I would like to detect whether my macOS app executable file has been altered by someone. I wouldn't rely on the Codesign because, as I have seen on the web, many apps have been cracked, even if notarised by Apple, even the Apple apps. I know my method will not guarantee the top security, but I would add this custom protection anyway.
A) If I manually add a checksum file within the Resources folder in the bundle after the app has been Archived (so within the xcarchive package), it's too late. The app won't launch on macOS 10.15.6 because of the manipulation. I get a crash with "Termination Reason: Namespace CODESIGNING, Code 0x2".
B) If I manually add or modify the checksum file after the app has been notarised, the same, it won't launch.
C) If I modify the checksum resource file with a shell script during the build phase, before the "Run Copy Bundle Resources" phase, the checksum is wrong since the executable at that moment has a different file size and file modification date.
D) Even the Terminal commands
codesign --remove-signature Foo.app
codesign -s "MyIdentity" Foo.app
modify the executable file (file size and modification date, therefore even the checksum), so I can't use my checksum file created before the latest Terminal command…
So, what's the best way to add my own checksum file to my app bundle? I run macOS 10.15.6 and Xcode 11.5 and compile my 64-bit app for macOS 10.3/10.5.
So, what's the best way to add my own checksum file to my app bundle?

There isn’t. The code signature seals over all the important resources in your app. The checksum resource is, by definition, an important resource. This puts you in a clear dependency loop.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
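The dependency loop described in this thread, shown as an added simulation that is not code from the thread or from Apple. The script lays out a minimal constructed Foo.app, stands in for `codesign` with a function that embeds a fake signature blob in the executable (changing its bytes, as the asker saw in case D) and then seals every file in the bundle, and runs the asker's two orderings: checksum written before signing (cases C/D), and checksum written after signing (cases A/B). The file name `checksum.txt`, the seal format and the signature blob are assumptions for the simulation; Apple's real `_CodeSignature/CodeResources` and Mach-O signature layout are not reproduced.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed names for the simulation; these are not Apple's formats.
CHECKSUM_NAME = "checksum.txt"
SIGNATURE_BLOB = b"\x00SIMULATED-CODE-SIGNATURE\x00"  # stands in for the data codesign embeds


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def executable(bundle: Path) -> Path:
    return bundle / "Contents" / "MacOS" / bundle.stem


def make_bundle(root: Path) -> Path:
    """Lay out a minimal Foo.app with a stand-in executable and one resource (constructed)."""
    bundle = root / "Foo.app"
    (bundle / "Contents" / "MacOS").mkdir(parents=True)
    (bundle / "Contents" / "Resources").mkdir(parents=True)
    executable(bundle).write_bytes(b"\xcf\xfa\xed\xfe" + b"stand-in executable body")
    (bundle / "Contents" / "Resources" / "strings.txt").write_text("hello\n")
    return bundle


def write_checksum_resource(bundle: Path) -> None:
    """The asker's idea: store the executable's hash as a resource inside the bundle."""
    resource = bundle / "Contents" / "Resources" / CHECKSUM_NAME
    resource.write_text(sha256_file(executable(bundle)) + "\n")


def checksum_resource_valid(bundle: Path) -> bool:
    """Does the stored checksum still match the executable on disk?"""
    stored = (bundle / "Contents" / "Resources" / CHECKSUM_NAME).read_text().strip()
    return stored == sha256_file(executable(bundle))


def seal(bundle: Path) -> dict[str, str]:
    """Hash every file in the bundle: a simplified stand-in for what the signature seals over."""
    return {
        str(p.relative_to(bundle)): sha256_file(p)
        for p in sorted(bundle.rglob("*"))
        if p.is_file()
    }


def sign(bundle: Path) -> dict[str, str]:
    """Simulate codesign: embed a signature blob in the executable (so its bytes,
    size and modification date change), then seal the resulting bundle contents."""
    exe = executable(bundle)
    exe.write_bytes(exe.read_bytes() + SIGNATURE_BLOB)
    return seal(bundle)


def signature_valid(bundle: Path, sealed: dict[str, str]) -> bool:
    """Any sealed file that changed, appeared or disappeared invalidates the signature."""
    return seal(bundle) == sealed


def demo() -> dict[str, bool]:
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Order 1 (cases C/D): write the checksum, then sign.
        bundle = make_bundle(Path(tmp) / "order1")
        write_checksum_resource(bundle)
        sealed = sign(bundle)
        results["checksum_then_sign:signature"] = signature_valid(bundle, sealed)  # True
        results["checksum_then_sign:checksum"] = checksum_resource_valid(bundle)   # False: signing changed the executable
        # Order 2 (cases A/B): sign, then add the checksum resource.
        bundle = make_bundle(Path(tmp) / "order2")
        sealed = sign(bundle)
        write_checksum_resource(bundle)
        results["sign_then_checksum:signature"] = signature_valid(bundle, sealed)  # False: resource added after sealing
        results["sign_then_checksum:checksum"] = checksum_resource_valid(bundle)   # True
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'valid' if ok else 'INVALID'}")
```

Whichever ordering is chosen, exactly one of the two checks fails: the seal must cover the checksum resource, and signing must rewrite the executable the checksum describes, which is the loop the answer points out. The seal itself is the tamper check the asker is after, since it already covers the executable and the resources.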