Skip to main content

How to extract signing certificates from macOS binary files

Code signing is a macOS security technology that you use to certify that an app was created by you. Once an app is signed, the system can detect any change to the app—whether the change is introduced accidentally or by malicious code. As Apple Developer site says ( click here for more details on code signing) :



code signing allows the operating system to:
  • Ensure that a piece of code has not been altered since it was signed. The system can detect even the smallest change, whether it was intentional (by a malicious attacker, for example) or accidental (as when a file gets corrupted). When a code signature is intact, the system can be sure the code is as the signer intended.
  • Identify code as coming from a specific source (a developer or signer). The code signature includes cryptographic information that unambiguously points to a particular author.
  • Determine whether code is trustworthy for a specific purpose. Among other things, a developer can use a code signature to state that an updated version of an app should be considered by the 
    system to be the same app as the previous version.

We can extract the signing certificates from the macOS binary files using codesign tool.  Run the following command on any macOS binary , dylib or .app to extract the signing certificate from the file.

Steps :

1. Change to tmp directory.
    $ cd  /tmp

2. Run codesign command on the binary or .app to extract signing certificate.
    $codesign -dvvvv --extract-certificates /Applications/Mail.app

    This extracts all the signing certificates from the file and creates 3 files named codesign0, codesign1 and codesign2.  Codesign0 is usually the leaf (signing) certificate, and as many files are written as there are certificates in the signature. The files are in ASN.1 (DER) form. 

To view the contents of the certificates:

To see the details of the certificates which were extracted in DER form, we have use openssl tool. Run the following command to view the contents of certificate


$ openssl x509 -inform DER -in codesign0 -text

The output looks like below:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            2a:da:71:ba:a7:bd:17:9f
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Code Signing Certification Authority
        Validity
            Not Before: Apr 12 22:34:35 2013 GMT
            Not After : Apr 12 22:34:35 2021 GMT
        Subject: C=US, O=Apple Inc., OU=Apple Software, CN=Software Signing
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

uP6a2wO7jWLyGW13k+N1zzZZMV4IbV0BHGVTUpN2eJwXCxAelLw2kFZLRC6Y2aYx
ofAcZpSZVHMTtVE4vCSioDA7emWHrMC8FfReMMedoyoE38TPR4Rtn/3/RcOgGaw8
u62PlPm5x8hxNhHt6AG6tHVIgqQqUxoFBZudxkcb9eggcqAbS+W+ZPw4DZr/Q0E=
-----END CERTIFICATE-----





Comments

Popular posts from this blog

How to find firmware or boot ROM version in Mac OS X

Firmware and boot ROM version of your mac can be found in two ways.
Way 1 :
1. From "Apple" menu , choose "About This Mac" menu item. 2. Click " More Info " to open "System Profiler" application. 3. Under Contents -> Select Hardware Tree item.
On the right side panel Under hardware overview section, we can see Boot ROM Version and SMC (Firmware) Version.








Way 2 :
Run the below command in terminal to get boot ROM version and SMC(firmware) version :
$ system_profiler SPHardwareDataType | grep -i "Version" | awk -F ':' '{print $1 $2}'

How to disable USB ports on Mac OS X Mavericks, Yosemite or El Capitan ?

We might wonder how to disable the USB ports on Mac to prevent data copy to external USB mass storage devices. The USB kext on os x is loaded at the time of start of the system, this can be loaded / unloaded using kextload or kextunload command. To disable USB port on Mac , follow below steps:
On Macs running Mountain Lion, Mavericks  and Yosemite:
Unmount any connected USB devices to the system by running below command                  $diskutil unmount /Volumes/USBDISK.Now unload the USB related kernel extensions in the following order using kextunload command.sudo kextunload -b com.apple.driver.AppleUSBCardReader
sudo kextunload -b com.apple.driver.AppleUSBODD
sudo kextunload -b com.apple.iokit.IOUSBMassStorageClass

       This will unload the USB kext and disable the USB ports for storage devices on Mountain Lion, Mavericks  and Yosemite.
On Mac running El Capitan:
Unmount any connected USB devices to the system by running below command                  $diskutil unmount /Volumes/USBDI…