Add a checksum file to my macOS notarised app bundle

I would like to detect whether my macOS app executable file has been altered by someone. I wouldn't rely on the Codesign because, as I have seen on the web, many apps have been cracked, even if notarised by Apple, even the Apple apps. I know my method will not guarantee the top security, but I would add this custom protection anyway.

A) If I manually add a checksum file within the Resources folder in the bundle after the app has been Archived (so within the xcarchive package), it's too late. The app won't launch on macOS 10.15.6 because of the manipulation. I get a crash with "Termination Reason: Namespace CODESIGNING, Code 0x2".

B) If I manually add or modify the checksum file after the app has been notarised, the same, it won't launch.

C) If I modify the checksum resource file with a shell script during the build phase, before the "Run Copy Bundle Resources" phase, the checksum is wrong since the executable at that moment has a different file size and file modification date.

D) Even the Terminal commands
codesign --remove-signature Foo.app
codesign -s "MyIdentity" Foo.app
modify the executable file (file size and modification date, therefore even the checksum), so I can't use my checksum file created before the latest Terminal command…

So, what's the best way to add my own checksum file to my app bundle? I run macOS 10.15.6 and Xcode 11.5 and compile my 64-bit app for macOS 10.3/10.5.

Accepted Answer

So, what's the best way to add my own checksum file to my app bundle?

There isn’t. The code signature seals over all the important resources in your app. The checksum resource is, by definition, an important resource. This puts you in a clear dependency loop.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Thank you. So, as I understand:
1) we developers are obliged to codesign the bundle.
2) the codesign doesn't let us add our protection (as an additional checksum file).
3) the codesign can be easily violated (as I have seen my own macOS app and even the Apple apps, codesigned and notarised, cracked on some web torrent web sites).

As far as you know, is there a way to make my macOS app hacker-proof?

1) we developers are obliged to codesign the bundle.

Yes

2) the codesign doesn't let us add our protection (as an additional checksum file).

You can add any files you want. You shouldn't add a separate checksum file because the code signature itself does this.

3) the codesign can be easily violated (as I have seen my own macOS app and even the Apple apps, codesigned and notarised, cracked on some web torrent web sites).

No, it can't. What you are seeing is that you, and other apps, aren't verifying your code signatures. Apple doesn't really care, because it has SIP and normally doesn't sell apps.

What you have to do is verify your own code signature. I've posted instructions on how to do that here: https://developer.apple.com/forums/thread/128586

Your code can still be hacked, of course. But this makes it much more difficult.

As far as you know, is there a way to make my macOS app hacker-proof?
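The self-check Etresoft describes, written out as an added example (not code from this thread, from Apple, or from the linked post): at launch the app asks the Security framework to validate its own bundle on disk against an explicit requirement, so a modified executable or resource fails validation even though the bundle launched. The bundle identifier "com.example.Foo" and the Team ID placeholder are assumptions to be replaced with your own values; `codesign -dr - Foo.app` prints the designated requirement Xcode actually signed with.

```objective-c
// Added example: validate the running app's own code signature at launch.
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Hypothetical requirement text. Replace the identifier with your bundle
// identifier and TEAMID_PLACEHOLDER with your Team ID (the subject.OU of the
// Developer ID leaf certificate). Pinning both prevents an attacker from
// simply re-signing a modified bundle with some other Apple-issued identity.
static NSString * const kExpectedRequirement =
    @"anchor apple generic and identifier \"com.example.Foo\" "
     "and certificate leaf[subject.OU] = \"TEAMID_PLACEHOLDER\"";

// Returns YES when the on-disk bundle is sealed, unmodified, and signed by
// an identity satisfying kExpectedRequirement. The OSStatus is handed back
// so the caller can log the specific reason for a failure.
BOOL AppBundleSignatureIsValid(OSStatus *outStatus)
{
    SecStaticCodeRef bundleCode = NULL;
    SecRequirementRef requirement = NULL;
    NSURL *bundleURL = [NSBundle mainBundle].bundleURL;

    OSStatus status = SecStaticCodeCreateWithPath((__bridge CFURLRef)bundleURL,
                                                  kSecCSDefaultFlags, &bundleCode);
    if (status == errSecSuccess) {
        status = SecRequirementCreateWithString((__bridge CFStringRef)kExpectedRequirement,
                                                kSecCSDefaultFlags, &requirement);
    }
    if (status == errSecSuccess) {
        // kSecCSStrictValidate rejects files in the bundle that the seal does
        // not cover (exactly the "extra checksum file" case from the question);
        // kSecCSCheckNestedCode also validates embedded frameworks and helpers;
        // kSecCSCheckAllArchitectures validates every slice of a fat binary.
        SecCSFlags flags = kSecCSStrictValidate
                         | kSecCSCheckNestedCode
                         | kSecCSCheckAllArchitectures;
        status = SecStaticCodeCheckValidity(bundleCode, flags, requirement);
    }

    if (requirement) CFRelease(requirement);
    if (bundleCode) CFRelease(bundleCode);
    if (outStatus) *outStatus = status;
    return status == errSecSuccess;
}

// Call this early, e.g. from applicationDidFinishLaunching:. What to do on
// failure is a product decision; here the app logs the reason and exits.
void EnforceOwnCodeSignatureOrExit(void)
{
    OSStatus status = errSecSuccess;
    if (!AppBundleSignatureIsValid(&status)) {
        CFStringRef message = SecCopyErrorMessageString(status, NULL);
        NSLog(@"Code signature validation failed: %d (%@)", (int)status, message);
        if (message) CFRelease(message);
        exit(EXIT_FAILURE);
    }
}
```

Validation happens every launch, so run it before loading anything sensitive, and test a deliberately edited copy of the built app to confirm it fails with errSecCSSignatureFailed or errSecCSReqFailed rather than passing silently. Because the check is itself sealed by the signature, altering the bundle to remove the check also invalidates the signature the check verifies, which is the dependency loop Quinn describes working in the developer's favour.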

Thank You Etresoft!
In the meantime it's exactly what I have done. I don't know how much this will make the hackers' life harder, but at least it's a deterrent. I have also told the ptrace to deny any attach. I hope everything will work. Thank you again.

Incidentally, I have discovered your answer by chance. Is there a way to get an email or notification when someone replies here?

Is there a way to get an email or notification when someone replies here?

Not at this time.


Thank you Etresoft. I have to say that, after I added to my Objective-C code a check on the code signatures (as you suggested here above), at present time, one month after I released my macOS app, nobody has cracked it yet. Usually the crack was available in 24 hours… So it seems to work well! This is what I like!