# macos
m
Hi, I'm trying to understand how the `signature` table works on macOS in terms of the validation of a signature. I have a binary which has a valid ad-hoc signature (no team identifier and authority is available). I would expect the `is_signed` value to be `0`, but I'm getting `1`. Is it an expected behavior for being signed when there is a valid signature without team identifier and authority?
a
Not directly answering the question, but there’s tools like Apparency that are probably a nice way to check signatures…
There’s an ObjectiveSee one as well
m
Yeah, I used the WhatsYourSign tool as well. It displays an ad-hoc valid signature for the malicious binary. So, `signed = 1` in osquery does not mean the signature and hence the binary is trusted. It's kinda confusing 😕
s
Well… The binary is signed, right? I think you’d need to look at team_identifier and authority
m
the binary is signed, but the team_identifier and the authority is empty
s
Are they empty for a not-ad hoc signed binary?
Quickly testing my machine:
osquery> select path, signed, team_identifier, authority from signature where path in ('/usr/local/kolide-k2/bin/osqueryd', '/usr/local/kolide-k2/Kolide.app');
+-----------------------------------+--------+-----------------+-----------------------------------------------------------------------------+
| path                              | signed | team_identifier | authority                                                                   |
+-----------------------------------+--------+-----------------+-----------------------------------------------------------------------------+
| /usr/local/kolide-k2/Kolide.app   | 1      | X98UFR7HA3      | Developer ID Application: Kolide, Inc (X98UFR7HA3)                          |
| /usr/local/kolide-k2/Kolide.app   | 1      | X98UFR7HA3      | Developer ID Application: Kolide, Inc (X98UFR7HA3)                          |
| /usr/local/kolide-k2/Kolide.app   | 1      | X98UFR7HA3      | Developer ID Application: Kolide, Inc (X98UFR7HA3)                          |
| /usr/local/kolide-k2/bin/osqueryd | 1      | 3522FA9PXF      | Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF) |
| /usr/local/kolide-k2/bin/osqueryd | 1      | 3522FA9PXF      | Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF) |
| /usr/local/kolide-k2/bin/osqueryd | 1      | 3522FA9PXF      | Developer ID Application: OSQUERY A Series of LF Projects, LLC (3522FA9PXF) |
+-----------------------------------+--------+-----------------+-----------------------------------------------------------------------------+
m
No, if the app is signed and notarized, I get the team_identifier and authority information.
s
Does that help? If you want to understand what it’s doing, best thing is to look at the source for `genSignature`: https://github.com/osquery/osquery/blob/f3d84bb1b4ff3ac80260f33cba90e51cb6affe79/osquery/tables/system/darwin/signature.mm#L216
m
So, my confusion is about the meaning/interpretation of the `signed` value.
s
This is a wrapper over SecStaticCodeCheckValidityWithErrors. And it looks like `signed=1` happens when it returns success.
m
Although I can define a criteria like 'if signed = 1 and authority is null, then the signature is untrusted', maybe there could be a new column `trusted` for that.
Apparently, the signature verification operation does not care whether or not the signature is trusted
b
`signed` just indicates the presence of a valid signature. Ad-hoc or otherwise
It does not indicate the validity of the binary
a
'trusted by Apple, so gatekeeper/amfid will allow it' is always going to be dependent on if Apple revokes it or not for that binary/cert/team ID
m
I see, now it's more clear to me.