Add 2 fields to code signature #1249

Closed
Trinity2019 opened this issue Feb 2, 2021 · 4 comments
Labels
enhancement New feature or request ready Issues we'd like to address in the future.

Comments

Trinity2019 commented Feb 2, 2021

Summary

Add the following fields to code_signature:

code_signature.team_id
code_signature.signing_id

Motivation:

Performance enhancement: collecting the team id and signing id can be done very fast, whereas collecting the signer name can be slow, so there are cases where a data shipper may not want to report the signer name and just report the team id and signing id.

Need to point out that team id and signing id are *OS (including macOS) specific and important for *OS. Combined together, they are enough for *OS to identify/verify the origin and authenticity of a software vendor's code. Apple takes care of the uniqueness of team id and also checks the reputation of the team/company. Signing id is also important for *OS to identify applications from a software vendor.

Other big vendors use team id and signing id (a.k.a. bundle id) for profiling/whitelisting/etc. purposes:
https://docs.microsoft.com/en-us/mem/intune/configuration/kernel-extensions-settings-macos
https://derflounder.wordpress.com/2018/04/12/whitelisting-third-party-kernel-extensions-using-profiles/
https://www.jamf.com/jamf-nation/discussions/28183/configure-apple-team-id-in-mdm-profile

Detailed Design:

  • example team_id:
    EQHXZ8M8AV // which is a team id for Google
    UBF8T346G9 // which is a team id for Microsoft
    suggested datatype for team id will be string
  • example signing_id:
    com.apple.xpc.launchd // which is the signing id for /sbin/launchd
    com.apple.xpc.proxy // which is the signing id for /usr/libexec/xpcproxy
    suggested datatype for signing id is string
@Trinity2019 Trinity2019 added the enhancement New feature or request label Feb 2, 2021
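
Added example (not part of the issue or of the ECS project's code): one way a data shipper could fill the two proposed fields from `codesign -dv` output and match on the pair rather than on the signing id alone. The sample text, the `com.example.updater` signing id, the allowlist and the function names are constructed for illustration, and the check assumes the signature itself has already been validated.

```python
# Constructed samples modelled on (abridged) `codesign -dv` output.
SIGNED = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.updater
Format=app bundle with Mach-O thin (x86_64)
TeamIdentifier=UBF8T346G9
"""

# An ad-hoc signature can carry any Identifier but has no team id.
ADHOC = """\
Executable=/tmp/updater
Identifier=com.example.updater
Format=Mach-O thin (x86_64)
Signature=adhoc
TeamIdentifier=not set
"""

# Hypothetical allowlist of (team_id, signing_id) pairs; the pairing is constructed.
ALLOWLIST = {("UBF8T346G9", "com.example.updater")}


def parse_codesign(text):
    """Map codesign key=value lines to the proposed code_signature fields."""
    raw = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("Identifier", "TeamIdentifier"):
            raw[key] = value.strip()
    fields = {}
    if raw.get("Identifier"):
        fields["code_signature.signing_id"] = raw["Identifier"]
    team = raw.get("TeamIdentifier")
    # "not set" means the signature carries no team id, so omit the field.
    if team and team != "not set":
        fields["code_signature.team_id"] = team
    return fields


def is_allowlisted(fields, allowlist=ALLOWLIST):
    """Match only on the full pair; a missing team id never matches."""
    team = fields.get("code_signature.team_id")
    signing = fields.get("code_signature.signing_id")
    if team is None or signing is None:
        return False
    return (team, signing) in allowlist
```

Binaries without a team id, including Apple's own platform binaries such as `/sbin/launchd`, fall through this check and need a separate trust decision.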
ebeahan commented Feb 2, 2021

Thanks for the detailed write-up, @Trinity2019! Would you be willing to open a PR for these changes?

I'm not familiar with code signing between different OSs, so the answer to the following may be a simple "no". 😅

Are there similar values/IDs provided by different OSs that would ever be relevant values for these fields, in addition to macOS/OSX?

Trinity2019 commented Feb 2, 2021

Hi @ebeahan, thanks for the quick response!
I just did some research and found a similar thing on Windows. On Windows 10, open "Windows PowerShell" as administrator. Type in the following command:
get-appxpackage
It'll show the information of store apps on that Windows. Here are some examples:

Name              : Microsoft.ZuneMusic
Publisher         : CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Architecture      : X64
ResourceId        : 
Version           : 10.20122.11121.0
PackageFullName   : Microsoft.ZuneMusic_10.20122.11121.0_x64__8wekyb3d8bbwe
InstallLocation   : C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.20122.11121.0_x64__8wekyb3d8bbwe
IsFramework       : False
PackageFamilyName : Microsoft.ZuneMusic_8wekyb3d8bbwe
PublisherId       : 8wekyb3d8bbwe

Name              : DellInc.DellUpdate
Publisher         : CN=F005DA31-7CE1-4D3E-ABEE-08A4AFF4F592
Architecture      : X86
ResourceId        : 
Version           : 4.1.15.0
PackageFullName   : DellInc.DellUpdate_4.1.15.0_x86__htrsf667h5kn2
InstallLocation   : C:\Program Files\WindowsApps\DellInc.DellUpdate_4.1.15.0_x86__htrsf667h5kn2
IsFramework       : False
PackageFamilyName : DellInc.DellUpdate_htrsf667h5kn2
PublisherId       : htrsf667h5kn2

Name              : NVIDIACorp.NVIDIAControlPanel
Publisher         : CN=D6816951-877F-493B-B4EE-41AB9419C326
Architecture      : X64
ResourceId        : 
Version           : 8.1.960.0
PackageFullName   : NVIDIACorp.NVIDIAControlPanel_8.1.960.0_x64__56jybvy8sckqj
InstallLocation   : C:\Program Files\WindowsApps\NVIDIACorp.NVIDIAControlPanel_8.1.960.0_x64__56jybvy8sckqj
IsFramework       : False
PackageFamilyName : NVIDIACorp.NVIDIAControlPanel_56jybvy8sckqj
PublisherId       : 56jybvy8sckqj

So on Windows, the closest match to *OS team id is PublisherId: 56jybvy8sckqj is NVIDIA; htrsf667h5kn2 is Dell; 8wekyb3d8bbwe is Microsoft.
The close match to signing id is PackageFamilyName: NVIDIACorp.NVIDIAControlPanel_56jybvy8sckqj for NVIDIA's ControlPanel app; DellInc.DellUpdate_htrsf667h5kn2 for the DellUpdate app, etc.
Or packageIdentityName (which is Name in the above examples) is also a close match to signing id on macOS: NVIDIACorp.NVIDIAControlPanel for the NVIDIA ControlPanel app.

@ebeahan ebeahan added the ready Issues we'd like to address in the future. label Feb 9, 2021
ebeahan commented Feb 18, 2021

Closed via #1269

@ebeahan ebeahan closed this as completed Feb 18, 2021
@Trinity2019

Thank you @ebeahan for all the help! And thanks @rw-access for the PR review!
