How to verify app signatures in OS X

One potential route by which an attacker can compromise your Mac is to modify a legitimate software package so that it carries malware. Doing this through official distribution channels (e.g., the Mac App Store) is difficult, but it is much easier through popular alternatives such as peer-to-peer networks and third-party software download sites.

Such was the case with some of Apple's own software: malware was inserted into copies of iWork and Xcode that were distributed by means other than Apple's servers. Beyond modified distributions, malware has in the past also tampered with built-in programs like Safari. Such modifications often make the program unstable and prompt an investigation, but they can also go completely unnoticed.

Luckily, with Apple's developer program, most popular OS X apps that are actively maintained by their developers are digitally signed. Signing computes cryptographic hashes of the app's executable code and of the resource files in its package (the "sealed resources"), and signs those hashes with the developer's private key; the certificate vouching for that key chains back to Apple. Any later change to a sealed file changes its hash, so the signature no longer matches the app on disk.

You can use these signatures, both automatically and manually, to determine whether an app has been tampered with, and then investigate further before deciding whether to trust it.

Automatic signature detection

When a newly downloaded app is first opened on your Mac, OS X's Gatekeeper feature validates its signature: properly signed packages are allowed to run, while unsigned or tampered ones are blocked unless you explicitly override the block (for example by right-clicking the app and choosing Open). Provided Gatekeeper is set to its most restrictive setting, you should catch most problems with new software that you download.

Do note that Gatekeeper only checks a program the first time it is opened after download (while it still carries the quarantine attribute); it does not reassess apps that have previously run, so a later modification to an installed app will not trigger a warning. To check your current installations, a manual assessment is needed.

Manual signature detection

If you wish to manually inspect the status of your apps’ signatures, then you can do so using the OS X Terminal:

  1. Open the Terminal
  2. Type the following command, followed by a single space:
    codesign --verify --verbose
  3. Drag your desired app into the Terminal window to insert its full path, so the command looks like the following (a trailing slash after the app name is optional):
    codesign --verify --verbose /Applications/AppName.app
  4. Press Enter to run the verification.

When run, you will see output such as the following for Safari, which indicates whether the app is valid on disk and whether it satisfies its Designated Requirement (the signing requirement embedded in its signature). The tool also exits with a nonzero status when verification fails, which is useful in scripts:

$ codesign --verify --verbose /Applications/Safari.app
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement

If the app's contents have been modified (sealed files altered or removed, or unrecognized files added to the app package), you will instead see output such as the following, which reports a file "nefariousfile.sh" that was added to the program:

$ codesign --verify --verbose /Applications/Safari.app
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/ASDF/nefariousfile.sh

Treat any app for which this command reports a file added, modified or missing (such as the above) with great suspicion; consider removing it immediately and replacing it with a copy obtained directly from the developer.

In addition to checking the code signature, you can use OS X's system policy assessment (the "spctl" tool), which applies the same policy Gatekeeper uses. This approach is similar to using the "codesign" tool, but reports whether the app is accepted or rejected under the current policy and the source of that verdict:

$ spctl --assess --verbose /Applications/Safari.app
/Applications/Safari.app: accepted
source=Apple System

In this case the sources of acceptance are the following:

Apple/Apple System -- Built-in program in OS X
Developer ID -- Properly signed by a Developer ID account
Mac App Store -- Properly signed by the Mac App Store

Beyond this, rejections may happen for a variety of reasons, including no usable signature, obsolete resources, missing or invalid resources, among others.

Note that if you have explicitly overridden Gatekeeper's warning for an app, it may still run even though it is not properly signed, so if a manual assessment shows an app as rejected, investigate it. Often the cause is simply that the app is old, or that a legitimate developer has not yet signed it (though most are adopting Apple's signing process). But if it is a current, updated app that should be signed, do look into replacing it with the most recent version from the developer.

For convenience, you can run these verification and assessment commands on all of your apps by combining them with the following uses of the "find" command. These locate every app package directly inside your Applications folder and run the above commands on each one (copy and paste the following commands into the Terminal to run them):

For codesign verification:

find /Applications -maxdepth 1 -name "*.app" -exec codesign --verify --verbose {} \;

For system policy assessment:

find /Applications -maxdepth 1 -name "*.app" -exec spctl --assess --verbose {} \;

When these commands are run, the output for each app found will be listed in the Terminal. Resize the Terminal to accommodate the output, and then scroll up and down to review the status of your apps.

Terminal showing app signature assessment

The "find" commands above give output like that shown in the screenshot, where the apps are assessed one after another and their results listed in the Terminal. Here you can see that a number of apps are "rejected" for a variety of reasons (obsolete, insufficient, or missing signature information).
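The following shell script is an added example, not code from the original article: it combines the two scans above, walking the app bundles directly inside /Applications, running codesign and spctl on each, and reducing their output to a one-line verdict per app plus any file codesign reports as added, modified or missing. The two parsing helpers are exercised on constructed transcripts modelled on the outputs shown earlier, so they run on any system; the scan itself only runs where codesign and spctl exist (the script checks for them first). The function names and the tab-separated report format are this example's own choices.

```shell
#!/bin/sh
# Added example: scan app bundles in /Applications with codesign and spctl
# and summarise each verdict. Not from the original article; function names
# and the report layout are this example's own conventions.

# Reduce an "spctl --assess --verbose" transcript (passed as one string) to
# "verdict|source", e.g. "accepted|Apple System" or
# "rejected|obsolete resource envelope".
spctl_verdict() {
    printf '%s\n' "$1" | awk '
        /: (accepted|rejected)$/ { sub(/^.*: /, ""); verdict = $0 }
        /^source=/               { source = substr($0, 8) }
        END { printf "%s|%s\n", (verdict == "" ? "unknown" : verdict), source }'
}

# Print the lines in which "codesign --verify --verbose" names a sealed file
# that was added, modified or missing; prints nothing for a clean app.
codesign_findings() {
    printf '%s\n' "$1" | awk '/^file (added|modified|missing): /'
}

# Walk the app bundles one level deep in the given folder and report on each.
# codesign writes its findings to stderr and exits nonzero on any problem,
# so both the text and the exit status are captured.
scan_applications() {
    dir=${1:-/Applications}
    find "$dir" -maxdepth 1 -name '*.app' | while IFS= read -r app; do
        cs_rc=0
        cs_out=$(codesign --verify --verbose "$app" 2>&1) || cs_rc=$?
        sp_out=$(spctl --assess --verbose "$app" 2>&1)
        if [ "$cs_rc" -eq 0 ]; then cs_state=valid; else cs_state=INVALID; fi
        printf '%s\tcodesign=%s\tspctl=%s\n' "$app" "$cs_state" "$(spctl_verdict "$sp_out")"
        # Show exactly which sealed files caused a codesign failure.
        if [ "$cs_rc" -ne 0 ]; then
            codesign_findings "$cs_out" | sed 's/^/    /'
        fi
    done
}

# Only run the scan where the OS X tools exist; the helpers above work anywhere.
if command -v codesign >/dev/null 2>&1 && command -v spctl >/dev/null 2>&1; then
    scan_applications "${1:-/Applications}"
fi
```

Run it as-is to scan /Applications, or pass another folder as the first argument. The helpers only read the text the tools print, so if a future OS X release changes the wording of the "source=" or "file added:" lines they will need adjusting; the exit status of codesign, which the script also uses, is the more stable signal. On OS X 10.9.5 and later you can add --deep --strict to the codesign call so that nested helpers and frameworks inside the bundle are checked as well.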

4 thoughts on "How to verify app signatures in OS X"

  1. xAirbusdriver

    The ‘assessment’ command is still running, but it certainly looks like there are more Apple apps showing “rejected” than the third-party apps! Really? I’m still using Yosemite, but the MAS seems to be unaware of any updates for Contacts, Dictionary, FaceTime, Font Book, Game Center, iBooks, Image Capture, Photo Booth, Photos, Preview, Reminders, etc., etc.! I think all of them are showing “obsolete resource envelope”. Basically the same thing running the “codesign” script. Sounds like running Preferences Repair and getting multiple and unnecessary problem reports/warnings.

    1. keldommage2014

      I’ve tried all the same apps you mention on my El Capitan (10.11.1) system and they all return fine:

      codesign --verify --verbose /Applications/Dictionary.app
      /Applications/Dictionary.app: valid on disk
      /Applications/Dictionary.app: satisfies its Designated Requirement

      1. Mouse

        El Capitan 10.11.4. Signatures verify just fine. But the *policies* fail for the Apple’s own binaries:

        $ codesign -vvv /usr/bin/uname
        /usr/bin/uname: valid on disk
        /usr/bin/uname: satisfies its Designated Requirement
        $ spctl -a -t exec -vvv /usr/bin/uname
        /usr/bin/uname: rejected
        source=obsolete resource envelope
        origin=Software Signing
        $

  2. alvarnell

    RB App Checker Lite by Rainer Brockerhoff http://brockerhoff.net/RB/AppCheckerLite/ is another convenient way to do a detailed signature check.
