Verification of App Signature
Reading the blog post https://blog.agilebits.com/2012/03/01/do-you-know-where-your-software-comes-from-gatekeeper-will-help/ I tried to validate my copy of 1Password I'm currently testing for 30 days. I downloaded the app from https://agilebits.com/onepassword.
Terminal output:
$ codesign -vvv -R="identifier com.agilebits and anchor trusted" /Applications/1Password\ 5.app
--prepared:/Applications/1Password 5.app/Contents/Frameworks/AgileLibrary-Mac.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/AgileLibrary-Mac.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Frameworks/HockeySDK.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/HockeySDK.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordCore-Mac.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordCore-Mac.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordDatabase-Mac.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordDatabase-Mac.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordDataModel-Mac.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordDataModel-Mac.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordUI-Mac.framework/Versions/Current/.
--validated:/Applications/1Password 5.app/Contents/Frameworks/OnePasswordUI-Mac.framework/Versions/Current/.
--prepared:/Applications/1Password 5.app/Contents/Helpers/1Password Updater.app
--validated:/Applications/1Password 5.app/Contents/Helpers/1Password Updater.app
--prepared:/Applications/1Password 5.app/Contents/Helpers/pngquant
--validated:/Applications/1Password 5.app/Contents/Helpers/pngquant
--prepared:/Applications/1Password 5.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app
--validated:/Applications/1Password 5.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app
/Applications/1Password 5.app: valid on disk
/Applications/1Password 5.app: satisfies its Designated Requirement
test-requirement: code failed to satisfy specified code requirement(s)
The last line looks bad. From reading the blog I expected to get the following output:
/Applications/1Password.app: valid on disk
/Applications/1Password.app: satisfies its Designated Requirement
/Applications/1Password.app: explicit requirement satisfied
Did I miss something?
Furthermore I'm curious where to find the checksums for your apps. For security reasons I'd like to check whether the app downloaded from the Mac App Store is still the same which has been submitted by Agilebits (and hasn't been modified by Apple or another man in the middle).
Thanks in advance!
Comments
That's a really excellent question, @HappyUser!
I just tried here and was able to reproduce what you're seeing. I was able to get it to show up right by tweaking the command slightly to be:
codesign -vvv -R="identifier com.agilebits.onepassword4 and anchor trusted" 1Password\ 5.app
It looks like Apple's recommendation for this changed at one point where the identifier should now be the bundle identifier and not just the prefix.
We have MD5 sums available for our apps, but only the Webstore versions of them. You can access them by going to our release notes page, and every download URL has a corresponding MD5 URL. All you need to do is add ".md5" to the URL and you'll get an MD5 sum of that download. For example: https://cache.agilebits.com/dist/1P/mac4/1Password-5.1.zip.md5
We can only provide the MD5 sums for our Webstore versions, because the reality is that Apple does in fact change our app while it's in their hands. Part of the Mac App Store submission process is a re-signing of the app. This would change the checksum. The re-signing on their part is necessary as this is part of what allows them to only allow Mac App Store-certified apps to have access to resources like iCloud.
I hope this answers your questions. I love it when users ask this kind of stuff.
Rick