Heres how to restore all of Gatekeepers.A week ago, largely as the result of a server problem on 12 November, there was a storm of concern over the use by macOS of Apple’s OCSP service to check certificates, and resulting leakage of private data. There is an Anywhere option in the system preference tab that allows the user to execute software programs without getting permission to run the same.Gatekeeper is an important security feature in macOS, but Apple made some changes to how it works in macOS Sierra. The Mac OS Sierra has a major upgrade in the Gatekeeper user interface by adding two new security features that make the usage of your system much safer and save you from data theft.Gatekeeper has changed over the years. Gatekeeper is designed for first launch. Code signatures are designed for Gatekeeper.
Gatekeeper High Sierra Code On LoadingAs I pointed out here, that ‘Gatekeeper’ database is now disused.Instead, Catalina and Big Sur now check all executable code on loading, and, when that code is signed with a developer certificate, perform an online check with Apple’s OCSP service, which has suddenly become so controversial.Since the introduction of Gatekeeper in 2012, Apple has apparently revoked many compromised developer certificates. Apple hasn’t released an update to it since 26 August 2019, and anyone with a fresh installation of Big Sur will have a truly ancient version installed. But those Macs which have kept pace with the latest release of macOS stopped accessing that database in September 2019, with the release of macOS 10.15 Catalina. This included log extracts which again showed clearly what happened.Until 2018-19, it appears that macOS stored information about certificate revocations locally, in the ‘Gatekeeper’ database at /private/var/db/gkopaque.bundle, which at one time Apple updated every couple of weeks. At the time, no one raised any concerns about these connections or their use of plain HTTP.In July 2019, I explained here how different types of signature checks worked, and how developers could add their own code integrity checks which include a CRL check with Apple’s OCSP service.That would probably place the start of such limited checks to around 2014, but not that much earlier, as others have pointed out that in 2009 many apps still had broken signatures.With the release of High Sierra in 2017, code signing certificate checks remained confined to Gatekeeper and quarantine, and that appears to have been the case with the first release of Mojave in 2018. I think there’s reasonable consensus that, when code signatures were first introduced, by “Perry the Cynic”, signing certificates passed unchecked, and if Apple did revoke certificates it seems to have had little if any effect until the introduction of Gatekeeper and the quarantine system from 2012.As that system developed, well before High Sierra and probably before El Capitan too, Gatekeeper started to perform OCSP queries to check code signing certificate validity, but only for quarantined apps undergoing their first run. They should also explain how, having enjoyed their benefits for a couple of years, they’ve suddenly decided they were such a bad idea after all, and what should replace them.This article has generated a lot of discussion, and I’m very grateful to Jeff Johnson in particular who has run more tests on older versions of macOS. Without a rapid and effective means of checking the validity of a signing certificate with Apple’s OCSP server, there is little point in using signatures as a means of distinguishing benign from malicious code.Those who consider that Apple’s current online certificate checks are unnecessary, invasive or controlling should familiarise themselves with how they have come about, and their importance to macOS security. That has already occurred with several malware products which were also notarized, including Shlayer and MacOffers. Is there an app for netflix on macHere’s a public comment by Perry: “I do work for Apple, and I designed and implemented Code Signing in Leopard. I actually met him one year at the Macworld San Francisco trade show. Perry the Cynic must be over the moon.“the origin of code signing in macOS has become lost in the mists of time”Code signing in macOS was created by an Apple engineer known as Perry the Cynic. As far as we can tell those included the systematic checks of both signature and cdhashes which Jeff has described and I’ve summarised here.So Apple only seems to have been performing such extensive checks over the last 16, and no more than 23, months, although they have been applied to quarantined apps for around six years. One phenomenon which certainly confused me at that time was that moving an unquarantined app and launching it from a previously unknown path triggered more thorough signature checks, although I don’t know whether those might have included certificate checks using OCSP.By the release of Catalina in October 2019, code signing certificates were being checked on loading all executable code when no quarantine flag was set. Whether that was taking place around the time that I ran my tests late in 2018 (on 10.14.2) we’ll probably never know.
0 Comments
Leave a Reply. |
AuthorManuel ArchivesCategories |