Welcome to the MacNN Forums.

Authenticode Signing for Mac OS X
alex_kac
Grizzled Veteran
Join Date: Aug 2002
Location: Central Texas
May 29, 2006, 07:44 PM
 
Authenticode signing is a way to sign binary files (DLLs, EXEs) on Windows, Java, etc. to authenticate a binary as having been developed by a specific software house or something like that.

One thing I noticed today while going through the Authenticode signup at Thawte is they have a section for "Apple Developer Certificate" for "These certificates can be used by Apple developers with a future version of the Apple Mac OS to sign software for electronic distribution."

A few things intrigue me. First, I am not aware of signing for OS X at this time. I might be wrong... but I haven't seen it discussed before. Second, the "future version of the Apple Mac OS" part is interesting. Is this about Leopard?

So what do you think? Do current devs have the ability to use this now?
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 29, 2006, 08:46 PM
 
Interesting! No, I'm not aware of software signing for OS X now. And yes, I do think it's a very good idea. Malware will make its way to the Mac sooner or later, and it's best if Apple starts putting in the security infrastructure sooner rather than later.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
May 29, 2006, 09:39 PM
 
I've said it before, I'll say it again: If you think somebody's going to pay Thawte a gazillion dollars a year to distribute his $10 shareware, you're off your rocker. Signing software either a) severely limits your options as to what you can use, or b) is useless because you're using unsigned software anyway. As security, I don't think it's particularly awesome.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Mithras
Professional Poster
Join Date: Oct 1999
Location: :ИOITAↃO⅃
May 29, 2006, 10:18 PM
 
I agree, but it's more likely to be helpful to someone like my wife or mom, who don't (intentionally) run any shareware anyway, just Safari, Mail, and Word. Code signing can help them if something tries to hijack one of those standard apps.
     
alex_kac  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Central Texas
May 29, 2006, 10:46 PM
 
I don't believe that signing should be required. But I do think the OS should support it. Here is the difference. A signed app can't be modified which would be good to ensure that what you have is exactly what was shipped. No virus or trojan or anything that's infected it.

It's only about $200 for a signing certificate. $10 shareware apps can support that easily. I know - I write $10-$25 shareware apps for Windows Mobile, a smaller market than Mac OS X apps are.
     
Catfish_Man
Mac Elite
Join Date: Aug 2001
May 29, 2006, 11:09 PM
 
Originally Posted by alex_kac
I don't believe that signing should be required. But I do think the OS should support it. Here is the difference. A signed app can't be modified which would be good to ensure that what you have is exactly what was shipped. No virus or trojan or anything that's infected it.
Why wouldn't providing an md5 checksum and a nice GUI tool for using it do about the same thing?
     
alex_kac  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Central Texas
May 29, 2006, 11:13 PM
 
Well, mainly because it's not the same thing at all. For the user - sure. But how many grandmas are going to run this tool on their system files and apps daily or hourly?
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
May 30, 2006, 01:00 AM
 
How could a checksum be more troublesome than an overpriced certificate?

And quite frankly, if $200 per year per app is pocket change to you, it sounds like your apps are selling pretty well. I don't make my living selling cheapware and I wouldn't want to just throw a couple hundred away for no good reason.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
alex_kac  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Central Texas
May 30, 2006, 02:32 PM
 
Again, $200 a year would not be required. Nobody said that it would be required to sign the apps. It would be an added option. That's all. I'm not sure what's so bad about this.
     
Chuckit
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
May 30, 2006, 02:40 PM
 
EDIT: Actually, never mind.
( Last edited by Chuckit; May 30, 2006 at 03:30 PM. )
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."
     
Millennium
Clinically Insane
Join Date: Nov 1999
May 30, 2006, 02:42 PM
 
Originally Posted by Chuckit
How could a checksum be more troublesome than an overpriced certificate?
How do you certify that the checksum is valid? Anyone who hacks a site to put a malicious binary in place of the genuine one is probably capable of altering what the site says the checksum is supposed to be.
You are in Soviet Russia. It is dark. Grue is likely to be eaten by YOU!
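
The point made in the post above, as an added example that is not part of the original thread: a checksum published next to the download is replaced along with the binary when the site is compromised, while a signature can only be produced by whoever holds the publisher's private key. The key is a toy textbook-RSA key built from two Mersenne primes (an assumption made so the example runs with the standard library only, not a secure construction), and the file contents are constructed samples.

```python
import hashlib

# Toy RSA key (assumption for illustration): textbook RSA, no padding,
# special-form primes. Real signing uses a vetted library and a CA-issued cert.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key, shipped with the OS/user
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, never stored on the site


def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes) -> int:
    """Publisher side: sign the SHA-256 digest with the private exponent."""
    return pow(sha256_int(data), D, N)


def verify_signature(data: bytes, signature: int) -> bool:
    """User side: needs only the public key (N, E) obtained out of band."""
    return pow(signature, E, N) == sha256_int(data)


def verify_checksum(data: bytes, published_md5: str) -> bool:
    """User side: compares against whatever value the download site shows."""
    return hashlib.md5(data).hexdigest() == published_md5


def simulate_site_compromise() -> dict:
    genuine = b"constructed sample: app build 1.0"
    tampered = genuine + b" + injected payload"

    # What the publisher uploads: binary, its MD5, and a detached signature.
    site = {"binary": genuine,
            "md5": hashlib.md5(genuine).hexdigest(),
            "sig": sign(genuine)}

    # Whoever controls the web server can rewrite every file hosted on it,
    # including the checksum, but cannot compute a new signature without D.
    site["binary"] = tampered
    site["md5"] = hashlib.md5(tampered).hexdigest()

    return {
        "checksum_accepts_tampered": verify_checksum(site["binary"], site["md5"]),
        "signature_accepts_tampered": verify_signature(site["binary"], site["sig"]),
        "signature_accepts_genuine": verify_signature(genuine, site["sig"]),
    }


if __name__ == "__main__":
    print(simulate_site_compromise())
```
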
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 30, 2006, 07:03 PM
 
Originally Posted by alex_kac
Again, $200 a year would not be required. Nobody said that it would be required to sign the apps. It would be an added option. That's all. I'm not sure what's so bad about this.
No, but it would create a class-system of first-class (signed) applications and second-class (unsigned) applications.

There are better ways of doing security. This is not one of them.
     
alex_kac  (op)
Grizzled Veteran
Join Date: Aug 2002
Location: Central Texas
May 30, 2006, 09:29 PM
 
If this is the entire security system - sure. But it's not. It's part of a whole class. It's also used in Java, Solaris, Windows, and other OSes. It's a VERY good way of doing things.

And it does not create a class-system. Look at Windows. Most apps are not signed. The OS is. And that's really what this is about. For the companies that want to - this is very good. For those that don't - it's no different than now.

I think you guys are putting your head in the sand just because it's mostly associated with Windows.
     
Person Man
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
May 31, 2006, 01:07 PM
 
Originally Posted by alex_kac
I think you guys are putting your head in the sand just because it's mostly associated with Windows.
No. An association with Windows has NOTHING to do with it.

This topic has been discussed several times before:

http://forums.macnn.com/showthread.php?t=286044

http://forums.macnn.com/showthread.php?t=232745&page=2

And the general consensus has been that signing apps will do absolutely no good for overall security.

From the first thread linked to above:

Originally Posted by Big Mac
all the applications currently available are unsigned, and treating them as second class citizens makes absolutely no sense. It could not possibly serve security interests if 95% of installed applications were flagged as potential security risks. If Apple even tried to implement your suggestion, there would also likely be lawsuits from a whole host of third party developers with existing applications now disadvantaged by being flagged as potential risks.
From the second thread linked to above:

Originally Posted by piracy
App signing is fine, but that doesn't guarantee that an exploit still can't occur. Who's the signing authority? Why can't an app be signed containing "malicious" code? What even *is* malicious? The only thing signing does is provide accountability - it doesn't guarantee an app doesn't do something you don't want it to do. If Apple is the signing authority, a great deal of applications out there still wouldn't be signed, reducing the utility of such a signing initiative unless it could reach 90% or more of all applications and updaters that might be run on OS X. Further, app signing fundamentally only protects against a subset of trojan and/or social engineering type scenarios...the impact of which even without app signing would always be ridiculously low. Yes, it would suck if YOU were a victim of such a trojan, but the overall penetration into the Mac marketplace at large would always be statistically negligible. And finally, as long as you're downloading updaters and applications from reputable sources, your likelihood of being caught in the extremely unlikely scenario where you might be downloading a trojan from an otherwise seemingly reputable source that *has not yet been discovered*, and processes started to "shut it down", is extremely, extremely low. Besides, the first iTunes 2.0 installer would have been signed...
So, if 95% of applications are unsigned, and get flagged as such, the average user will just click through that warning without even reading it, as most people do now on Windows.

Signing is not a viable solution to security problems. The big problem is EDUCATION! If we spent as much time and energy on properly educating people as we do on developing ineffective security systems which are fine IN THEORY, but fall flat on their face in practice, we would not need to put as much security infrastructure in place. (Note that I said "as much." Some security infrastructure is ALWAYS necessary.)
     
   
 