One potential route by which an attacker can compromise your Mac is to modify a legitimate software package to contain malware. While this is difficult to do through official software distribution channels (e.g., the Mac App Store), it can be done through popular alternative approaches like peer-to-peer networking and third-party software distribution Web sites.

Such was the case with some of Apple’s software, where hackers installed malware in past versions of iWork and XCode that were distributed by means other than Apple’s servers. In addition to modified distributions of software, malware in the past has accessed and compromised built-in programs like Safari. Such modifications often cause instability to the program and spur investigation, but sometimes can go completely unnoticed.

Luckily, with the advent of Apple’s developer program, most popular apps for OS X that are maintained and supported by their developers undergo digital signing. This is where a calculation is run on the finalized app that uses metrics such as the number of files in the app package, their sizes, checksums, and other details, and generates a signature code that is accepted by the developer and Apple.

You can use digital signing to both automatically and manually determine if an app has been compromised, and then further investigate whether to trust the app.

Automatic signature detection

When an app is run on your Mac, OS X’s GateKeeper feature will validate the signature, allowing properly signed packages to run, but requiring explicit execution for others. As such, provided you have GateKeeper at its maximum protection settings you should be able to detect potential problems with new software that you download.

Do note that while GateKeeper will detect signature issues with programs you are running for the first time, it will not assess changes to those that have previously run. As such, to check your current installations, manual assessment may be needed to check your current apps.

Manual signature detection

If you wish to manually inspect the status of your apps’ signatures, then you can do so using the OS X Terminal:

1. Open the Terminal
2. Type the following command, followed by a single space:

   codesign --verify --verbose

3. Drag your desired app to the Terminal window, to enter a full path to it, so it looks like the following (leaving the trailing slash is optional):

   codesign --verify --verbose /Applications/AppName.app

4. Press Enter to run the verification.

When run, you will see output such as the following for Safari that indicates if the app is valid and whether or not its signing requirements have been satisfied:

$ codesign --verify --verbose /Applications/Safari.app
/Applications/Safari.app: valid on disk
/Applications/Safari.app: satisfies its Designated Requirement

If the app’s contents have been modified (altered files, or unrecognized components added to the app package), then you will see another output, such as the following that indicates a file “nefariousfile.sh” that was added to the program:

$ codesign --verify --verbose /Applications/Safari.app
/Applications/Safari.app: a sealed resource is missing or invalid
file added: /Applications/Safari.app/Contents/ASDF/nefariousfile.sh

Note that for any app where the output of this command claims a file was added or modified (such as the above), be very skeptical of the app and consider immediately removing it and replacing it with one obtained directly from the developer.

In addition to checking the code signature, you can use OS X’s system policy routines for assessing the validity of apps and their signatures. This approach is similar to using the “codesign” tool, but gives a reason why the signature was accepted or rejected:

$ spctl --assess --verbose /Applications/Safari.app
/Applications/Safari.app: accepted
source=Apple System

In this case the sources of acceptance are the following:

Apple/Apple System -- Built-in program in OS X
Developer ID -- Properly signed by a Developer ID account
Mac App Store -- Properly signed by the Mac App Store

Beyond this, rejections may happen for a variety of reasons, including no usable signature, obsolete resources, missing or invalid resources, among others.

Note that if you have explicitly run your app and confirmed to bypass GateKeeper’s warnings, then it may still run even if not properly signed, so if manual assessment of your app shows it as being rejected, then consider investigating it. Often such problems happen because apps are simply old, or it may be that the developer is legitimate but just has not signed the app (though most are getting onboard with Apple’s signing process), but if it is a current and updated app that should be signed, then do look into replacing it with the most recent version.

For ease, you can run these verifications and assessments commands on all of your apps by combining them with the following uses of the “find” command. This will locate all app packages in your Applications folder, and then execute the above assessment commands on them (copy and paste the following commands into the Terminal to run them):

For codesign verification:

find /Applications -d 1 -name "*.app" -exec codesign --verify --verbose {} \;

For system policy assessment:

find /Applications -d 1 -name "*.app" -exec spctl --assess --verbose {} \;

When these commands are run, the output for each app found will be listed in the Terminal. Resize the Terminal to accommodate the output, and then scroll up and down to review the status of your apps.