spctl always rejects signed executables (not bundles)

Originator: mouse008
Number: rdar://25618668
Date Originated: 2016-04-08
Status: Open
Resolved:
Product: Mac OS X
Product Version: 10.11.4
Classification: bug
Reproducible: always

The following illustrates the problem. Try to validate security policy for an executable provided and signed by Apple itself, say /usr/bin/perl:

$ spctl -a -vvvv -t exec /usr/bin/perl
/usr/bin/perl: rejected
source=obsolete resource envelope
origin=Software Signing
$ spctl -a --raw /usr/bin/perl
/usr/bin/perl: rejected
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>assessment:authority</key>
	<dict>
		<key>assessment:authority:source</key>
		<string>obsolete resource envelope</string>
		<key>assessment:authority:weak</key>
		<true/>
	</dict>
	<key>assessment:cserror</key>
	<integer>-67002</integer>
	<key>assessment:remote</key>
	<true/>
	<key>assessment:verdict</key>
	<false/>
</dict>
</plist>
$ codesign -vvvv /usr/bin/perl
/usr/bin/perl: valid on disk
/usr/bin/perl: satisfies its Designated Requirement
$ codesign -display --requirements - --verbose=4 /usr/bin/perl
Executable=/usr/bin/perl
Identifier=com.apple.perl
Format=Mach-O universal (i386 x86_64)
CodeDirectory v=20100 size=223 flags=0x0(none) hashes=6+2 location=embedded
Platform identifier=1
Hash type=sha1 size=20
CandidateCDHash sha1=9300c0e021f7b525002e4b83f9c1cdb4201da168
Hash choices=sha1
CDHash=9300c0e021f7b525002e4b83f9c1cdb4201da168
Signature size=4105
Authority=Software Signing
Authority=Apple Code Signing Certification Authority
Authority=Apple Root CA
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none

Here's what the syslog entries say:

4/8/16 00:18:34.674 syspolicyd[905]: assessment denied for perl
com.apple.message.domain: com.apple.security.assessment.outcome2
com.apple.message.signature2: bundle:UNBUNDLED
com.apple.message.signature3: perl
com.apple.message.signature5: UNKNOWN
com.apple.message.signature4: 1
com.apple.message.signature: denied:obsolete resource envelope
SenderMachUUID: 1AE9CFA9-82E6-.......

4/8/16 00:18:34.674 syspolicyd[905]: com.apple.message.domain: com.apple.security.assessment.whitelist2
com.apple.message.signature: perl-55554944f0661fba7f9c37c98f8302dcb246618d
com.apple.message.signature2: 9300c0e021f7b525002e4b83f9c1cdb4201da168
com.apple.message.result: fail
com.apple.message.signature3: f112f9a3fcbce80855d1f43b0d5d230f48fae84c
com.apple.message.reason: -67002
SenderMachUUID: 1AE9CFA9-82E6-.......
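
The `spctl -a --raw` plist above is the only machine-readable record of why an assessment failed, and the report shows it disagreeing with `codesign -v` on the same file. The following is an added example, not part of the radar and not Apple's code: it parses that plist with Python's `plistlib` (using the exact output quoted above as embedded sample input) and labels the rejection for triage. The function names, the `codesign_valid` parameter and the triage labels are this example's own assumptions; the mapping of the "obsolete resource envelope" source with `assessment:authority:weak` to a policy-level rejection of a bare executable is inferred from the outputs and Apple's response in this report, not from Apple documentation.

```python
"""Parse the plist printed by `spctl -a --raw` and summarise the verdict.

Added example (not part of the original radar). The plist below is a copy
of the `spctl -a --raw /usr/bin/perl` output quoted in the report, embedded
here so the example runs without macOS.
"""
import plistlib

# Constructed sample input: the report's own spctl --raw output for /usr/bin/perl.
SAMPLE_RAW = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>assessment:authority</key>
	<dict>
		<key>assessment:authority:source</key>
		<string>obsolete resource envelope</string>
		<key>assessment:authority:weak</key>
		<true/>
	</dict>
	<key>assessment:cserror</key>
	<integer>-67002</integer>
	<key>assessment:remote</key>
	<true/>
	<key>assessment:verdict</key>
	<false/>
</dict>
</plist>
"""


def parse_assessment(raw):
    """Return the assessment fields spctl emits, with booleans normalised.

    Missing keys default to False/None so the function also copes with an
    accepted verdict, where spctl omits the error and weak-authority keys.
    """
    data = plistlib.loads(raw)
    authority = data.get("assessment:authority", {})
    return {
        "verdict": bool(data.get("assessment:verdict", False)),
        "cserror": data.get("assessment:cserror"),
        "source": authority.get("assessment:authority:source"),
        "weak": bool(authority.get("assessment:authority:weak", False)),
        "remote": bool(data.get("assessment:remote", False)),
    }


def classify(assessment, codesign_valid):
    """Label a rejection for triage (labels are this example's own vocabulary).

    `codesign_valid` is the outcome of a separate `codesign -v` run on the
    same file; in the report that run succeeds while spctl still rejects.
    A rejection whose authority is marked weak with the "obsolete resource
    envelope" source is, per the report, Gatekeeper's policy against bare
    executables rather than a broken signature, so it is labelled as such.
    """
    if assessment["verdict"]:
        return "accepted"
    if not codesign_valid:
        return "rejected: signature invalid"
    if assessment["weak"] and assessment["source"] == "obsolete resource envelope":
        return "rejected: bare-executable policy (signature itself valid)"
    return "rejected: other policy reason (cserror %s)" % assessment["cserror"]


if __name__ == "__main__":
    result = parse_assessment(SAMPLE_RAW)
    print(result)
    print(classify(result, codesign_valid=True))
```

The point of keeping `codesign_valid` as a separate input is that `spctl` alone cannot tell you whether a bare executable's signature is intact: as the report shows, it rejects the file either way, so a monitoring script that alerts on any `spctl` rejection will flag every signed command-line tool on 10.11.4.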


Apple responded:

Please know that our engineering team has determined that this issue behaves as intended based on the information provided.

Gatekeeper (as of 10.11.4) rejects anything that isn’t an app (or “like” an app, such as a widget). This is part of a general hardening effort.
