One of the new features in Leopard that people may not notice at first is code signing. It's not the sort of thing that makes for a flashy demo, so you may not have noticed.
When a software developer creates an application they can now optionally add a cryptographically-secure signature to it which can later be used to find out if the application was modified. It can also be used to identify a new version of an application in relation to an older version of the same application. If both are signed in the same way, Mac OS X won't notify you about the update and ask if it's OK for the new version to use the same keychain information as the old one.
Beginning with Mac OS X 10.5 Apple signs all of their applications.
What does modified mean in this situation? It's not as clear as one might think, but the basics are:
- Modifying the executable, the part that actually runs the program, will invalidate the signature.
- Removing platform-specific code (just the Intel or PowerPC part) can be an exception to this (more detail below).
- Removing language-specific localizations-- such as the parts needed to present menus and windows in a different language-- can be safely removed without invalidating the signature.
Macaroni and Code Signing
Which brings me to my main point. The authors of 1Password have run into some trouble with applications whose signatures get invalidated, in their case Safari's signature. As they describe in their Switcher's Blog, some of their customers found that 1Password no longer worked with Safari, and some detective work revealed that the problem was an invalid code signature.
Unfortunately while doing this they made the mistake of including Macaroni in the list of applications that could cause code signatures to become invalid. Almost immediately I started getting email from concerned users thinking that they needed to shut down Macaroni to protect their Macs. In fact Macaroni does not and has never removed platform-specific code from applications.
Many users have requested this feature since Intel Macs first appeared, and I did investigate it, but it seemed to be a technical and support mine field and so I left it out. It's not necessarily a bad idea to remove PowerPC code if you have an Intel Mac, or vice versa, but it seems like doing so is more of an expert move, to be done if you feel you have a good technical understanding of what you're doing and why. And if you do, you probably don't need Macaroni to help you with it. You could create a custom Macaroni job to automate the cleanup for you, but I still maintain that it has no place in the standard set of Macaroni jobs.
And now, a demo.
For demonstration purposes I'm going to look at Safari and Mail, both included with Leopard, and see what does and doesn't invalidate their signatures. I will of course be working on copies of the applications, because I'm going to be messing with their internals for your entertainment.
Demo: Localization cleanup
First I'll select Safari and open up the "Get Info" window. As you can see all of the languages Apple ships with it are present. There are 18 in all, though they don't all show up without some scrolling. Mail produces the same result.
I'll also verify that I'm starting with valid code signatures on both:
$ codesign -vvv Safari.app Safari.app: valid on disk $ codesign -vvv Mail.app Mail.app: valid on disk
Now I'll run Macaroni and have it remove localized files. After doing this, I bring up the "Get Info" window again and verify that everything except English has been removed:
And how about those code signatures?
$ codesign -vvv Safari.app Safari.app: valid on disk $ codesign -vvv Mail.app Mail.app: valid on disk
Looking good.
Demo: Platform code cleanup
Now I'm going to strip out the PowerPC code, leaving me with copies of the applications that work only on Intel Macs. I don't have any of the fancy utilities that does this for you, so instead I'm going with the command line and Apple's standard tools. There's more than one way to do this, but the easiest is probably to use "ditto". Besides copying files, ditto will optionally strip out platform-specific code while copying.
$ ditto --rsrc --arch i386 Safari.app Safari-i386.app $ ditto --rsrc --arch i386 Mail.app Mail-i386.app
And the signatures?
$ codesign -vvv Mail-i386.app/ Mail-i386.app/: valid on disk $ codesign -vvv Safari-i386.app/ Safari-i386.app/: a sealed resource is missing or invalid /tmp/Safari-i386.app/Contents/Resources/SafariSyncClient.app/ Contents/MacOS/SafariSyncClient: resource modified
Hmm, not so good for Safari there. Mail looks OK though.
Should you care?
If you're using both 1Password and you strip platform-specific code from your applications, you should be aware of this. As the 1Password developers have discovered, an invalid code signature can prevent their tool from working. This is exactly the kind of thing that stopped me from adding this kind of application stripping to Macaroni.
If you don't use 1Password, it's probably OK to strip platform-specific code if you want. Invalid code signatures might mean you'll have to enter your password more often after updating applications, but aside from that it doesn't look like you'll notice it. It may not be worth the effort though. Leopard's Mail.app starts out at 286.5MB. After removing localizations that drops by more than 90%, to 24.7MB. Removing PowerPC code on an Intel Mac reduces it further to 21.6MB, only another 1% or so off of the initial size.
Either way though, Macaroni's not going to hurt your code signatures.
Thu, 11/15/2007 - 22:37
This got me curious, as the method I've typically used to strip universal binaries is just to use "lipo -thin" (never even knew there was such an option in ditto). I tried running this on Safari's main executable (Contents/MacOS/Safari), and codesign -vvv reports Safari to still be valid afterwards. I wonder what the difference is between what lipo and ditto are doing? Maybe there's some other resources in the app bundle that ditto is stripping besides the main executable?
Thu, 11/15/2007 - 23:04
Brian, the key there is in the error message I got after thinning Safari. When you use ditto, it runs through the entire application bundle and things whatever it finds, but when you use lipo you target individual binaries. For some reason the SafariSyncClient binary doesn't seem to survive thinning. If you used lipo on that you'd get the same error as I did. I used ditto partly because it was easy and partly because it re-created the problem described in the Switchers Blog post.
Wed, 11/21/2007 - 03:38
According to the docs, the Resources directory is sealed with a checksum when the application is signed. liposucking the SafariSyncClient changes the checksum of the Resources directory, and there you go: no more signed Safari. Interestingly the Release Notes say "Do not put helper applications, plugins, and other separately signed code into the Resources directory of a bundle. The Resources directory is directly sealed to the main executable. Put plugins into the Plug-Ins directory. Put helper tools into the executable directory. Put helper applications (with their own bundles) into the support directory", which it seems Safari fails at...SafariSyncClient should rightly go in /System/Library/Application Support/Safari and be signed with the Safari codesigning identity.
Wed, 11/21/2007 - 13:26
Thanks, leeg, that makes perfect sense.
Post new comment