Open openradar-mirror opened 8 years ago
The following illustrates the problem. Try to validate security policy for an executable provided and signed by Apple itself, say /usr/bin/perl:
$ spctl -a -vvvv -t exec /usr/bin/perl
/usr/bin/perl: rejected
source=obsolete resource envelope
origin=Software Signing

$ spctl -a --raw /usr/bin/perl
/usr/bin/perl: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

$ codesign -vvvv /usr/bin/perl
/usr/bin/perl: valid on disk
/usr/bin/perl: satisfies its Designated Requirement

$ codesign -display --requirements - --verbose=4 /usr/bin/perl
Executable=/usr/bin/perl
Identifier=com.apple.perl
Format=Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=223 flags=0x0(none) hashes=6+2 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CandidateCDHash sha1=9300c0e021f7b525002e4b83f9c1cdb4201da168
Hash choices=sha1
CDHash=9300c0e021f7b525002e4b83f9c1cdb4201da168
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Here's what syslog entries say:
4/8/16 00:18:34.674 syspolicyd[905]: assessment denied for perl com.apple.message.domain: com.apple.security.assessment.outcome2 com.apple.message.signature2: bundle:UNBUNDLED com.apple.message.signature3: perl com.apple.message.signature5: UNKNOWN com.apple.message.signature4: 1 com.apple.message.signature: denied:obsolete resource envelope SenderMachUUID: 1AE9CFA9-82E6-.......
4/8/16 00:18:34.674 syspolicyd[905]: com.apple.message.domain: com.apple.security.assessment.whitelist2 com.apple.message.signature: perl-55554944f0661fba7f9c37c98f8302dcb246618d com.apple.message.signature2: 9300c0e021f7b525002e4b83f9c1cdb4201da168 com.apple.message.result: fail com.apple.message.signature3: f112f9a3fcbce80855d1f43b0d5d230f48fae84c com.apple.message.reason: -67002 SenderMachUUID: 1AE9CFA9-82E6-.......
Apple responded:
Please know that our engineering team has determined that this issue behaves as intended based on the information provided.
Gatekeeper (as of 10.11.4) rejects anything that isn’t an app (or “like” an app, such as a widget). This is part of a general hardening effort.
Product Version: 10.11.4
Created: 2016-04-11T01:54:55.215590
Originated: 2016-04-08T00:00:00
Open Radar Link: http://www.openradar.me/25618668
Modified: 2016-04-14T00:09:09.601760
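The practical lesson of this radar is that an spctl rejection of a bare Mach-O binary on 10.11.4 and later is a Gatekeeper policy decision, not evidence that the code signature is broken; codesign is the tool that answers the signature question, and the syspolicyd log carries enough detail to tell the two apart. The following Python script is an added example, not code from the radar or from Apple: it parses syspolicyd assessment lines of the shape shown above (the com.apple.message.* fields), parses codesign -display output, cross-checks the CDHash that both report for the same file, and flags the situation described here (Apple-signed, unbundled executable, denied with "obsolete resource envelope"). The sample inputs are copied from the report; the rule that the Software Signing to Apple Root CA chain marks Apple's own platform binaries, and the final classification rule encoding Apple's response, are assumptions of this example.

```python
"""Correlate syspolicyd assessment log lines with codesign output (added example).

The sample inputs are copied from the report; the classification at the end encodes
Apple's stated behaviour for 10.11.4 and is an assumption of this example.
"""
import re

# Two syspolicyd lines, copied from the report.
SAMPLE_SYSLOG = [
    "4/8/16 00:18:34.674 syspolicyd[905]: assessment denied for perl "
    "com.apple.message.domain: com.apple.security.assessment.outcome2 "
    "com.apple.message.signature2: bundle:UNBUNDLED "
    "com.apple.message.signature3: perl "
    "com.apple.message.signature5: UNKNOWN "
    "com.apple.message.signature4: 1 "
    "com.apple.message.signature: denied:obsolete resource envelope "
    "SenderMachUUID: 1AE9CFA9-82E6-.......",
    "4/8/16 00:18:34.674 syspolicyd[905]: "
    "com.apple.message.domain: com.apple.security.assessment.whitelist2 "
    "com.apple.message.signature: perl-55554944f0661fba7f9c37c98f8302dcb246618d "
    "com.apple.message.signature2: 9300c0e021f7b525002e4b83f9c1cdb4201da168 "
    "com.apple.message.result: fail "
    "com.apple.message.signature3: f112f9a3fcbce80855d1f43b0d5d230f48fae84c "
    "com.apple.message.reason: -67002 "
    "SenderMachUUID: 1AE9CFA9-82E6-.......",
]

# codesign -display --verbose=4 output for /usr/bin/perl, copied from the report.
SAMPLE_CODESIGN = """Executable=/usr/bin/perl
Identifier=com.apple.perl
Format=Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=223 flags=0x0(none) hashes=6+2 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CandidateCDHash sha1=9300c0e021f7b525002e4b83f9c1cdb4201da168
Hash choices=sha1
CDHash=9300c0e021f7b525002e4b83f9c1cdb4201da168
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
"""

# "<date> <time> <process>[<pid>]: <rest>"
HEADER_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<rest>.*)$")
# Field keys exactly as they appear in the log, each followed by ": "
FIELD_RE = re.compile(r"(com\.apple\.message\.\w+|SenderMachUUID): ")


def parse_syspolicyd_line(line):
    """Return timestamp, process, pid, free-text message and the key/value fields of one line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a syspolicyd log line: %r" % line)
    parts = FIELD_RE.split(m.group("rest"))  # [free text, key, value, key, value, ...]
    fields = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    return {"timestamp": m.group("ts"), "process": m.group("proc"),
            "pid": int(m.group("pid")), "message": parts[0].strip(), "fields": fields}


def parse_codesign(text):
    """Parse key=value lines from codesign -display; repeated Authority lines form the cert chain."""
    info = {"Authority": []}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["Authority"].append(value)
        else:
            info[key] = value
    return info


def correlate(syslog_lines, codesign_text):
    """Combine the outcome record, the whitelist record and codesign output into one verdict."""
    by_domain = {}
    for rec in (parse_syspolicyd_line(l) for l in syslog_lines):
        by_domain[rec["fields"].get("com.apple.message.domain")] = rec
    outcome = by_domain.get("com.apple.security.assessment.outcome2")
    whitelist = by_domain.get("com.apple.security.assessment.whitelist2")
    cs = parse_codesign(codesign_text)

    verdict = {"identifier": cs.get("Identifier"), "cdhash": cs.get("CDHash")}
    if outcome:
        # signature holds "<outcome>:<reason>", signature2 holds "bundle:<name or UNBUNDLED>"
        decision, _, reason = outcome["fields"].get("com.apple.message.signature", "").partition(":")
        verdict["outcome"] = decision
        verdict["reason"] = reason
        verdict["bundled"] = outcome["fields"].get("com.apple.message.signature2") != "bundle:UNBUNDLED"
    if whitelist:
        code = whitelist["fields"].get("com.apple.message.reason")
        verdict["reason_code"] = int(code) if code is not None else None
        # The whitelist record's signature2 is the CDHash codesign reports for the same file.
        verdict["cdhash_matches_log"] = whitelist["fields"].get("com.apple.message.signature2") == cs.get("CDHash")
    # Assumption: a chain from "Software Signing" to "Apple Root CA" identifies Apple's own platform binaries.
    chain = cs["Authority"]
    verdict["apple_platform_binary"] = chain[:1] == ["Software Signing"] and chain[-1:] == ["Apple Root CA"]
    # Assumption encoding Apple's response: this combination is a Gatekeeper policy decision
    # against a non-bundle executable, not a broken code signature.
    verdict["policy_rejection_not_signature_failure"] = (
        verdict.get("outcome") == "denied"
        and verdict.get("reason") == "obsolete resource envelope"
        and verdict.get("bundled") is False
        and verdict["apple_platform_binary"]
        and verdict.get("cdhash_matches_log", False)
    )
    return verdict


if __name__ == "__main__":
    for key, value in correlate(SAMPLE_SYSLOG, SAMPLE_CODESIGN).items():
        print("%-36s %s" % (key, value))
```

On a live system the two inputs would come from the syspolicyd entries in the system log and from running codesign -display --verbose=4 on the same path; the cross-check on the CDHash is what ties a given log record to a given file, and any denial that does not satisfy the final rule (different reason, non-Apple chain, or a CDHash mismatch) is the case that deserves a closer look rather than being written off as this policy behaviour.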