Check revocation of certificates

I have signed some binaries with Apple Development certificates and then revoked the certificate from the developer account. After revocation of the certificate, Gatekeeper is not blocking the execution of the binaries. Even evaluating these revoked certificates in Keychain shows a valid certificate and a successful evaluation. The same applies to the Installer certificate.

I tried checking the revocation status of the binary using the method "SecPolicyCreateRevocation(kSecRevocationUseAnyAvailableMethod)", but we are getting the trust result 'kSecTrustResultUnspecified'.

Please tell me how to check if a certificate is revoked using any utility. Also let me know if I am missing anything in the revocation check call.

I don’t understand your logic here. Gatekeeper is only relevant for Developer ID signed code, and you can’t revoke a Developer ID certificate without involving Apple Product Security (per the information on Developer > Support > Articles > Certificates).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo, I have replied with an answer to your query. Your inputs are appreciated.

I have replied with an answer to your query.

Yeah, sorry about that. If you reply in the comments, I don’t get notified.

So I think, as per your comment, we have involved 'Apple Product Security' in the revocation process.

No. As documented on that page, Developer ID certificates can only be revoked by emailing Apple Product Security. If you did this via the Developer website, you weren’t operating on a Developer ID certificate.

I think you’re confused about the certificate types in play here. For a list of all the certificate types we support, see Developer Account Help > Reference > Certificate types.

Developer ID certificates have a common name of Developer ID Application: TTT and Developer ID Installer: TTT, where TTT identifies your team. What’s the common name of the certificate that you’re checking for revocation?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

The codesign tool gives the following as the type of certificate we used for the app/executable:
Authority=Apple Development:XXXXX
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA

The pkgutil tool gives the following as the type of certificate we used for the pkg:
Status: signed by a developer certificate issued by Apple (Development)
Certificate Chain:
1. 3rd Party Mac Developer Installer:XXXXX

I think we have used the 'Apple Development' certificate for the signing process, which can be revoked from the developer account.

Question:

  1. Does the revocation check API (SecPolicyCreateRevocation) need the app/pkg/executable to be signed with 'Developer ID Application' certificates only?

Actually, my application is trying to validate files on the basis of certificate revocation status.

To what end? It’s hard to offer guidance here without a better understanding of your overall goal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

@eskimo I want to do the following:

  1. I extract the certificate chain of the app file.
  2. I create a revocation policy using the API SecPolicyCreateRevocation(….).
  3. I create a trust object with the above policy and certificate chain.
  4. Then I evaluate the certificate chain from step 1 using the trust object created in step 3, using the API SecTrustEvaluate(…).

To test the above process, I have created binaries and signed them with an ‘Apple Development’ certificate created via the Apple developer site. I revoked the certificate and expected SecTrustEvaluate to give a failure result, but I am getting ‘kSecTrustResultUnspecified’.

So I want your help in case I am missing anything, and what the proper way of checking revocation of certificates should be.
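As an added example (not code from the poster or from Apple), here are the four steps above as a single Swift command-line program that can be run against any signed bundle or Mach-O. The one deliberate change from the call quoted in the post is the kSecRevocationRequirePositiveResponse flag: without it the revocation policy soft-fails, so a responder that cannot be reached, or that has nothing to say about the certificate, leaves the evaluation passing with kSecTrustResultUnspecified (which is the normal "trusted, no explicit user setting" result, not an error). The default target path, the report structure and the error enum are assumptions for illustration; whether Apple actually publishes revocation data for a given certificate type is not something this code can settle, which is why it also reports the kSecTrustRevocationChecked flag from SecTrustCopyResult.

```swift
import Foundation
import Security

// Added example, not code from the thread. Follows the four steps in the post:
// 1) extract the signing chain, 2) build a revocation policy, 3) create a trust
// object, 4) evaluate it. Error cases and the report type are assumptions.

enum SigningCheckError: Error {
    case staticCode(OSStatus)
    case signingInfo(OSStatus)
    case noCertificateChain
    case trustCreation(OSStatus)
}

struct RevocationReport {
    let leafSubject: String
    let trustResult: SecTrustResultType
    let revocationChecked: Bool   // did the evaluation actually consult OCSP/CRL data?
    let error: Error?             // non-nil when evaluation failed (e.g. errSecCertificateRevoked)
}

/// Step 1: pull the certificate chain (leaf first) out of the code signature.
func signingChain(forPath path: String) throws -> [SecCertificate] {
    var staticCode: SecStaticCode?
    var status = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, [], &staticCode)
    guard status == errSecSuccess, let code = staticCode else { throw SigningCheckError.staticCode(status) }

    var info: CFDictionary?
    status = SecCodeCopySigningInformation(code, SecCSFlags(rawValue: kSecCSSigningInformation), &info)
    guard status == errSecSuccess, let dict = info as? [String: Any] else { throw SigningCheckError.signingInfo(status) }

    guard let chain = dict[kSecCodeInfoCertificates as String] as? [SecCertificate], !chain.isEmpty else {
        throw SigningCheckError.noCertificateChain
    }
    return chain
}

/// Steps 2-4: build the policies, create the trust object, and evaluate it.
/// `requirePositiveResponse` turns "no revocation information available" into a
/// failure instead of the default soft-fail.
func checkRevocation(forPath path: String, requirePositiveResponse: Bool = true) throws -> RevocationReport {
    let chain = try signingChain(forPath: path)

    var flags: CFOptionFlags = kSecRevocationUseAnyAvailableMethod
    if requirePositiveResponse { flags |= kSecRevocationRequirePositiveResponse }

    // The code-signing policy validates the chain for its intended purpose;
    // the revocation policy layers the OCSP/CRL check on top of it.
    let policies: [SecPolicy] = [
        SecPolicyCreateWithProperties(kSecPolicyAppleCodeSigning, nil),
        SecPolicyCreateRevocation(flags),
    ].compactMap { $0 }

    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray, policies as CFArray, &trust)
    guard status == errSecSuccess, let trustObject = trust else { throw SigningCheckError.trustCreation(status) }
    SecTrustSetNetworkFetchAllowed(trustObject, true)   // allow OCSP/CRL fetches during evaluation

    var evalError: CFError?
    let trusted = SecTrustEvaluateWithError(trustObject, &evalError)

    var result = SecTrustResultType.invalid
    SecTrustGetTrustResult(trustObject, &result)

    // SecTrustCopyResult reports, among other things, whether revocation was checked at all.
    let details = SecTrustCopyResult(trustObject) as? [String: Any] ?? [:]
    let revocationChecked = details[kSecTrustRevocationChecked as String] as? Bool ?? false

    let leafSubject = (SecCertificateCopySubjectSummary(chain[0]) as String?) ?? "<unknown>"
    return RevocationReport(leafSubject: leafSubject, trustResult: result,
                            revocationChecked: revocationChecked, error: trusted ? nil : evalError)
}

// Usage: pass the bundle or executable path on the command line (default path is an assumption).
// .unspecified or .proceed with a nil error means trusted and not known to be revoked;
// a revoked leaf surfaces as a non-nil error and .recoverableTrustFailure.
let target = CommandLine.arguments.dropFirst().first ?? "/Applications/Safari.app"
do {
    let report = try checkRevocation(forPath: target)
    print("leaf:", report.leafSubject)
    print("trust result:", report.trustResult.rawValue, "revocation checked:", report.revocationChecked)
    if let error = report.error { print("trust error:", error) }
} catch {
    print("failed:", error)
}
```

Build with `swiftc` on a Mac and run it once against a known-good app and once against the test binary. If the revoked binary still evaluates to .unspecified with `revocationChecked == false`, the evaluation never obtained revocation data for that chain, which is the situation the rest of the thread discusses; with the positive-response flag set, that case is reported as an error instead of being silently accepted.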

I want to do the following

Understood, but to what purpose? Why are you trying to do this? What sort of product are you building? What action will it take based on this result?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It is an Endpoint Security product where an admin controls end-user systems. One control is "Reporting files whose certificates have been revoked by the owner". The steps I am trying to follow to achieve the above objective are given in my previous reply. So please help me understand how I should test the revoked binaries using the SecTrustEvaluate API.

Thanks for the explanation.

There are four kinds of signed third-party code you might encounter:

  • Development signed code, signed with Apple Development: TTT [1], where TTT is a team

  • Distribution signed code, signed with Apple Distribution: TTT

  • Developer ID signed code, signed with Developer ID Application: TTT

  • Mac App Store signed code, signed with Apple Mac OS Application Signing

Which of these do you want to detect? And is that feasible?

IMO it’s pointless trying to run this check on development signed code. Such code is already so restricted that it doesn’t represent a meaningful threat.

I also think it’s kinda pointless doing this for distribution signed code. Remember that users are not supposed to run that code, and in many cases running it won’t work. See Don’t Run App Store Distribution-Signed Code for more on this.

You can’t run this check for Mac App Store signed code because all such code is signed by Apple with the same signing identity. Consider this:

% codesign -d -vvv "/Applications/PCalc.app"
…
Authority=Apple Mac OS Application Signing
…
% codesign -d -vvv "/Applications/Tap Forms 5.app"
…
Authority=Apple Mac OS Application Signing
…

Both of these Mac App Store apps are signed with the same certificate so, when Apple wants to block them from running, it has to use some mechanics other than certificate revocation.

And that leaves Developer ID. The problem with creating this check for Developer ID signed code is that it’s hard to test because you can’t easily create a revoked Developer ID certificate.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] There are also older, platform-specific development and distribution certificates.

Thanks for detailed explanation.

It is correct that Development signed code [signed with Apple Development: TTT] is already restricted, but as a developer I only have access to the 'Apple Development' certificate available in the Apple Developer account.

So, just to validate/test my application, is there any way to check the revocation status of a file signed by an 'Apple Development' certificate?

It is correct that Development signed code [signed with Apple Development: TTT] is already restricted

Yes. The restrictions depend on the platform:

  • On iOS and friends, development-signed code must be authorised by a provisioning profile, which is limited to a specific set of devices. For more on this, see TN3125 Inside Code Signing: Provisioning Profiles

  • On macOS, development-signed code that uses restricted entitlements needs a profile to authorise those requirements, and thus it follows the same rules as iOS. TN3125 goes into the details.

  • macOS development signed code that doesn’t use restricted entitlements can run on any machine. However, such code is always blocked by Gatekeeper.

but as a developer I only have access to the Apple Development certificate available in the Apple Developer account.

The rules as to exactly which members of your team can do what are complex. For the details, see Developer > Support > Articles > Program Roles.

So, just to validate/test my application, is there any way to check the revocation status of a file signed by an Apple Development certificate?

Again, I’m not sure why you’d want to do that. Bad actors aren’t shipping Apple Development signed code because it doesn’t buy them anything more than unsigned code [1]. They both get blocked by Gatekeeper.

However, if you want to do that then the revocation policy (SecPolicyCreateRevocation) is the only feasible way. If that’s not working, I don’t have a lot of good advice for you. It’s possible that we simply don’t maintain a revocation list for development certificates. That’d make sense because, as I’ve explained in this thread, there’s not much point checking for revocation.

It’s possible that one of the CPSs on the Apple PKI page might address this issue; I’ve never read them in that level of depth.

It's also possible that Apple Platform Security might have some info relevant to your task.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Or ad hoc signed code, as required by Apple silicon.
