2008-02-13

Leopard doesn't verify code signatures?

With all the fuss about code signatures in Leopard, I expected that the system would verify signed applications when they're launched, and prompt the user if the signature is incorrect. It doesn't.

To test this, first verify that TextEdit's signature is valid:

codesign -v /Applications/TextEdit.app/

(It should print nothing.) Then edit /Applications/TextEdit.app/Contents/Info.plist. Make sure the edit is simple enough that you can undo it — changing the version number is an easy option. Now verify the signature again:

codesign -v /Applications/TextEdit.app/
/Applications/TextEdit.app/: code or signature modified

Now open TextEdit. It opens without warning. We could have replaced the executable with malicious code, and we wouldn't have been warned.

Make sure you revert your change to Info.plist and re-verify the application.

Since Tiger doesn't have any safeguards of this kind, obviously the situation is no worse than on Tiger, but I don't understand what the point of code signing is if the OS doesn't make use of it to make the user's experience that little bit safer.
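The launch-time check the post expected can be approximated by hand. The following is an added example, not code from the original post or from Apple: `verified_open` is a hypothetical helper name, and the optional second argument is assumed to be code requirement text passed to codesign's `-R` option (for example `anchor apple`).

```shell
#!/bin/sh
# Added example: refuse to launch an app bundle whose signature does not verify.
# verified_open is a hypothetical helper; codesign and open are the macOS tools.
#
# usage: verified_open /path/to/App.app [requirement-text]
#   exit 0  signature valid, app handed to open
#   exit 1  verification failed, app NOT launched
#   exit 2  bad arguments
verified_open() {
    app=${1:-}
    req=${2:-}

    if [ -z "$app" ] || [ ! -d "$app" ]; then
        echo "usage: verified_open /path/to/App.app [requirement]" >&2
        return 2
    fi

    # codesign -v prints nothing and exits 0 when the bundle matches its seal.
    # With -R it must additionally satisfy the given requirement, so a bundle
    # that was modified and then re-signed by someone else is also rejected.
    if [ -n "$req" ]; then
        msg=$(codesign -v -R "=$req" "$app" 2>&1) || {
            echo "refusing to launch: $msg" >&2
            return 1
        }
    else
        msg=$(codesign -v "$app" 2>&1) || {
            echo "refusing to launch: $msg" >&2
            return 1
        }
    fi

    # Only reached when verification succeeded.
    open "$app"
}
```

Without a requirement, a passing check only says the bundle is intact relative to whatever signature it carries, not who signed it. There is also a window between the check and the launch, so this is a stopgap rather than a substitute for enforcement by the OS.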

3 comments:

Ahruman said...

The point is that it will check the app’s signature if it tries to get a key from the Keychain.

Jean-François Roy said...

More generally, the application's identity will no longer be valid. Anything that checks the identity status of the application will fail.

The dialog that appears when you first launch a new application is something different (it's the quarantine API that's part of Launch Services).

OneSadCookie said...

Checking on keychain access is all well and good, but my keychain data is not the only important data on my system. Why not verify at launch to provide the extra security?

I'm not thinking of the quarantine dialog, I'd want the signature to be checked at each launch to be sure the app I'm running is the app I think I am.