Andrew Lentvorski wrote:
It turns out that the new code signing feature in OS X is breaking programs. Apparently quite a few new programs.

http://securosis.com/2007/11/01/leopard-firewall-code-signing-breaks-skype-and-other-applications
http://www.heise-security.co.uk/news/98492

I *approve*.  And I hope Apple sticks to its guns.

In a nutshell, OS X can sign an application for you the first time that the application runs. From that point forward, it checks the signature every time that application runs.

Basically, whole bunches of programs are doing self-modification for lots of different reasons--none of them beneficial to me, the user. And Leopard busts them for it.

You seem to have read this backward. According to the articles that you referenced, the modifications to the programs are being done BY OS X, NOT the program itself.

The failures occur due to the program checking itself, finding out that it has been modified and then refusing (rightly) to run. From the article:

<quote>
Code signing becomes a problem when an application performs its own self-integrity check and determines that the file on the hard disk has been changed. The firewall's code signature changes the checksum of Skype's binary on the disc:

MD5 (Skype) = 9d7fa7f77b8dc2a3c2ae61737a373c11
MD5 (Skype-org) = 4245cb201a94c76ddcb54b1cc1e58cfa

after which, if the user attempts to start Skype from the command line it displays the following message:

Main starting
Check 1 failed. Can't run Skype
</quote>

The failure message is coming from Skype, not from Mac OS X.


My only complaint is that Apple did not bring up a gigantic "DO NOT USE THIS PROGRAM! NOW QUARANTINING!" warning box replete with klaxons and red warning signs when the code check fails.

At this point, if you write an application on OS X, you either put your user data where the user tells you, or you don't get to play at all.

Beautiful.  Just beautiful.

I see this as an absolutely shitty way of doing security. The security mechanism should NOT modify any of your code.

If I wanted to do something like this in Linux, I would use the md5 sums stored in my RPM database (Red Hat-derived systems) or the equivalent on Debian-derived systems and use that to compare before launching the app. Seems like the loader could be modified to use PAM to institute the checks. And it wouldn't just be applications, it could be all the shared objects as well.

If the app wasn't installed with rpm or dpkg or equivalents then provide a signer program that will check the files and create the checksums and stuff them in a database. If the database crashes, just regenerate.

Gus


--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
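The approach Gus sketches, a signer that records checksums in a database and a launch-time check that compares against it without touching the files, as an added example that is not part of the list post and not code from any of the systems named. It uses a JSON manifest in place of the RPM/dpkg database, SHA-256 in place of MD5, and a constructed temporary install tree with fake "binaries" instead of real executables; the function names (file_digest, build_manifest, verify, demo) are this example's own. It also walks through the situation the articles describe: the tree verifies clean, something other than the program rewrites the executable, the check now flags that file, and regenerating the manifest accepts the new contents.

```python
"""Manifest-based launch check (added example, not from the list post).

The 'signer' side digests every file under an install root into a manifest
(standing in for the rpm/dpkg checksum database); the 'loader' side verifies
those digests before launch and reports anything that differs, without ever
modifying the files themselves.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large binaries do not load whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Signer step: digest every regular file under root, keyed by relative path."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = file_digest(p)
    return manifest


def verify(root: Path, manifest: dict) -> list:
    """Loader step: compare the tree against the manifest and return a sorted
    list of findings (modified:, missing:, unexpected:). Empty list means clean."""
    problems = []
    current = build_manifest(root)
    for rel, expected in manifest.items():
        actual = current.get(rel)
        if actual is None:
            problems.append(f"missing:{rel}")
        elif actual != expected:
            problems.append(f"modified:{rel}")
    for rel in current:
        if rel not in manifest:
            problems.append(f"unexpected:{rel}")
    return sorted(problems)


def demo() -> tuple:
    """Constructed scenario: sign an install tree, modify the executable in place,
    re-check, then regenerate the manifest. Returns the three verify() results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        # Constructed stand-ins for an executable and a shared object; not real ELF files.
        (root / "bin" / "app").write_bytes(b"\x7fELF fake application image\n")
        (root / "lib" / "libhelper.so").write_bytes(b"\x7fELF fake shared object\n")

        # Signer: build the manifest and round-trip it through JSON as the "database".
        stored = json.dumps(build_manifest(root))
        manifest = json.loads(stored)
        before = verify(root, manifest)

        # Something other than the program rewrites its file after signing
        # (the situation the thread describes); the program itself is untouched code.
        with (root / "bin" / "app").open("ab") as f:
            f.write(b"<appended blob>")
        after = verify(root, manifest)

        # "If the database crashes, just regenerate": a fresh manifest accepts the tree.
        resigned = verify(root, build_manifest(root))
        return before, after, resigned


if __name__ == "__main__":
    clean, tampered, regenerated = demo()
    print("before modification:", clean)
    print("after modification: ", tampered)
    print("after regenerate:   ", regenerated)
```

The point the example makes is the separation Gus argues for: the checksums live outside the files, so the check can be as strict as you like while the mechanism never has to rewrite the program, and an application's own self-integrity check would keep agreeing with it.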
