
Validating Your Version of Xcode - davidbarker
https://developer.apple.com/news/?id=09222015a
======
cjensen
Am I understanding this correctly: the devs who downloaded Xcode from an
unknown source _disabled gatekeeper_ to get it to run?

That's unbelievably stupid dev behavior, if true.

~~~
klausa
I see a lot of people saying they disable Gatekeeper on purpose.

Is the "right-click and open" trick that disables Gatekeeper _for that app_
generally unknown? Or do people value not being assed to do it more than
(potential) security upsides?

~~~
galad87
The right click trick works only if the app is not signed. If the app
signature is invalid it won't work. You have to disable gatekeeper completely
to open the invalid Xcode version.

~~~
jonknee
> The right click trick works only if the app is not signed. If the app
> signature is invalid it won't work.

Is it possible that the malware version of Xcode had its signature removed?

------
zmxv
The Xcode trojan author is believed to have also backdoored the Unity3D
engine.
[https://news.ycombinator.com/item?id=10256998](https://news.ycombinator.com/item?id=10256998)

------
e28eta
So, the next Trojan version of Xcode also needs to replace or corrupt spctl.

I should look at it (on iPad currently), but it seems like the right
combination of a custom Certificate Authority added to the keychain and
signing your malicious Xcode with a certificate signed by the CA would help.
Maybe also change the quarantine metadata on the file?

~~~
joosters
I can't remember if Xcode asks for admin privileges or not when you install
it...

...mind you, I guess that doesn't matter. If I unknowingly had a hacked
version and it prompted me for my password at install, I would enter it.

~~~
deathanatos
It does — it requires root to agree to the Xcode license:

[https://stackoverflow.com/questions/26197347/agreeing-to-the...](https://stackoverflow.com/questions/26197347/agreeing-to-the-xcode-ios-license-requires-admin-privileges-please-re-run-as-r)

This seems to even be required to run things like the stock git or gcc, and
I've always wondered how that isn't a violation of the GPL.

~~~
seiji
Yeah, I ran across "You must agree to Apple Terms and Conditions" when running
command line _make_ after an Xcode update last week.

So, then you have to run _sudo make_ to invoke the global license agreement
console interface, then you manually type 'agree', then it runs the original
command, except now you're running under sudo. In this case, that means it ran
_make_ as root, leaving root-owned artifacts all over my source tree.

------
0x0
Some news sources said Angry Birds 2 was trojanized, but "only" for the
Chinese version. Anyone have any more info on that? Because I didn't think you
could have separate binaries per location? Unless it is actually two entirely
separate apps? And why would they even have a separate binary for the Chinese
market (and why would they use a different build environment?)

~~~
chrisdroukas
It appears that a Chinese company named Kunlun licensed IP from Rovio and is
developing Angry Birds apps specifically for the Chinese market. Perhaps
they're also distributing the app themselves.

[http://www.rovio.com/en/news/press-releases/621/rovio-gets-w...](http://www.rovio.com/en/news/press-releases/621/rovio-gets-wings-to-fly-angry-birds-higher-in-china/2015)

~~~
0x0
Interesting.

Can you imagine the damage done to Rovio's credibility, simply because their
licensee got hit? The news sites only talk about "You should delete Angry
Birds 2". Nobody ever mentions or explains this third party.

------
gress
The responses on this thread seem to prove that Apple knows what it is doing
with its security strategy. The fact that people blindly disable protections
and end up causing massive malware outbreaks is exactly the reason they are
introducing things like Gatekeeper and Rootless. Arguably, this incident is
evidence in favor of them locking down Gatekeeper further.

------
simonvc
What output is expected when you run the command? I get:

    $ spctl --assess --verbose /Applications/Xcode.app
    /Applications/Xcode.app: rejected
    source=obsolete resource envelope

I downloaded Xcode via the App Store, but have disabled Gatekeeper (re-enabled
it before running this command).

~~~
Laaw
I got:

    /Applications/Xcode.app: accepted
    source=Mac App Store
    override=security disabled

Which I _think_ means I have Gatekeeper disabled, but it still gave me the
'accepted' response.

~~~
perrycynic
spctl(1) gives you Gatekeeper's acceptance status. If you disabled it, it will
(almost) always say "accepted", but in this case it may be "accepted because
you turned me off, you XXX." Check the spctl(1) manpage for more options. A
recent version will support the --enforce-assessment option to tell you what
the real answer is. And turn the dang thing back on while you're at it. :-)

------
hjuutilainen
The problem with "spctl" is that it also evaluates trust which depends on your
system settings and you have to pay attention to the output (as pointed out in
the article). If you only want to verify the code signature _and_ provide your
own requirement string, you could use something like (long options for
legibility):

    $ codesign --verify --verbose --deep --test-requirement "=anchor apple" /Applications/Xcode.app/

The "anchor apple" means Apple’s own code, signed by Apple ("anchor apple
generic" for developer IDs too).

Add verbosity for all the gory details:

    $ codesign --verify --verbose=999 --deep --test-requirement "=anchor apple" /Applications/Xcode.app/

~~~
perrycynic
Note that "anchor apple" means "signed by Apple's build system". It will not
cover the Xcode you get from the Mac App Store (it uses a different kind of
signature). This incantation is good enough to check for "an Xcode I
legitimately got from a web page download."

------
patmcc
I'm getting "a sealed resource is missing or invalid", with a copy of Xcode I
know was installed from the App Store. Any ideas?

~~~
davidkhess
If you use `codesign -v --verbose /Applications/Xcode.app` you may see:

    file added: /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/share/man/whatis
    file added: /Applications/Xcode.app/Contents/Developer/usr/share/man/whatis

That should be safe.

It's a bit of a shock that Apple:

1) is modifying sealed containers post-install (it's the weekly periodic job
that rebuilds the whatis database from installed man pages)

2) doesn't realize this and has put out instructions that will cause lots of
false positives

~~~
patmcc
Thanks! Yep that was it, I owe you one.

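The two readings perrycynic and davidkhess describe above, as an added example that is not code from the thread: a small POSIX shell classifier that treats `override=security disabled` as "no real verdict" and treats a sealed-resource complaint as benign only when the added file is a man-page whatis index. The transcripts are constructed from the shapes posted in the thread; the `file modified` line and its path are a hypothetical tampering case, not something the page reports.

```shell
#!/bin/sh
# Added example (not from the thread): interpret spctl / codesign output the
# way the posts above describe, so that "accepted" printed while Gatekeeper is
# off, or a whatis-only "file added", is not misread. Samples are constructed.

# spctl --assess --verbose transcripts, shaped like Laaw's and simonvc's posts.
SPCTL_DISABLED='/Applications/Xcode.app: accepted
source=Mac App Store
override=security disabled'
SPCTL_REJECTED='/Applications/Xcode.app: rejected
source=obsolete resource envelope'
SPCTL_OK='/Applications/Xcode.app: accepted
source=Mac App Store'

# Prints one of: verified | rejected | gatekeeper-off
classify_spctl() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^override=security disabled'; then
        echo gatekeeper-off   # Gatekeeper was off, so "accepted" is not a verdict
    elif printf '%s\n' "$out" | grep -q ': accepted$'; then
        echo verified
    else
        echo rejected
    fi
}

# codesign --verify --verbose transcripts (constructed; the whatis line matches
# davidkhess's post, the "file modified" line is a hypothetical tampering case).
CODESIGN_CLEAN='/Applications/Xcode.app: valid on disk'
CODESIGN_WHATIS='/Applications/Xcode.app: a sealed resource is missing or invalid
file added: /Applications/Xcode.app/Contents/Developer/usr/share/man/whatis'
CODESIGN_BAD='/Applications/Xcode.app: a sealed resource is missing or invalid
file modified: /Applications/Xcode.app/Contents/Developer/usr/bin/xcodebuild'

# Prints one of: clean | benign-whatis | suspect
classify_codesign() {
    out=$1
    # Any sealed-resource complaint other than an added man-page whatis index
    # is treated as suspect; grep exits 1 on no match, hence the "|| true".
    bad=$(printf '%s\n' "$out" | grep -E '^file (added|modified|missing): ' \
          | grep -v '^file added: .*/share/man/whatis$' || true)
    if [ -n "$bad" ]; then
        echo suspect
    elif printf '%s\n' "$out" | grep -q '^file added: '; then
        echo benign-whatis
    else
        echo clean
    fi
}
```

To use it on a real machine, feed the functions the captured output of `spctl --assess --verbose` or `codesign --verify --verbose` (remember codesign writes to stderr) instead of the constructed strings.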
------
ksec
Yes, there are connection problems downloading Xcode from Apple's site, since
there is the GFW.

But my biggest question is why Apple manages to get a CDN for their Live
Streaming Event, App Store, and Mac Apps but not for their developer
references and tools.

An honest mistake? Or sloppiness from their Cloud "Services" again?

------
ghshephard
Presuming, of course, that whatever process may have corrupted your version of
Xcode didn't also corrupt spctl.

Heh.

~~~
andreyf
That shouldn't be possible after OS X 10.11:
[https://en.wikipedia.org/wiki/System_Integrity_Protection](https://en.wikipedia.org/wiki/System_Integrity_Protection)

------
hamstergene
I've just run the recommended check on freshly downloaded older versions
(5.1.1 and 4.6.3), and they both appear rejected (source=matched cdhash).

~~~
perrycynic
These are explicit overrides programmed into Gatekeeper to deal with weak
Xcode signatures during the transition time to stronger signatures. They're
not a danger. Of course, Apple will tell you that you should use newer
devtools than that. :-)

------
mwcampbell
I wonder how Apple could even tell that the apps in question were built with a
counterfeit version of Xcode.

~~~
0x0
They probably scan for tell-tale trojan strings (like the C&C hostname) in the
binaries.

------
pawelkomarnicki
I always download Xcode from the App Store; I didn't even know you could do it
from another source :D

