Suggestion: md5/sha-1/256 checksums for binary download (+ maybe PGP sign?) #83
Comments
Hi! Cool, didn't think about this... will take it into account in the future :)
I think this is probably unnecessary, since the Application is code signed, and Gatekeeper checks signatures on first launch and complains if something is wrong. If the package is modified, the codesigning will be broken. If the code is signed by someone else, it won't be the same signatures (and would have to go through a lot of extra steps to get a kernel-extension signing certificate from Apple).

```
user@machine$ codesign -vvvv --display --entitlements - /Applications/Turbo\ Boost\ Switcher\ Pro.app
Executable=/Applications/Turbo Boost Switcher Pro.app/Contents/MacOS/Turbo Boost Switcher Pro
Identifier=rugarciap.com.Turbo-Boost-Switcher-Pro-Pro
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=2102 flags=0x10000(runtime) hashes=58+3 location=embedded
VersionPlatform=1
VersionMin=656896
VersionSDK=658944
Hash type=sha256 size=32
CandidateCDHash sha1=61bfffc7552b691a283851c3319dbc5071abd558
CandidateCDHashFull sha1=61bfffc7552b691a283851c3319dbc5071abd558
CandidateCDHash sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462
CandidateCDHashFull sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462b7160dec1f8e1b62f31da4c4
Hash choices=sha1,sha256
CMSDigest=aaed1ed8664d1bb914836a9113f14a4a0ecb3263b7a26134ed0515f52ba79ab7
CMSDigestType=2
Page size=4096
CDHash=2706dfeb199775206e8ed235f14d1b7ac4d26462
Signature size=9016
Authority=Developer ID Application: Ruben Garcia Perez (A7JE7SS8Z7)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 27, 2019 at 15:48:21
Info.plist entries=28
TeamIdentifier=A7JE7SS8Z7
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=51
Internal requirements count=1 size=236
```
The threat model is not 'someone altering a Gatekeeper signed binary' or providing 'an alternative Gatekeeper signed binary'. The threat model is that anyone who hacks the website server simply replaces the file with an unsigned alternative.

Most people are used to the idea that small developers often provide unsigned downloads that you allow to run; many Apple users have been doing things this way for decades.

An advantage of listing checksums for downloadables is that these can be logged to secondary sites (including automatically to search engine caches). The effort to hack multiple websites is far greater.

Another key advantage is that not only can users tell there is something odd with the executable, website admins can run a daily script from an external IP to verify the downloads match the approved checksums. A nice way of knowing that no one has hacked the site and altered the downloads.

A safety system built entirely into the executable is entirely valueless when that executable is the first thing that will be replaced by any adversary.

Anyway; your project, up to you.

Gatekeeper is useful but it is not a catch-all, most particularly for small projects.

Graeme
I looked at the binary from the Free version and it didn't appear like the 2 32-/64-bit kexts inside are even signed. Correct me if I am wrong though.
You've done superb work on this project, also, thank you for publishing the source.
My suggestion:
If you generate public checksums for the binary download, people can know that the download is fully intact and not corrupt.
If you use PGP people can confirm that the binary was produced by you.
e.g. https://www.openoffice.org/download/index.html

Signatures and hashes: KEYS, ASC, SHA256, SHA512
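Added example, not code from the Turbo Boost Switcher project or from anyone in this thread: a checker that verifies a download against a published SHA256SUMS-style manifest (the `shasum -a 256` / `sha256sum` layout, one `<digest>  <filename>` line per file) and runs the "daily check from an external IP" that Graeme describes over every file the manifest lists. The file names, the archive bytes and the "tampered site" are constructed for the example; the `make_fetcher` helper stands in for an HTTPS GET so the block runs offline.

```python
"""
Verify downloads against a published SHA256SUMS manifest and run a periodic
integrity check over all of them. Example code; names and data are constructed.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for the real downloads. In practice the bytes would be
# fetched over HTTPS from the release page, from a host the checker does not
# share with the site, so it sees exactly what a visitor would receive.
GOOD_FILES: Dict[str, bytes] = {
    "TurboBoostSwitcherPro.zip": b"PK\x03\x04 fake archive bytes, Pro build",
    "TurboBoostSwitcher.zip": b"PK\x03\x04 fake archive bytes, Free build",
}

# The same site after an attacker swapped the Pro download for an unsigned
# build. The manifest, published and recorded elsewhere, still carries the
# original digest, so the swap is detectable.
TAMPERED_FILES: Dict[str, bytes] = dict(GOOD_FILES)
TAMPERED_FILES["TurboBoostSwitcherPro.zip"] = b"PK\x03\x04 unsigned replacement"


def build_manifest(files: Dict[str, bytes]) -> str:
    """Text the maintainer would publish: '<64 hex chars>  <filename>' per line."""
    return "".join(f"{hashlib.sha256(d).hexdigest()}  {n}\n" for n, d in files.items())


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected hex digest. Blank lines and '#' comments are
    skipped; any other line that is not 'digest  name' is rejected."""
    expected: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, name = parts
        try:
            bytes.fromhex(digest)
        except ValueError:
            raise ValueError(f"manifest line {lineno}: digest is not hex") from None
        # sha256sum marks binary-mode entries with a leading '*'; drop it.
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(data: bytes, expected_hex: str) -> bool:
    """True if sha256(data) equals the published digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex.lower())


def make_fetcher(served: Dict[str, bytes]) -> Callable[[str], bytes]:
    """Stand-in for an HTTPS GET; raises FileNotFoundError where a 404 would."""
    def fetch(name: str) -> bytes:
        if name not in served:
            raise FileNotFoundError(name)
        return served[name]
    return fetch


def daily_check(manifest_text: str, fetch: Callable[[str], bytes]) -> List[Tuple[str, str]]:
    """Fetch every file the manifest lists and report 'ok', 'MISMATCH' or
    'MISSING' for each, in manifest order. Run this from a cron job on a
    machine outside the web host."""
    report: List[Tuple[str, str]] = []
    for name, digest in parse_manifest(manifest_text).items():
        try:
            data = fetch(name)
        except FileNotFoundError:
            report.append((name, "MISSING"))
            continue
        report.append((name, "ok" if verify_download(data, digest) else "MISMATCH"))
    return report


# The manifest as it would have been published at release time.
PUBLISHED_MANIFEST = build_manifest(GOOD_FILES)

if __name__ == "__main__":
    for site, files in (("intact site", GOOD_FILES), ("tampered site", TAMPERED_FILES)):
        print(site)
        for name, status in daily_check(PUBLISHED_MANIFEST, make_fetcher(files)):
            print(f"  {status:8s} {name}")
```

Two caveats that follow from the thread. The manifest the checker compares against has to come from somewhere the attacker does not control (a copy kept off the web host, a second site, or a PGP-signed file like the ASC and KEYS entries in the OpenOffice example); a checksum that lives next to the download is replaced in the same edit as the download. And a digest match says only that the bytes are the ones the maintainer published, not that those bytes are safe, which is what the Developer ID signature above is for. End users can do the same comparison with `shasum -a 256 -c SHA256SUMS` in the directory holding the download.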