lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

25618668: spctl always rejects signed executables (not bundles) #8249

Open openradar-mirror opened 8 years ago

openradar-mirror commented 8 years ago

Description

The following illustrates the problem. Try to validate security policy for an executable provided and signed by Apple itself, say /usr/bin/perl:

```
$ spctl -a -vvvv -t exec /usr/bin/perl
/usr/bin/perl: rejected
source=obsolete resource envelope
origin=Software Signing

$ spctl -a --raw /usr/bin/perl
/usr/bin/perl: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
assessment:authority
    assessment:authority:source    obsolete resource envelope
    assessment:authority:weak
assessment:cserror    -67002
assessment:remote
assessment:verdict
```

```
$ codesign -vvvv /usr/bin/perl
/usr/bin/perl: valid on disk
/usr/bin/perl: satisfies its Designated Requirement

$ codesign -display --requirements - --verbose=4 /usr/bin/perl
Executable=/usr/bin/perl
Identifier=com.apple.perl
Format=Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=223 flags=0x0(none) hashes=6+2 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CandidateCDHash sha1=9300c0e021f7b525002e4b83f9c1cdb4201da168
Hash choices=sha1
CDHash=9300c0e021f7b525002e4b83f9c1cdb4201da168
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
```

Here's what syslog entries say:

```
4/8/16 00:18:34.674 syspolicyd[905]: assessment denied for perl
    com.apple.message.domain: com.apple.security.assessment.outcome2
    com.apple.message.signature2: bundle:UNBUNDLED
    com.apple.message.signature3: perl
    com.apple.message.signature5: UNKNOWN
    com.apple.message.signature4: 1
    com.apple.message.signature: denied:obsolete resource envelope
    SenderMachUUID: 1AE9CFA9-82E6-.......

4/8/16 00:18:34.674 syspolicyd[905]:
    com.apple.message.domain: com.apple.security.assessment.whitelist2
    com.apple.message.signature: perl-55554944f0661fba7f9c37c98f8302dcb246618d
    com.apple.message.signature2: 9300c0e021f7b525002e4b83f9c1cdb4201da168
    com.apple.message.result: fail
    com.apple.message.signature3: f112f9a3fcbce80855d1f43b0d5d230f48fae84c
    com.apple.message.reason: -67002
    SenderMachUUID: 1AE9CFA9-82E6-.......
```

Apple responded:

Please know that our engineering team has determined that this issue behaves as intended based on the information provided.

Gatekeeper (as of 10.11.4) rejects anything that isn’t an app (or “like” an app, such as a widget). This is part of a general hardening effort.

Product Version: 10.11.4
Created: 2016-04-11T01:54:55.215590
Originated: 2016-04-08T00:00:00
Open Radar Link: http://www.openradar.me/25618668
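The syspolicyd entries above are the only record of why Gatekeeper denied a file whose signature `codesign` still reports as valid. The following is an added example, not part of the radar: a small parser that turns such entries into a triage record (target, bundled or not, denial reason, cserror, CDHash), so that a reviewer can tell a policy rejection of an unbundled executable apart from a genuinely broken signature. The sample log is constructed from the two lines quoted in the report.

```python
import re

# Constructed sample: the two syspolicyd entries quoted in the radar, one per line.
SAMPLE_LOG = """\
4/8/16 00:18:34.674 syspolicyd[905]: assessment denied for perl com.apple.message.domain: com.apple.security.assessment.outcome2 com.apple.message.signature2: bundle:UNBUNDLED com.apple.message.signature3: perl com.apple.message.signature5: UNKNOWN com.apple.message.signature4: 1 com.apple.message.signature: denied:obsolete resource envelope SenderMachUUID: 1AE9CFA9-82E6-.......
4/8/16 00:18:34.674 syspolicyd[905]: com.apple.message.domain: com.apple.security.assessment.whitelist2 com.apple.message.signature: perl-55554944f0661fba7f9c37c98f8302dcb246618d com.apple.message.signature2: 9300c0e021f7b525002e4b83f9c1cdb4201da168 com.apple.message.result: fail com.apple.message.signature3: f112f9a3fcbce80855d1f43b0d5d230f48fae84c com.apple.message.reason: -67002 SenderMachUUID: 1AE9CFA9-82E6-.......
"""

HEADER = re.compile(r"^(?P<ts>\S+ \S+) syspolicyd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Keys in the body are "com.apple.message.<name>: " or "SenderMachUUID: "; split on them.
KEY = re.compile(r"\s*(com\.apple\.message\.\w+|SenderMachUUID): ")


def parse_entry(line):
    """Split one syspolicyd line into header fields plus a dict of its key/value pairs."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    parts = KEY.split(m.group("body"))  # [prefix, key1, value1, key2, value2, ...]
    fields = {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}
    return {"ts": m.group("ts"), "pid": int(m.group("pid")),
            "prefix": parts[0].strip(), "fields": fields}


def triage(log_text):
    """Pair each 'assessment denied' outcome with the whitelist entry that follows it."""
    findings, pending = [], None
    for line in log_text.splitlines():
        e = parse_entry(line)
        if e is None:
            continue
        f = e["fields"]
        domain = f.get("com.apple.message.domain", "")
        verdict = f.get("com.apple.message.signature", "")
        if domain.endswith("assessment.outcome2") and verdict.startswith("denied:"):
            pending = {"ts": e["ts"],
                       "target": f.get("com.apple.message.signature3"),
                       # signature2 carries the bundle identity; UNBUNDLED means a bare executable
                       "bundled": f.get("com.apple.message.signature2") != "bundle:UNBUNDLED",
                       "reason": verdict.split(":", 1)[1],
                       "cserror": None, "cdhash": None}
            findings.append(pending)
        elif domain.endswith("assessment.whitelist2") and pending is not None:
            # the follow-up entry carries the numeric code and the CDHash that was assessed
            pending["cserror"] = int(f.get("com.apple.message.reason", "0"))
            pending["cdhash"] = f.get("com.apple.message.signature2")
            pending = None
    return findings
```

Run against the sample, `triage` yields one finding for `perl`, unbundled, reason `obsolete resource envelope`, cserror -67002 and the same CDHash that `codesign` printed for /usr/bin/perl.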

openradar-mirror commented 8 years ago

Modified: 2016-04-14T00:09:09.601760
