WhatsYourSign – Display Cryptographic Signing Information on Macs

Verifying a file’s cryptographic signature can help establish its origin and trustworthiness. Unfortunately, on Macs there’s no simple way to view a file’s signature via the UI. WhatsYourSign adds a menu item to Finder.app. Simply right- or control-click on any file to display its cryptographic signing information!

WhatsYourSign is a utility with a simple goal: from the UI, make it trivial to view any file’s cryptographic signing information. A file or binary’s cryptographic signature is important as it can identify its creator (Apple proper, a 3rd-party, etc.). Moreover, it can help determine whether a file should be trusted. For example, binaries signed by Apple can (always?) be trusted, while files that are unsigned may be untrusted or even malicious.

To install WhatsYourSign, first download the zip archive containing the application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive:

Then, simply double-click on ‘WhatsYourSign Installer.app’. Click ‘Install’ (or ‘Upgrade’) to install the tool:


Once WhatsYourSign is installed, one can simply control- or right-click on any file, then select the ‘Signing Info’ menu option to view the file’s cryptographic signing information.


Clicking on the ‘Signing Info’ menu option will open a window that displays the selected file’s cryptographic signing information (or lack thereof). Files that are signed by Apple proper will contain a green lock icon:


Files that are signed, but do not belong to Apple proper (i.e., are from the Mac App Store, or simply signed with an Apple Developer ID) will contain a black lock icon:


Finally, files that are unsigned will contain a red unlock icon:


Also, signed items whose signing certificate has been revoked will similarly contain a red unlock icon. For example, the certificate used to sign the Transmission application (that was infected with OSX/KeRanger) was revoked by Apple:


WhatsYourSign will also compute hashes for any item. Note that for application bundles the hash values represent the hash of the main executable binary. Simply click on the ‘view hashes’ text to view an item’s MD5, SHA1, and SHA256 hashes:
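
The same hashing rule can be reproduced outside the UI, for example to compare an item against a known hash. The following is an added example, not WhatsYourSign's own code; it assumes the standard bundle layout, in which Contents/Info.plist names the main executable under the CFBundleExecutable key and the binary sits in Contents/MacOS. The function names and the Sample.app bundle are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def main_executable(item: Path) -> Path:
    """Return the file to hash: a bundle's main executable, or the item itself."""
    if not item.is_dir():
        return item
    info = item / "Contents" / "Info.plist"
    if not info.is_file():
        raise ValueError(f"{item} is a directory but not a bundle (no Info.plist)")
    with info.open("rb") as fh:
        name = plistlib.load(fh).get("CFBundleExecutable")
    if not name:
        raise ValueError(f"{info} has no CFBundleExecutable key")
    macos = item / "Contents" / "MacOS"
    exe = macos / name
    # Reject a name that points outside Contents/MacOS (e.g. "../../x").
    if exe.parent.resolve() != macos.resolve():
        raise ValueError(f"CFBundleExecutable escapes the bundle: {name!r}")
    return exe


def item_hashes(item) -> dict:
    """MD5, SHA1 and SHA256 of a file, or of a bundle's main executable."""
    target = main_executable(Path(item))
    digests = {n: hashlib.new(n) for n in ("md5", "sha1", "sha256")}
    with target.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):  # stream in 1 MiB reads
            for d in digests.values():
                d.update(chunk)
    return {n: d.hexdigest() for n, d in digests.items()}


def make_sample_bundle(root: Path, payload: bytes) -> Path:
    """Build a constructed, minimal Sample.app so the example runs anywhere."""
    macos = root / "Sample.app" / "Contents" / "MacOS"
    macos.mkdir(parents=True)
    with (macos.parent / "Info.plist").open("wb") as fh:
        plistlib.dump({"CFBundleExecutable": "sample"}, fh)
    (macos / "sample").write_bytes(payload)
    return macos.parent.parent


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        app = make_sample_bundle(Path(tmp), b"constructed payload\n")
        print(item_hashes(app))
```

Hashing only the main executable means other files in the bundle (frameworks, helpers, resources) are not covered by these values.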


For any item that is entitled, WhatsYourSign will extract such entitlements. (For more information on entitlements, see Apple’s documentation on the subject). Simply click on the ‘view entitlements’ text to view an item’s entitlements. For example, here we can see the system_shove binary contains the all-powerful com.apple.rootless.install entitlement:


To uninstall WhatsYourSign, simply re-run the ‘WhatsYourSign Installer.app’. Clicking the ‘Uninstall’ button will fully remove WhatsYourSign from your Mac:


Components/Capabilities/Footprints
The following table briefly summarizes WhatsYourSign’s components, capabilities, and system footprint:

| Executable Component | Capability | System Footprint/Impact |
|---|---|---|
| WhatsYourSign Installer.app | Installs or uninstalls WhatsYourSign | Install: a) copies WhatsYourSign.app into the /Applications directory; b) registers the Finder extension WhatsYourSign.appex (found within WhatsYourSign.app/Contents/Plugins). Uninstall: a) unregisters the Finder extension, WhatsYourSign.appex; b) removes the /Applications/WhatsYourSign.app directory (which also removes WhatsYourSign.appex) |
| WhatsYourSign.app | A container for the Finder extension, WhatsYourSign.appex | None |
| WhatsYourSign.appex | The persistent WhatsYourSign component. Provides the ^-click ‘Signing Info’ menu option | None |

WhatsYourSign contains no networking capabilities.