Reading the developer docu about Code Signing, it says in section Digital Signatures and Signed Code
:
To create a digital signature, the signing software computes a special
type of checksum called a hash (or digest) based on a piece of data or
code and encrypts that hash with the signer’s private key. This
encrypted hash is called a signature.To verify that signature, the verifying software computes a hash of
the data or code. It then uses the signer’s public key to decrypt the
signature, thus obtaining the original hash as computed by the signer.
If the two hashes match, the data has not been modified since it was
signed by someone in possession of the signer’s private key.Signed code contains several digital signatures:
- If the code is universal, the object code for each slice
(architecture) is signed separately. This signature is stored within
the binary file itself.- Various components of the application bundle
(such as the Info.plist file, if there is one) are also signed. These
signatures are stored in a file called _CodeSignature/CodeResources
within the bundle.
After some fiddling, I know the following:
- Inside the binary, I got the
CodeDirectory
(0xfade0c02
) containing all SHA-1 hashes or checksums of the Bundle, e.g.Info.plist
etc. - Inside the bundle, I got the
_CodeSignature
directory with theCodeResources
file, which – as the cited paragraph above mentions – should contain all signatures. However, theCodeResources
only contains base64 encoded SHA-1 hashes of several files. - Inside the binary, I've got some certificates, which I can extract using
codesign -d --extract-certificates <binary>
– generatingcodesign0
,codesign1
etc. These certificates actually areCMS Signatures
(0xfade0b01
) that do contain certificate signatures. Looking upCMS
I get Cryptographic Message Syntax, which is used to sign data.
Now the paragraph tells me that some hash has to be stored as a signature (encrypted hash) in the binary or in the CodeResources
file.
I suspect that codesign
uses one of the certificates/CMS Signatures
to extract the public key, then decrypts a signature (encrypted hash) and compares the output to the original hash of a given file, e.g. Info.plist
.
So my question is: Where is this signature (encrypted hash)? Is it the signature inside a certificate/CMS Signature
? Or is it somewhere else?
Best Answer
Here is the basic test I made.
I have OS X 10.10 installed on a external disk under volume name "Steelhead3". I entered the following commands.
I then made a copy of the folder "Boot Camp Assistant.app". Next, I edited the "/Volumes/Steelhead3/Applications/Utilities/Boot Camp Assistant.app/Contents/Info.plist" and made a small change regarding the model Macs that can make the Windows USB installer.
At this point I reran the following commands.
From here I booted to Windows and used the Windiff.exe application to compare the files. I expected to see the change made to the "Info.plist" files, which I did. Also, the "/Volumes/Steelhead3/Applications/Utilities/Boot Camp Assistant.app/Contents/MacOs/Boot Camp Assistant" files appeared to have changed. Since this is a binary file, I first converted the before and after versions to hex characters, then Windiff.exe was used to find the differences. Below is the only differences.
It appears the only difference is a 20 byte change in the the executable binary file. I assume this is where the hash is stored. All other files were unchanged.