider immediately removing it and replacing it with one obtained directly from the developer.

In addition to checking the code signature, you can use OS X’s system policy routines for assessing the validity of apps and their signatures. This approach is similar to using the “codesign” tool, but gives a reason why the signature was accepted or rejected:

$ spctl — assess — verbose /Applications/Safari.app
/Applications/Safari.app: accepted
source=Apple System

In this case the sources of acceptance are the following:

Apple/Apple System — Built-in program in OS X
Developer ID — Properly signed by a Developer ID account
Mac App Store — Properly signed by the Mac App Store

Beyond this, rejections may happen for a variety of reasons, including no usable signature, obsolete resources, missing or invalid resources, among others.

Note that if you have explicitly run your app and confirmed to bypass GateKeeper’s warnings, then it may still run even if not properly signed, so if manual assessment of your app shows it as being rejected, then consider investigating it. Often such problems happen because apps are simply old, or it may be that the developer is legitimate but just has not signed the app (though most are getting onboard with Apple’s signing process), but if it is a current and updated app that should be signed, then do look into replacing it with the most recent version.

For ease, you can run these verifications and assessments commands on all of your apps by combining them with the following uses of the “find” command. This will locate all app packages in your Applications folder, and then execute the above assessment commands on them (copy and paste the following commands into the Terminal to run them):

For codesign verification:

find /Applications -d 1 -name “*.app” -exec codesign — verify — verbose {} \;

For system policy assessment:

find /Applications -d 1 -name “*.app” -exec spctl — assess — verbose {} \;

When these commands are run, the output for each app found will be listed in the Terminal. Resize the Terminal to accommodate the output, and then scroll up and down to review the status of your apps.

Image for post
Image for postImage for post

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store