entitlement for checking on code signature

The following piece of code works all fine if I disable the sandbox, but it fails if I enable the sandbox:


    // Get a dynamic code reference for the peer process, identified by its audit token
    // (sourceAppAuditToken is the audit_token_t bytes as Data).
    var codeOpt: SecCode? = nil
    var err = SecCodeCopyGuestWithAttributes(nil, [kSecGuestAttributeAudit: sourceAppAuditToken] as NSDictionary, [], &codeOpt)
    guard err == errSecSuccess, let code = codeOpt else {
        return nil
    }

    // Check the validity of the signature. The API takes an Unmanaged<CFError>? out-parameter
    // (the generic parameter was lost in the post); no requirement is supplied here, so only
    // signature validity is checked, not who signed it.
    var errorDescription: Unmanaged<CFError>? = nil
    err = SecCodeCheckValidityWithErrors(code, [], nil, &errorDescription)
    guard err == errSecSuccess else {
        return nil
    }

What entitlement do I need on the sandbox to allow this?
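As an added example (not code from this thread or from Apple), here is a complete version of the check the question describes, written the way a defender would want it: the peer is validated against an explicit code requirement rather than just "has some valid signature", the signing identifier and team ID are read back so the filter can log who it allowed, and any failure denies the flow. It assumes the audit token arrives as `Data` (the raw `audit_token_t` bytes, as the flow's `sourceAppAuditToken` provides) and uses a placeholder requirement string; `verifyPeer` and `allowFlow` are names chosen for this example.

```swift
import Foundation
import Security

/// Signing identity of a peer whose code signature passed the check.
struct PeerIdentity {
    let identifier: String   // kSecCodeInfoIdentifier, normally the bundle ID
    let teamID: String?      // kSecCodeInfoTeamIdentifier; nil for ad-hoc or Apple-signed code
}

enum PeerCheckError: Error {
    case guestLookupFailed(OSStatus)        // SecCodeCopyGuestWithAttributes failed
    case badRequirement(OSStatus)           // requirement string did not compile
    case signatureInvalid(OSStatus, String?) // validity check failed, with CFError text if any
    case signingInfoUnavailable(OSStatus)   // could not read identifier / team ID
}

/// Verifies that the process behind `auditToken` is validly signed and satisfies
/// `requirementText`, and returns its signing identity.
func verifyPeer(auditToken: Data, requirementText: String) throws -> PeerIdentity {
    // Step 1: dynamic code object for the running peer, looked up by audit token.
    var codeOpt: SecCode?
    var status = SecCodeCopyGuestWithAttributes(
        nil, [kSecGuestAttributeAudit as String: auditToken] as CFDictionary, [], &codeOpt)
    guard status == errSecSuccess, let code = codeOpt else {
        throw PeerCheckError.guestLookupFailed(status)
    }

    // Step 2: compile the requirement. In production compile it once and cache it.
    var requirementOpt: SecRequirement?
    status = SecRequirementCreateWithString(requirementText as CFString, [], &requirementOpt)
    guard status == errSecSuccess, let requirement = requirementOpt else {
        throw PeerCheckError.badRequirement(status)
    }

    // Step 3: validity check against the requirement. Passing a requirement is what turns
    // "is signed" into "is signed by whom we expect".
    var cfErrorRef: Unmanaged<CFError>?
    status = SecCodeCheckValidityWithErrors(code, [], requirement, &cfErrorRef)
    guard status == errSecSuccess else {
        let description = cfErrorRef.map { CFErrorCopyDescription($0.takeRetainedValue()) as String }
        throw PeerCheckError.signatureInvalid(status, description)
    }

    // Step 4: read identifier and team ID from the static (on-disk) code object for logging.
    var staticCodeOpt: SecStaticCode?
    status = SecCodeCopyStaticCode(code, [], &staticCodeOpt)
    guard status == errSecSuccess, let staticCode = staticCodeOpt else {
        throw PeerCheckError.signingInfoUnavailable(status)
    }
    var infoOpt: CFDictionary?
    status = SecCodeCopySigningInformation(
        staticCode, SecCSFlags(rawValue: kSecCSSigningInformation), &infoOpt)
    guard status == errSecSuccess,
          let info = infoOpt as? [String: Any],
          let identifier = info[kSecCodeInfoIdentifier as String] as? String else {
        throw PeerCheckError.signingInfoUnavailable(status)
    }
    return PeerIdentity(identifier: identifier,
                        teamID: info[kSecCodeInfoTeamIdentifier as String] as? String)
}

/// Fail-closed flow decision: any error in the check denies the flow and is logged,
/// so a failing check (such as the sandboxed lookup in this thread) is visible rather than silent.
func allowFlow(auditToken: Data) -> Bool {
    // Placeholder requirement: Apple-issued certificate and a specific bundle identifier.
    let requirement = "anchor apple generic and identifier \"com.example.placeholder\""
    do {
        let peer = try verifyPeer(auditToken: auditToken, requirementText: requirement)
        NSLog("allowing flow from %@ (team %@)", peer.identifier, peer.teamID ?? "-")
        return true
    } catch {
        NSLog("denying flow: code signature check failed: %@", String(describing: error))
        return false
    }
}
```

Two design points: the requirement string is the real policy, so keep it narrow (anchor plus identifier or team ID) instead of accepting any valid signature, and since `SecCodeCheckValidityWithErrors` can be slow on large bundles (see the later reply about Xcode), cache the decision per process rather than re-checking on every flow.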

it fails if I enable the sandbox

What function fails? What error does it return?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I get these errors printed in the log:

MacOS error: -25337
CSSM Exception: 3 unknown error 3=3
CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR

What are you trying to do? I check the signatures on executables from the sandbox all the time. But I don't use those functions. Are you doing something very specific?

Hi John,

Specifically, I have an NEFilterDataProvider class that controls the network flow. To decide whether to allow the flow or not, I need to check securely what application is trying to connect to the internet. So I use this function to check the signature.

I am open to other ways of doing it though, can you share how you do it?

I posted a detailed reply in your other thread. However, I should warn you, this is not easy. And at a fundamental level, Apple doesn't support third party security products, and especially not from the sandbox.

I'm not familiar with network filters. I don't know if that is even possible from the sandbox. I can tell you that signature checking is neither accurate nor deterministic. For example, my app has special code just in case Xcode is running. I can't risk doing a signature check on Xcode. Even with a fast Apple SSD, that can take 5 minutes. An older machine with a mechanical hard drive can take up to 15 minutes. Granted, Xcode is an extreme case, but I think in a network context, you don't have very long before you trigger a timeout. There are various levels of "failure" in terms of signature checking.

And finally, although my app does a lot of signature checking, I also have an extensive database of legitimate apps that don't have signatures. It has about 5000 entries in it. There are a lot of legitimate, unsigned apps out there.

It sounds like you are trying to do something like Little Snitch in the sandbox. I would not recommend a project like that. Apple is moving towards more of an iOS security model. You have a lot of work ahead of you and Apple is just going to slam the door in your face before you even get done. I'm well aware that my own work is dead-app-walking. People find it useful right now, so I am still supporting it. But I'm also actively working on products designed for a different domain, much further removed from the OS, and more iOS-friendly. I strongly recommend that all Mac developers do likewise.

I missed your reply. Thanks a lot for that, it's very interesting. You are exactly right in understanding what I am trying to do. I also arrived at the conclusion that I could not really run my network extension in a sandbox. It's a bit frustrating as I think sandboxes are excellent for security. But it's good to hear it confirmed, I won't spend more time trying to make it work. Your project seems very interesting. I didn't move to support unsigned apps yet. How do you do this? Do you take a SHA-256 hash of the staticCode, and compare it to your stored value? Something like that? Thanks again

I didn't "confirm" anything. I said I don't know anything about network filters. I know a fair bit about the sandbox. It is not as limiting as some people say, but it also is not appropriate for any system-level service. If you have a standard game or app, then it will be fine for that. But anything that attempts to cleverly hook into the system is going to be painful. I don't want to discourage anyone, but I do want to push them towards projects that are more likely to be successful and financially rewarding. A few years ago, I tried something really clever in the sandbox. My code worked, but due to an Apple system-level bug, the app wasn't viable. I think most developers think too much about coding up neat things and not enough about economics.

As for my project, I'm not doing anything with hashes. I check the signatures of apps. If the app isn't signed, I flag it as such. If the app uses a file name that is known to be used by a well-known, but unsigned app, then I identify it as such.

Hi devfunshark,

Did you manage to fix this problem?

I see the same thing when enabling Sandbox for System Extension target. SecCodeCopyGuestWithAttributes with kSecGuestAttributeAudit flag is failing with error code 100001 and I can see errors like MacOS error: -25337 and 67061 in console.

If I try the same thing on an App target which is also sandboxed, it works. It's only the System Extension that's failing.

I was thinking about creating a daemon which would run in the background and it would serve as a service for code signing verification. The System Extension would send the audit token through XPC and the daemon would do the app signature check and respond with the result. Although it's probably another 0.1ms delay (well, maybe less) when comparing to doing that in the System Extension with Sandbox disabled.

Please let me know, if you found a better solution.
Thanks,
Robert

This is a known bug. See this post for details and a workaround.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"