Wednesday, August 6, 2014

Code Signing Signature v2

Twitter and IRC have been ablaze this morning with chatter about OS X signed apps in Yosemite DP5. First to reach my eye was the twitter post from Graham Pugh
Apple explains...

"Beginning with OS X version 10.9.5, there will be changes in how OS X recognizes signed apps. Version 1 signatures created with OS X versions prior to Mavericks will no longer be recognized by Gatekeeper and are considered obsolete.

For your apps to run on updated versions of OS X they must be signed on OS X version 10.9 or later and thus have a version 2 signature."

Not being a developer by trade, I wasn't concerned with the implications of version 2 signatures for signing apps as much as I was curious as to how many of the current apps we deploy could fail. I'm unsure, and won't bother to confirm until Yosemite GM is released, wether or not Apple will block our unsigned or version 1 signed applications from launching. My guess is no, but we will see.

Until we have a Yosemite GM to test against, I wanted to get a cursory look at the signature version of all our applications. To do this, I adapted the shell one-liner of dirkg from the IRC ##osx-server channel. The one-liner provides a number of applications that are signed with version 1, version 2, or none:

find /Applications /Applications/Utilities/ -maxdepth 1 -name "*.app" | while read a ; do codesign -vd "${a}" 2>&1 | awk '/version/ {print $3}' ; done | sort | uniq -c

While this command helped me determine we have over a hundred applications signed with version 1 signatures, it didn't tell me which applications.

Introducing "", my adaptation that prints out both the application path and the signature version. 

Apple's documentation also references the spctl command for testing applications signatures. According to Apple's documentation spctl will "check if Gatekeeper will accept your app's signature".  Test your applications on the latest Yosemite developer preview with the following command:

spctl -a -t exec -vv

1 comment:

mungo2k said...

Cool. I used spctl like this:


find /Applications /Applications/Utilities -maxdepth 1 -name "*.app" | while read a ; do
spctl -a -t exec -vv "${a}" 2>&1
echo " "

exit 0

Interesting to see which apps are rejected. Also interesting is how many get the error "a sealed resource is missing or invalid", which suggests apps that were altered after signing.