Suggestion: md5/sha-1/256 checksums for binary download (+ maybe PGP sign?)

[gbb]

You've done superb work on this project, also, thank you for publishing the source.

My suggestion:

If you generate public checksums for the binary download, people can know that the download is fully intact and not corrupt.

If you use PGP people can confirm that the binary was produced by you.

eg. https://www.openoffice.org/download/index.html
Signatures and hashes: KEYS , ASC , SHA256 , SHA512

[rugarciap]

Hi!

Cool, didn't think about this..., will take into account in the future :)

[ideologysec]

I think this is probably unnecessary, since the Application is code signed, and Gatekeeper checks signatures on first launch and complains if something is wrong. If the package is modified, the codesigning will be broken. If the code is signed by someone else, it won't be the same signatures (and would have to go through a lot of extra steps to get a kernel-extension signing certificate from Apple).

user@machine$ codesign -vvvv --display --entitlements - /Applications/Turbo\ Boost\ Switcher\ Pro.app
Executable=/Applications/Turbo Boost Switcher Pro.app/Contents/MacOS/Turbo Boost Switcher Pro
Identifier=rugarciap.com.Turbo-Boost-Switcher-Pro-Pro
Format=app bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=2102 flags=0x10000(runtime) hashes=58+3 location=embedded
VersionPlatform=1
VersionMin=656896
VersionSDK=658944
Hash type=sha256 size=32
CandidateCDHash sha1=61bfffc7552b691a283851c3319dbc5071abd558
CandidateCDHashFull sha1=61bfffc7552b691a283851c3319dbc5071abd558
CandidateCDHash sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462
CandidateCDHashFull sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462b7160dec1f8e1b62f31da4c4
Hash choices=sha1,sha256
CMSDigest=aaed1ed8664d1bb914836a9113f14a4a0ecb3263b7a26134ed0515f52ba79ab7
CMSDigestType=2
Page size=4096
CDHash=2706dfeb199775206e8ed235f14d1b7ac4d26462
Signature size=9016
Authority=Developer ID Application: Ruben Garcia Perez (A7JE7SS8Z7)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=Sep 27, 2019 at 15:48:21
Info.plist entries=28
TeamIdentifier=A7JE7SS8Z7
Runtime Version=10.14.0
Sealed Resources version=2 rules=13 files=51
Internal requirements count=1 size=236

[gbb]

The threat model is not 'someone altering a gatekeeper signed binary' or providing 'an alternative gatekeeper signed binary'. The threat model is that anyone who hacks the website server simply replaces the file with an unsigned alternative. Most people are used to the idea that small developers often provide unsigned downloads that you allow to run; many apple users have been doing things this way for decades. An advantage of listing checksums for downloadables is that these can be logged to secondary sites, (including automatically to search engine caches). The effort to hack multiple websites is far greater. Another key advantage is that not only can users tell there is something odd with the executable, website admins can run a daily script from an external IP to verify the downloads match the approved checksums. A nice way of knowing that no one has hacked the site and altered the downloads. A safety system built entirely into the executable is entirely valueless when that executable is the first thing that will be replaced by any adversary. Anyway; your project, up to you. Gatekeeper is useful but it is not a catch-all, most particularly for small projects. Graeme

…

On Fri, Nov 8, 2019 at 6:49 AM Eric ***@***.***> wrote: I think this is probably unnecessary, since the Application is code signed, and Gatekeeper checks signatures on first launch and complains if something is wrong. If the package is modified, the codesigning will be broken. If the code is signed by someone else, it won't be the same signatures (and would have to go through a lot of extra steps to get a kernel-extension signing certificate from Apple). ***@***.***$ codesign -vvvv --display --entitlements - /Applications/Turbo\ Boost\ Switcher\ Pro.app Executable=/Applications/Turbo Boost Switcher Pro.app/Contents/MacOS/Turbo Boost Switcher Pro Identifier=rugarciap.com.Turbo-Boost-Switcher-Pro-Pro Format=app bundle with Mach-O thin (x86_64) CodeDirectory v=20500 size=2102 flags=0x10000(runtime) hashes=58+3 location=embedded VersionPlatform=1 VersionMin=656896 VersionSDK=658944 Hash type=sha256 size=32 CandidateCDHash sha1=61bfffc7552b691a283851c3319dbc5071abd558 CandidateCDHashFull sha1=61bfffc7552b691a283851c3319dbc5071abd558 CandidateCDHash sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462 CandidateCDHashFull sha256=2706dfeb199775206e8ed235f14d1b7ac4d26462b7160dec1f8e1b62f31da4c4 Hash choices=sha1,sha256 CMSDigest=aaed1ed8664d1bb914836a9113f14a4a0ecb3263b7a26134ed0515f52ba79ab7 CMSDigestType=2 Page size=4096 CDHash=2706dfeb199775206e8ed235f14d1b7ac4d26462 Signature size=9016 Authority=Developer ID Application: Ruben Garcia Perez (A7JE7SS8Z7) Authority=Developer ID Certification Authority Authority=Apple Root CA Timestamp=Sep 27, 2019 at 15:48:21 Info.plist entries=28 TeamIdentifier=A7JE7SS8Z7 Runtime Version=10.14.0 Sealed Resources version=2 rules=13 files=51 Internal requirements count=1 size=236 — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#83?email_source=notifications&email_token=AA74KGFCURIRCCKSBFQKVITQSUDWFA5CNFSM4GJF4V7KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEDO5AJA#issuecomment-551407652>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA74KGBPUQT4FVGWCLV4VETQSUDWFANCNFSM4GJF4V7A> .

[cbkihong]

I looked at the binary from the Free version and it didn't appear like the 2 32-/64-bit kexts inside are even signed. Correct me if I am wrong though.