Tool: OSX Installer Verifier
The OSX Installer Verifier verifies OS X installer app bundles. Along with the command line tool, we are providing an independent and publicly verifiable database of file hashes for a number of Mac OS X Installer apps via GitHub.
The only legitimate way to get OS X installers is via the Mac App Store. This restriction causes several problems: the Mac App Store internally verifies downloads using an undocumented black-box mechanism, and it requires a personalized account, e.g. one tied to a credit card. This implies that only credit card owners with unhindered access to the internet and to the App Store may choose to trust that an already running OS X App Store client is not compromised with a backdoor and properly verifies the integrity of future downloads.
Apple does not provide simple file hashes or externally verifiable signatures in a standard format that would allow third parties to detect tainted downloads. Instead, Apple relies entirely on its self-designed code signing format, which uses complicated binary blobs that are parsed by different parsers from different code bases in different places. This overcomplication allows various problems to arise. One of them is that verifying a signature is only possible with Apple tools such as the codesign command line utility. Another is that this tool is unreliable, as the following example shows: we try to validate the current installer and the command line utility simply errors out:
$ codesign -v /Applications/Install\ OS\ X\ El\ Capitan.app/
/Applications/Install OS X El Capitan.app/: resource envelope is obsolete (custom omit rules)
But even when the tool works, there are far too many components to the verification process; for example, not every file inside a bundle has to be covered by code signing information. This means that without a detailed check it is not known whether all files were really verified. And all of this assumes that the various code signature binary blob parsers cannot be tricked into wrongly stating that a modified file is correctly signed. That serious problems like this can happen was shown not long ago by the "goto fail;" incident, where a coding error in Apple's code skipped the actual verification check for certain signatures completely. Betting on the idea that something like this will never happen again seems unwise.
Furthermore, with legal and technical means for state sponsored attacks in place, the fact that all downloads via the Mac App Store clearly identify the user could be a serious problem. People also download anything from the internet assuming it is legitimate, as we have seen recently with a backdoor in a widely spread fake Xcode.app, which in turn compromised a lot of App Store apps built with the fake Xcode.app.
We strongly believe software verification should be transparent to the user and it should be possible for a concerned end user to verify the integrity of the software running on their system. Unfortunately Apple does not provide a suitable way for end users to verify the integrity of their downloads from the Mac App Store.
We therefore had to start our own open source database of assumed-good files. Our tool creates SHA-256 hashes of all files contained in an app bundle. This set of hashes can be compared with our hash database, which comes with the tool for offline usage. Creating hashes for large files can take a minute, so the result may be stored for later analysis.
The hash database consists of a JSON file for each hash set. You are invited to participate via pull request or dispute the validity of hashes by creating an issue.
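As an added illustration of the scheme described above (this is not the osx_verify code itself), the following Python hashes every regular file below a bundle with SHA-256, serializes the result to JSON and diffs a later scan against that reference; the flat {relative path: digest} JSON layout, the bundle contents and the tampering are constructed for this example.

```python
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so multi-GB installer payloads never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def hash_bundle(bundle_dir):
    """Map every regular file in the bundle (path relative to its root) to its SHA-256 hex digest."""
    hashes = {}
    for root, _dirs, files in os.walk(bundle_dir):
        for name in files:
            full = os.path.join(root, name)
            if not os.path.islink(full):  # a link's target is hashed where it actually lives
                hashes[os.path.relpath(full, bundle_dir)] = sha256_file(full)
    return hashes

def compare(scanned, reference):
    """Return (mismatched, missing, unexpected) paths; three empty lists mean a perfect match."""
    mismatched = sorted(p for p in scanned if p in reference and scanned[p] != reference[p])
    missing = sorted(set(reference) - set(scanned))
    unexpected = sorted(set(scanned) - set(reference))
    return mismatched, missing, unexpected

def _write(bundle, rel, data):
    path = os.path.join(bundle, rel)  # fixture helper for the constructed bundle below
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed scenario: hash a known-good bundle into JSON, then re-check a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "Install Example.app")
        _write(bundle, "Contents/Info.plist", b"<plist/>")
        _write(bundle, "Contents/MacOS/Install", b"\xcf\xfa\xed\xfe good binary")
        # Flat {relative path: hex digest} JSON is this example's own layout, not necessarily the tool's.
        reference = json.loads(json.dumps(hash_bundle(bundle), sort_keys=True))
        clean = compare(hash_bundle(bundle), reference)
        # Tamper: patch the main binary and drop an extra file into the bundle.
        _write(bundle, "Contents/MacOS/Install", b"\xcf\xfa\xed\xfe backdoored binary")
        _write(bundle, "Contents/extra.bin", b"not in the database")
        tampered = compare(hash_bundle(bundle), reference)
    return clean, tampered
```

Note that a file missing from the scan, an extra file, and a changed file are reported separately, so a "perfect match" requires all three lists to be empty.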
tl;dr
Now, let's see the tool in action:
git clone https://github.com/sektioneins/osx_verify
cd osx_verify
./osx_verify.py --scan /Applications/Install\ OS\ X\ El\ Capitan.app
[+] loading database
[+] scanning files in /Applications/Install OS X El Capitan.app... (this may take a while)
[+] comparing...
[+] -----------
[+] Results for Install OS X Mavericks 10.9.3.app (./db/Install OS X Mavericks 10.9.3.app.json):
[+] 1211 files are different. use --verbose to see details
[+] Results for Install OS X Mavericks 10.9.1.app (./db/Install OS X Mavericks 10.9.1.app.json):
[+] 1211 files are different. use --verbose to see details
[+] Results for Install OS X Mavericks 10.9.5.app (./db/Install OS X Mavericks 10.9.5.app.json):
[+] 1211 files are different. use --verbose to see details
[+] Results for Install OS X Mavericks 10.9.0.app (./db/Install OS X Mavericks 10.9.0.app.json):
[+] 1210 files are different. use --verbose to see details
[+] Results for Install OS X Mountain Lion 10.8.2.app (./db/Install OS X Mountain Lion 10.8.2.app.json):
[+] 1205 files are different. use --verbose to see details
[+] Results for Install OS X Lion 10.7.3.app (./db/Install Mac OS X Lion 10.7.3.app.json):
[+] 1164 files are different. use --verbose to see details
[+] Results for Install OS X 10.10 Developer Preview.app (./db/Install OS X 10.10 Developer Preview.app.json):
[+] 360 files are different. use --verbose to see details
[+] Results for Install OS X Yosemite 10.10.1.app (./db/Install OS X Yosemite 10.10.1.app.json):
[+] 350 files are different. use --verbose to see details
[+] Results for Install OS X Yosemite 10.10.5.app (./db/Install OS X Yosemite 10.10.5.app.json):
[+] 350 files are different. use --verbose to see details
[+] Results for Install OS X 10.11 Developer Beta 1.app (./db/Install OS X 10.11 Developer Beta 1.app.json):
[+] 275 files are different. use --verbose to see details
[+] Results for Install OSX 10.11.2.app (./db/Install OS X El Capitan.10.11.2.app.json):
[+] perfect match
[+] bye.
Ben Fuhrmannek and Stefan Esser