Thomas Tempelmann

Reputation: 12095

How to check if two macOS apps, one code signed and notarized, are otherwise identical?

Imagine the following scenario:

  1. Person A without a Mac developer account, e.g. someone building an open source app, wants to have this app properly code signed (and notarized, with stapling).
  2. Person B offers to code sign and notarize the app for person A.

The challenge:

How can Person A make sure that the signed code from B is not otherwise modified?

For instance, can A remove the code signature and notarization information from the app again, and then use diff to verify that the original app's contents are identical to B's? If so, which commands accomplish this?

Please also consider the possibility that the app is simply a standalone executable (or, alternatively, the app may contain such executables as helpers), meaning the executable includes the signature instead of having it attached to the bundle in Contents/_CodeSignature.

Upvotes: 0

Views: 636

Answers (1)

Dai

Reputation: 155433

(Disclaimer: I haven't built anything for macOS or iOS since 2016, so I'm a bit behind - please edit my post for me if I'm half-right - but if this answer is incorrect please let me know in a comment and I'll delete it right-away)

Based on these articles:

My understanding of the process is that your redistributable executable/app package is not actually modified at all - instead Apple records a hash of the files in the package on their servers. Whenever a macOS user runs your program, macOS sends the hash of the application's files to Apple and Apple responds with the notarization information.

However, you can "staple" a notarization receipt to a redistributable executable - which does modify the package - and this allows other macOS users' computers to quickly verify the notarization without needing to contact Apple's servers (though they may still check for notarization revocation in cases where a signing-certificate was compromised).

How can Person A make sure that the signed code from B is not otherwise modified?

If the receipt isn't stapled to the application package, the hash of both package files should be identical.

For instance, can A remove code signature and notarization information from the app again, and then use diff to verify that the original app's contents are identical to B's? If so, which commands accomplish this?

Not diff, but shasum: http://osxdaily.com/2012/02/05/check-sha1-checksum-in-mac-os-x/

shasum ~/Desktop/DownloadedFile.dmg

Upvotes: 1
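An added example (not code from the question or the answer) of the per-file comparison the question asks about: hash every file in A's original bundle and in B's signed copy, skipping the bundle-level signature metadata, and report what differs. It assumes the stapled ticket lives at Contents/CodeResources and uses a constructed pair of bundles in a temp directory; the main executable is made to differ, as a Mach-O with an embedded signature would.

```python
import hashlib
import tempfile
from pathlib import Path

# Bundle-level metadata that signing and stapling add; these paths are expected
# to differ, so they are left out of the comparison. The second entry is an
# assumption about where the stapler writes the notarization ticket.
SIGNATURE_ONLY = ("Contents/_CodeSignature", "Contents/CodeResources")

def bundle_manifest(root):
    """Map each bundle-relative file path to its SHA-256, skipping signature metadata."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if any(rel == s or rel.startswith(s + "/") for s in SIGNATURE_ONLY):
            continue
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest

def compare_bundles(original, signed):
    """Report files added, removed or changed between A's original and B's signed copy."""
    a, b = bundle_manifest(original), bundle_manifest(signed)
    return {
        "only_in_original": sorted(set(a) - set(b)),
        "only_in_signed": sorted(set(b) - set(a)),
        "changed": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }

def write(root, rel, data):
    path = Path(root) / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)

def demo():
    """Constructed bundles: B signs and staples A's app; the executable is signed in place."""
    with tempfile.TemporaryDirectory() as tmp:
        orig, signed = Path(tmp) / "A.app", Path(tmp) / "B.app"
        for root in (orig, signed):
            write(root, "Contents/Info.plist", b"<plist/>")
            write(root, "Contents/MacOS/app", b"\xcf\xfa\xed\xfe fake mach-o")
        # Constructed stand-ins for what signing and stapling add or alter
        write(signed, "Contents/_CodeSignature/CodeResources", b"<resources/>")
        write(signed, "Contents/CodeResources", b"ticket")
        write(signed, "Contents/MacOS/app", b"\xcf\xfa\xed\xfe fake mach-o LC_CODE_SIGNATURE")
        # The executable still shows up as changed: its signature is embedded, so a copy
        # must be stripped with `codesign --remove-signature` before it hashes equal.
        return compare_bundles(orig, signed)  # changed == ["Contents/MacOS/app"]

if __name__ == "__main__":
    print(demo())
```

Any entry under "changed" other than Mach-O files is a real modification that B has to explain; Mach-O files need the embedded signature removed from a copy and the hashes rechecked.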
