Retrieve and verify a package certificate

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby TheDarkKnight » Tue Mar 08, 2016 4:15 pm

In order to verify the signature of an application on disk, we can use SecStaticCodeCheckValidityWithErrors, which works as expected.
However, if this is used on a signed package, the following error occurs:

The operation couldn’t be completed. (OSStatus error -67062.)

where -67062 also indicates that the code isn't signed.

It appears that SecStaticCodeCheckValidityWithErrors only works with binary code or application bundles. This is confirmed by codesign, which also fails to verify the signature of a package.

It's not overly surprising, as a pkg isn't actually code, but rather data.

So, how can we programmatically obtain the certificate and verify the signature of a package (pkg), without resorting to calling an external process such as pkgutil?

Re: Retrieve and verify a package certificate

Postby Siguza » Thu Mar 24, 2016 8:52 pm

I found a thing on GitHub called xar-trust-signature which seems to be exactly what you're looking for.
It basically boils down to using the xar library to load the certificates, using some ssl library to check their validity, and then using the Security framework to check whether they're trusted by the system.
There doesn't seem to be any API for all that, but the .m file in that repo contains a function that takes a file path and returns a boolean indicating whether or not that path denotes a validly signed xar archive.
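The three-step approach Siguza describes (libxar for the certificates and signed data, a crypto library for the RSA check, the Security framework for trust), as an added example that is not from the thread or from the xar-trust-signature repository. It uses Apple's libxar header for the archive side and, instead of a separate SSL library, the Security framework for both the chain evaluation and the RSA verification. Assumptions, not established by the thread: the libxar calls and their signatures (xar_open, xar_signature_first/next, xar_signature_type, xar_signature_get_x509certificate_count/_data, xar_signature_copy_signed_data) are as in Apple's xar/xar.h; the signed data is a raw SHA-1/SHA-256/SHA-512 digest of the TOC and the signature is PKCS#1 v1.5 over it, so SecKeyVerifySignature (10.12 or later) can check it directly; the helper names verifyPackageSignature, copyTrustedLeaf, algorithmForDigestLength and pkg_status_t are mine.

```objc
// verify_pkg.m -- added example, not code from the thread or from xar-trust-signature.
// Build (assumed): clang -fobjc-arc -framework Foundation -framework Security -lxar verify_pkg.m -o verify_pkg
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#include <xar/xar.h>

/* Outcome of checking one xar/pkg. Hypothetical helper enum, not a libxar type. */
typedef enum { PKG_OK = 0, PKG_UNSIGNED, PKG_BAD_SIGNATURE, PKG_UNTRUSTED, PKG_ERROR } pkg_status_t;

/* Pick the PKCS#1 v1.5 digest algorithm from the length of the signed TOC checksum.
   Assumption: libxar hands back the raw SHA-1/256/512 digest of the TOC as the signed data. */
static SecKeyAlgorithm algorithmForDigestLength(uint32_t len) {
    switch (len) {
        case 20: return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA1;
        case 32: return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA256;
        case 64: return kSecKeyAlgorithmRSASignatureDigestPKCS1v15SHA512;
        default: return NULL;
    }
}

/* Build the certificate chain embedded in the signature and evaluate it against the
   system trust store. Returns the retained leaf certificate if the chain is trusted. */
static SecCertificateRef copyTrustedLeaf(xar_signature_t sig) {
    int32_t count = xar_signature_get_x509certificate_count(sig);
    if (count < 1) return NULL;
    NSMutableArray *chain = [NSMutableArray arrayWithCapacity:(NSUInteger)count];
    for (int32_t i = 0; i < count; i++) {
        const uint8_t *der = NULL; uint32_t derLen = 0;
        if (xar_signature_get_x509certificate_data(sig, i, &der, &derLen) != 0) return NULL;
        NSData *data = [NSData dataWithBytes:der length:derLen];
        SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)data);
        if (!cert) return NULL;                       // not DER, or otherwise unparseable
        [chain addObject:(__bridge_transfer id)cert];
    }
    SecPolicyRef policy = SecPolicyCreateBasicX509();
    SecTrustRef trust = NULL;
    OSStatus st = SecTrustCreateWithCertificates((__bridge CFArrayRef)chain, policy, &trust);
    CFRelease(policy);
    if (st != errSecSuccess) return NULL;
    SecTrustResultType result = kSecTrustResultInvalid;
    st = SecTrustEvaluate(trust, &result);
    CFRelease(trust);
    if (st != errSecSuccess) return NULL;
    if (result != kSecTrustResultUnspecified && result != kSecTrustResultProceed) return NULL;
    // This only proves the chain ends at a root the system trusts. A production check should
    // also pin the expected signer (for example compare the leaf's SHA-256 fingerprint), since
    // any trusted certificate, not just an Apple-issued installer certificate, passes here.
    return (SecCertificateRef)CFRetain((__bridge CFTypeRef)chain[0]);
}

pkg_status_t verifyPackageSignature(const char *path) {
    xar_t x = xar_open(path, READ);
    if (!x) return PKG_ERROR;            // assumption: libxar refuses a TOC whose checksum is wrong
    pkg_status_t status = PKG_UNSIGNED;  // no signature element in the TOC at all
    for (xar_signature_t sig = xar_signature_first(x); sig; sig = xar_signature_next(sig)) {
        if (strcmp(xar_signature_type(sig), "RSA") != 0) continue;   // CMS signatures not handled
        status = PKG_UNTRUSTED;
        SecCertificateRef leaf = copyTrustedLeaf(sig);
        if (!leaf) break;
        status = PKG_BAD_SIGNATURE;      // chain trusted, but signature not yet proven
        uint8_t *digest = NULL, *sigBytes = NULL;
        uint32_t digestLen = 0, sigLen = 0;
        off_t offset = 0;
        if (xar_signature_copy_signed_data(sig, &digest, &digestLen, &sigBytes, &sigLen, &offset) == 0) {
            SecKeyAlgorithm alg = algorithmForDigestLength(digestLen);
            SecKeyRef pub = NULL;
            if (alg && SecCertificateCopyPublicKey(leaf, &pub) == errSecSuccess && pub) {
                CFDataRef d = CFDataCreate(NULL, digest, digestLen);
                CFDataRef s = CFDataCreate(NULL, sigBytes, sigLen);
                CFErrorRef err = NULL;
                if (SecKeyVerifySignature(pub, alg, d, s, &err)) status = PKG_OK;
                if (err) CFRelease(err);
                CFRelease(d); CFRelease(s); CFRelease(pub);
            }
            free(digest); free(sigBytes);
        }
        CFRelease(leaf);
        break;                           // one RSA signature is enough to decide
    }
    xar_close(x);
    return status;
}

int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s file.pkg\n", argv[0]); return 2; }
    static const char *names[] = { "signed by a trusted certificate", "unsigned",
                                   "signature does not match TOC", "certificate chain not trusted",
                                   "could not open archive" };
    pkg_status_t r = verifyPackageSignature(argv[1]);
    printf("%s: %s\n", argv[1], names[r]);
    return r == PKG_OK ? 0 : 1;
}
```

The order matters: the chain is evaluated first so that the public key used in SecKeyVerifySignature is one the system already trusts, and the TOC digest is checked against the signature only after that. An archive whose signature verifies but whose chain is self-signed therefore reports "certificate chain not trusted" rather than "signed", which is the distinction pkgutil --check-signature draws as well. Note, as TheDarkKnight's later post warns, that all of this is tied to the xar container format and would break if a future pkg format stopped using it.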

Re: Retrieve and verify a package certificate

Postby TheDarkKnight » Tue Apr 05, 2016 2:08 pm

Thanks Siguza,

I posed the same question to Apple and they state that there's currently no supported SDK method to check the signature of a package, so I've filed an enhancement request (for what it's worth!).

I also discovered the xar header and using that we can check the validity. Whilst I think it is unlikely any time soon, it is possible that the archive format of a pkg could change. After all, it used to be a bundle before they started using the xar archive.