Code signing and macOS security - MacADUK 2017

Transcript

1. Code signing and macOS security Hannes Juu)lainen University of Jyväskylä

   and mcare pro Oy @hjuu)lainen everywhere

2. @hjuu%lainen • I live in Jyväskylä1, Finland • Sysadmin at

   University of Jyväskylä for the past 15 years. • Service developer at mcare pro Oy, Finland's leading Apple ICT consultancy. • Recovering musician... • I ❤ my wife and son (and Munki and AutoPkg)! 1 Transla)on for those who don't know Finnish: jyvä = grain, kylä = village. Yes, it's a small town...

3. Code signing Code signing is an integral part of macOS

   security used to: • Iden&fy the source/origin (a developer or signer) of the code. • Guarantee that code has not been altered since it was signed. • Allow access to certain resources on the local computer without promp&ng the user.

4. Code signing Used by a number of macOS subsystems: •

   App Sandbox • Gatekeeper • Applica4on Firewall • Parental Controls • Keychain Access Controls

5. Code signatures are a lot like passports • Passports are

   issued by an authority who "vouches" for the holder. • They include informa;on about how to iden;fy the holder. • They cer;fy the iden;ty and na;onality of their holder.

6. Code signing • Required on iOS where every running process

   needs to be signed and valid. • Op;onal on macOS, unsigned code runs just fine. 2 2 Don't be surprised if this changes in some future macOS release...

7. Iden%ty, validity and trust Many parts of macOS do not

   care about the iden6ty of the signer. (Gatekeeper is a notable excep6on.) They care only whether the program is validly signed and stable. — Technical Note TN2206: macOS Code Signing in Depth

8. Iden%ty, validity and trust • Code signatures can be valid

   and not trusted. • Code signatures created with self-signed cer8ficates work fine.

9. Signed apps are secure to run...? Code signing does not

   make any promises about the contents or quality of the code. It might s:ll be insecure and full of vulnerabili:es.

10. Code signing does not hide or obscure the content of

    the signed code.

11. What changes when an app is signed?

12. None

13. Three pieces of code signature From Apple's Code Signing Guide

14. Three pieces of code signature 1) Seal. Collec*on of hashes

    of the various parts of the code, created by the code signing so;ware. • Hash of hashes. • Individual checksums of executables, resources, Info.plist file, requirements, etc.

15. Three pieces of code signature 2) Digital signature. The code

    signing so/ware encrypts the seal using the signer's iden9ty to create a digital signature. This guarantees the seal's integrity.

16. Three pieces of code signature 3) Code requirements. These are

    the rules governing verifica5on of the code signature. Some are inherent to the verifier (depending on its goals). Others are specified by the signer and sealed with the rest of the code.

17. Designated requirement (DR) anchor apple generic and identifier "com.hjuutilainen.MunkiAdmin" and

    (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field. 1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8XXWJ76X9Y")

18. anchor apple generic The root cer)ficate (or authority) in the

    cer)ficate chain. • anchor apple generic • Code signed by Apple, including code signed using a signing cer5ficate issued by Apple to other developers. • anchor apple • Apple's own code, signed by Apple. • anchor = <hash> • A specific cer5ficate hash.

19. identifier "com.hjuutilainen.MunkiAdmin" Iden%fier string embedded in the code signature. •

    Must match exactly. • No wildcard matches. • No tes6ng for inequality.

20. certificate leaf[field.1.2.840.113635.100.6.1.13] Checks the existance of certain fields in cer3ficates

21. certificate leaf[subject.OU] = "8XXWJ76X9Y" Check the actual iden.ty of the

    signer.

22. Don't worry! Xcode usually creates suitable code requirements automa3cally when

    signing. Here's what the process looks like:

23. Expor&ng from Xcode3 3 Since you're now viewing a PDF

    version, here's a descrip9on: This was a video showing an "Archive" and then export as a Developer ID signed app.

24. Expor&ng from Xcode Results of the automa-c signing: $ codesign

    --display --verbose=2 -r- "MacADUK Signed.app" Executable=MacADUK Signed.app/Contents/MacOS/MacADUK Signed Identifier=com.hjuutilainen.MacADUK-Signed Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20200 size=383 flags=0x0(none) hashes=4+5 location=embedded Signature size=8860 Authority=Developer ID Application: Hannes Juutilainen Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=1.2.2017 klo 15.15.20 Info.plist entries=21 TeamIdentifier=8XXWJ76X9Y Sealed Resources version=2 rules=13 files=4 designated => anchor apple generic and identifier "com.hjuutilainen.MacADUK-Signed" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8XXWJ76X9Y")

25. This is all fine and good, but... You promised to

    talk about Gatekeeper!

26. Going back to the passport analogy, imagine your computer is

    a country...

27. ...and downloading an app is someone travelling to your country...

28. ...and the code signature is their passport...

29. ...and Gatekeeper is of course the customs and border protec5on.

30. Also • Every country in the world can pay for

    apply for an Apple program to be able to issue passports which Apple vouches for. • CBP in every country especially likes these passports, they're easy to use and very secure. • There are some countries that have trouble issuing passports in the proper format. However, they are so important that CBP has received special instrucCons to allow them through. • Where a country does not recognise another, it may prohibit the use of their passport for travel to that other country.

31. Customs and border protec0on will • Check the passport and

    make sure it is valid. • Check that the passport is for the person entering the country. • Check the passport against a list of known criminals.

32. Gatekeeper does its best, but... • It will let anyone

    from Apple VIP countries with a valid passport enter. Even if they're saying they are Adobe Flash Player but are not using a passport issued by Adobestan. • Once you get through the passport checks, CBP won't care about your passport. • You could always cross the border somewhere where CBP is not guarding.

33. Quaran&ne • Applica(ons that download a file from the internet

    should add a com.apple.quarantine extended a7ribute to the file. • Presence of this a7ribute will trigger a Gatekeeper check. • Think of it as a feature of the downloading app, system will not force the a7ribute on downloaded files.4 4 Download something with curl and see if Gatekeeper cares (it doesn't).

34. Quaran&ne on the command line Lis$ng extended a-ributes: $ xattr

    -l <path> or ls -l@ <path> Clearing the com.apple.quarantine a,ribute: $ xattr -d com.apple.quarantine <path> Clearing all a*ributes: $ xattr -c <path>

35. Tools for working with signatures

36. Tools • codesign - Create, verify or display code signatures.

    • pkgutil - Verify installer package signatures. • productsign - Sign installer packages. • (spctl - Manage the security assessment policy subsystem.)

37. $ codesign [ -d,--display | -v,--verify | -s,--sign ]

38. Displaying code signatures

39. $ codesign --display --verbose=2 -r- <path> or $ codesign -dvvr-

    <path>

40. -d, --display Display informa.on about the code at the path(s)

    given. -v, --verbose Set the verbosity, add more v's to get more details. -r, --requirements During display, indicates where to write the code's internal requirements. Use -r- to write them to standard output.

41. $ codesign --display --verbose=2 -r- /Volumes/MunkiAdmin-1.4.3/MunkiAdmin.app Executable=/Volumes/MunkiAdmin-1.4.3/MunkiAdmin.app/Contents/MacOS/MunkiAdmin Identifier=com.hjuutilainen.MunkiAdmin Format=app bundle

    with Mach-O thin (x86_64) CodeDirectory v=20200 size=12475 flags=0x0(none) hashes=382+5 location=embedded Signature size=8910 Authority=Developer ID Application: Hannes Juutilainen Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=20.6.2016 klo 20.40.55 Info.plist entries=23 TeamIdentifier=8XXWJ76X9Y Sealed Resources version=2 rules=12 files=61 designated => anchor apple generic and identifier "com.hjuutilainen.MunkiAdmin" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8XXWJ76X9Y")

42. $ codesign --display --verbose=6 -r- /Volumes/MunkiAdmin-1.4.3/MunkiAdmin.app Executable=/Volumes/MunkiAdmin-1.4.3/MunkiAdmin.app/Contents/MacOS/MunkiAdmin Identifier=com.hjuutilainen.MunkiAdmin Format=app bundle

    with Mach-O thin (x86_64) CodeDirectory v=20200 size=12475 flags=0x0(none) hashes=382+5 location=embedded OSPlatform=36 OSSDKVersion=658176 OSVersionMin=657408 Hash type=sha256 size=32 CandidateCDHash sha1=5947463dced15997b175f41aaf392e20a78e7467 CandidateCDHash sha256=efd19a9f1349941b09bab5c8a9c0c6e2b2a756b8 Hash choices=sha1,sha256 Page size=4096 -5=eda0e349a903d27ba3b4d17ddb7364e137bc8292a2457384a8dfa9a663f78802 -4=0000000000000000000000000000000000000000000000000000000000000000 -3=6120954e7ad58a2505d9a33783cdd3b188986ae975c007bb7f00f838a23a9807 -2=09ff1b3fdf2c6478febd57e8f8c21aadcfff2ad564070b5e02001d50236a84b6 -1=411a9833ef968375020a846dff78d121d0260410fe150f9b0e67952ac7e6f7c1 0=2d11902ae12041a352c5e3e7839809461d46683401ef6507d089a9cf4dcea09f 1=2cb832eab1a75eb60fa3afbc9ed63619f4fb9b5e3e9495857c38f1f8654c0c6b 2=d5ba1cad676975a9fe196e8f233f700cfabe0c011f2c08bc36d3d480c05a24e1 --- snip --- 381=0207ea3bf0120ad32c6e7091c2938eb1e2aaa5c17788ed367c3e1d4bc47ede5b CDHash=efd19a9f1349941b09bab5c8a9c0c6e2b2a756b8 Signature size=8910 Authority=Developer ID Application: Hannes Juutilainen Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=20.6.2016 klo 20.40.55 Info.plist entries=23 TeamIdentifier=8XXWJ76X9Y Sealed Resources version=2 rules=12 files=61 designated => anchor apple generic and identifier "com.hjuutilainen.MunkiAdmin" and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "8XXWJ76X9Y")

43. Verifying code signatures

44. $ codesign --verify --deep --strict --verbose <path>5 5 Mimics what

    Gatekeeper does to check an app

45. -v, --verify Requests verifica.on of code signatures. --deep When verifying

    a bundle, specifies that any nested code content will be recursively verified. --strict When valida+ng code, apply addi+onal restric+ons: • Check that symbolic links inside the code bundle point to sealed files inside its bundle. • Check that no resource forks, Finder a;ributes, or similar sideband data is present in the signed code.

46. Usually it's just: $ codesign --verify --deep --strict --verbose MunkiAdmin.app

    MunkiAdmin.app: valid on disk MunkiAdmin.app: satisfies its Designated Requirement

47. But some)mes: $ codesign --verify --deep --strict --verbose *Chrome.app Google

    Chrome.app: resource envelope is obsolete (custom omit rules) $ codesign --verify --deep --no-strict --verbose *Chrome.app Google Chrome.app: valid on disk Google Chrome.app: satisfies its Designated Requirement

48. Verifying installer package signatures

49. $ pkgutil --check-signature <pkg>

50. $ pkgutil --check-signature ~/Downloads/MGBContentCompatibility.pkg Package "MGBContentCompatibility.pkg": Status: signed Apple Software

    Certificate Chain: 1. Software Update SHA1 fingerprint: 1E 34 E3 91 C6 44 37 DD 24 BE 57 B1 66 7B 2F DA 09 76 E1 FD ----------------------------------------------------------------------------- 2. Apple Software Update Certification Authority SHA1 fingerprint: FA 02 79 0F CE 9D 93 00 89 C8 C2 51 0B BC 50 B4 85 8E 6F BF ----------------------------------------------------------------------------- 3. Apple Root CA SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

51. $ pkgutil --check-signature ~/Downloads/munkitools-2.8.3.3014.pkg Package "munkitools-2.8.3.3014.pkg": Status: no signature

52. Signing installer packages

53. $ productsign --sign <identity> <input-pkg> <output-pkg>

54. $ productsign --sign "Developer ID Installer: Hannes Juutilainen" munkitools{,_signed}.pkg productsign:

    using timestamp authority for signature productsign: signing product with identity "Developer ID Installer: Hannes Juutilainen" from keychain login.keychain-db productsign: adding certificate "Developer ID Certification Authority" productsign: adding certificate "Apple Root CA" productsign: Wrote signed product archive to munkitools_signed.pkg $ pkgutil --check-signature munkitools_signed.pkg Package "munkitools_signed.pkg": Status: signed by a certificate trusted by Mac OS X Certificate Chain: 1. Developer ID Installer: Hannes Juutilainen SHA1 fingerprint: E0 F3 42 86 16 1B 79 B3 CC 84 DB BB 8F 1E 03 1A F1 8F 67 21 ----------------------------------------------------------------------------- 2. Developer ID Certification Authority SHA1 fingerprint: 3B 16 6C 3B 7D C4 B7 51 C9 FE 2A FA B9 13 56 41 E3 88 E1 86 ----------------------------------------------------------------------------- 3. Apple Root CA SHA1 fingerprint: 61 1E 5B 66 2C 59 3A 08 FF 58 D1 4A E2 24 52 D1 98 DF 6C 60

55. Demo

56. Hey, I heard AutoPkg can verify code signatures?

57. AutoPkg and CodeSignatureVerifier • AutoPkg core processor which can check

    the signature of a downloaded file. • Main idea is that we already know the designated requirement (DR) of an app from its previous version and use it to verify newly downloaded files. • The processor can also verify installer packages with pkgutil.

58. Verifying applica.ons/bundles <dict> <key>Processor</key> <string>CodeSignatureVerifier</string> <key>Arguments</key> <dict> <key>input_path</key> <string>%pathname%/LibreOffice.app</string> <key>requirement</key>

    <string> identifier "org.libreoffice.script.LibreOffice" and anchor apple generic and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = "7P5S3ZLCN7" </string> </dict> </dict>

59. Verifying installer packages <dict> <key>Processor</key> <string>CodeSignatureVerifier</string> <key>Arguments</key> <dict> <key>input_path</key> <string>%pathname%/Install

    Citrix Receiver.pkg</string> <key>expected_authority_names</key> <array> <string>Developer ID Installer: Citrix Systems, Inc.</string> <string>Developer ID Certification Authority</string> <string>Apple Root CA</string> </array> </dict> </dict>

60. Code signing and Gatekeeper reading list • Code Signing Guide

    (Apple) • macOS Code Signing In Depth (Apple) • Gatekeeper Exposed (Patrick Wardle) • Code Signing – Hashed Out (Jonathan Levin) These will be clickable once you download the PDF slides...

61. QA & Thank you!