Code Signing: Where is the “encrypted hash” of a signed blob

code-signing

Reading the developer docu about Code Signing, it says in section Digital Signatures and Signed Code:

To create a digital signature, the signing software computes a special
type of checksum called a hash (or digest) based on a piece of data or
code and encrypts that hash with the signer’s private key. This
encrypted hash is called a signature.

To verify that signature, the verifying software computes a hash of
the data or code. It then uses the signer’s public key to decrypt the
signature, thus obtaining the original hash as computed by the signer.
If the two hashes match, the data has not been modified since it was
signed by someone in possession of the signer’s private key.

Signed code contains several digital signatures:

If the code is universal, the object code for each slice
(architecture) is signed separately. This signature is stored within
the binary file itself.

Various components of the application bundle
(such as the Info.plist file, if there is one) are also signed. These
signatures are stored in a file called _CodeSignature/CodeResources
within the bundle.

After some fiddling, I know the following:

Inside the binary, I got the CodeDirectory (0xfade0c02) containing all SHA-1 hashes or checksums of the Bundle, e.g. Info.plist etc.
Inside the bundle, I got the _CodeSignature directory with the CodeResources file, which – as the cited paragraph above mentions – should contain all signatures. However, the CodeResources only contains base64 encoded SHA-1 hashes of several files.
Inside the binary, I've got some certificates, which I can extract using codesign -d --extract-certificates <binary> – generating codesign0, codesign1 etc. These certificates actually are CMS Signatures (0xfade0b01) that do contain certificate signatures. Looking up CMS I get Cryptographic Message Syntax, which is used to sign data.

Now the paragraph tells me that some hash has to be stored as a signature (encrypted hash) in the binary or in the CodeResources file.

I suspect that codesign uses one of the certificates/CMS Signatures to extract the public key, then decrypts a signature (encrypted hash) and compares the output to the original hash of a given file, e.g. Info.plist.

So my question is: Where is this signature (encrypted hash)? Is it the signature inside a certificate/CMS Signature? Or is it somewhere else?

Best Answer

Here is the basic test I made.

I have OS X 10.10 installed on a external disk under volume name "Steelhead3". I entered the following commands.

cd "/Volumes/Steelhead3/Applications/Utilities"
sudo codesign -fs - "Boot Camp Assistant.app"

I then made a copy of the folder "Boot Camp Assistant.app". Next, I edited the "/Volumes/Steelhead3/Applications/Utilities/Boot Camp Assistant.app/Contents/Info.plist" and made a small change regarding the model Macs that can make the Windows USB installer.

At this point I reran the following commands.

cd "/Volumes/Steelhead3/Applications/Utilities"
sudo codesign -fs - "Boot Camp Assistant.app"

From here I booted to Windows and used the Windiff.exe application to compare the files. I expected to see the change made to the "Info.plist" files, which I did. Also, the "/Volumes/Steelhead3/Applications/Utilities/Boot Camp Assistant.app/Contents/MacOs/Boot Camp Assistant" files appeared to have changed. Since this is a binary file, I first converted the before and after versions to hex characters, then Windiff.exe was used to find the differences. Below is the only differences.

It appears the only difference is a 20 byte change in the the executable binary file. I assume this is where the hash is stored. All other files were unchanged.

Related Solutions

MacOS – When applications are code-signed, what parts of the .app bundle does the signature cover

TL;DR It's up to the developer to pick which pieces of the app are signed and whether or not tampering with those pieces results in any actions when the app is launched. You have to use trial and error to figure it out on an app-by-app basis.

It is largely up to the developer to decide which components in their application bundle are represented in the seal that gets signed before they deliver their application. Anything in the seal is effectively tamper-proof as it's mostly impossible to modify these things without changing their hash signatures. But that's doesn't actually mean you can't tamper with them.

The Apple Developer guide has this to say about what you should sign:

You should sign every executable in your product, including applications, tools, hidden helper tools, utilities and so forth. Signing an application bundle covers its resources, but not its subcomponents such as tools and sub-bundles. Each of these must be signed independently.

If your application consists of a big UI part with one or more little helper tools that try to present a single face to the user, you can make them indistinguishable to code signing by giving them all the exact same code signing identifier. (You can do that by making sure that they all have the same CFBundleIdentifier value in their Info.plist, or by using the -i option in the codesign command, to assign the same identifier.) In that case, all your program components have access to the same keychain items and validate as the same program. Do this only if the programs involved are truly meant to form a single entity, with no distinctions made.

A universal binary (bundle or tool) automatically has individual signatures applied to each architecture component. These are independent, and usually only the native architecture on the end user's system is verified.

In the case of installer packages (.pkg and .mpkg bundles), everything is implicitly signed: The CPIO archive containing the payload, the CPIO archive containing install scripts, and the bill of materials (BOM) each have a hash recorded in the XAR header, and that header in turn is signed. Therefore, if you modify an install script (for example) after the package has been signed, the signature will be invalid.

You may also want to sign your plug-ins and libraries. Although this is not currently required, it will be in the future, and there is no disadvantage to having signatures on these components.

Depending on the situation, codesign may add to your Mach-O executable file, add extended attributes to it, or create new files in your bundle's Contents directory. None of your other files is modified.

Also from here it's not necessarily true that having an invalid signature for an application means it will fail to launch. The page says:

It is up to the system or program that is launching or loading signed code to decide whether to verify the signature and, if it does, to determine how to evaluate the results of that verification.

An application may choose to allow modifications.

Your best bet is a trial-and-error approach with any application you're trying to modify. It may work, it may not. There's no always-true answer that can be given.

If an app has been signed you can look for a Contents/CodeResources file or a Contents/_CodeSignature/CodeResources file in the bundle. This file lists all the signed components and their expected hash values in the bundle. It's a good place to start understanding what pieces of the application a developer deems critical enough to watch for changes.

MacOS – Anyone with experience in hacking the codesigning on OS X

Before OS X 10.10, you can run sudo codesign -fs - /Applications/Utilities/Boot\ Camp\ Assistant.app to re-sign the app with an ad-hoc signature.

In order to re-sign it in 10.10, you need to additionally specify the --deep command to re-sign bootcamp:

sudo codesign -fs - /Applications/Utilities/Boot\ Camp\ Assistant.app --deep

'--deep' When signing a bundle, specifies that nested code content such as helpers, frameworks, and plug-ins, should be recursively signed in turn. Beware that all signing options you specify will apply, in turn, to such nested content. When verifying a bundle, specifies that any nested code content will be recursively verified as to its full content. By default, verification of nested content is limited to a shallow investigation that may not detect changes to the nested code. When displaying a signature, specifies that a list of directly nested code should be written to the display output. This lists only code directly nested within the subject; anything nested indirectly will require recursive application of the codesign command.

Best Answer

Related Solutions

MacOS – When applications are code-signed, what parts of the .app bundle does the signature cover

MacOS – Anyone with experience in hacking the codesigning on OS X

Related Question