gerrogg

Signature file with software download?


Are you asking about downloading the app or the malware definitions?

What do you mean "signature file"?

A file can be digitally signed and that's by applying a Digital Certificate embedded in the file as a Publisher's Certificate.  An application can be digitally signed by embedding a Publisher's Certificate in the executable.

There are no accompanying signature files.  Anti-malware signature files are not signed.  Other than signing an executable, some documents like a PDF can be digitally signed.

I mean like when I download Tails, it comes with a signature file to verify the binaries.

The app is signed with a valid Apple Developer ID which can be checked using RB App Checker Lite:

Evaluating the application “Malwarebytes”.

The application was signed by “Apple Root CA”, “Developer ID Application: Malwarebytes Corporation (GVZRY6KDKR)”.
    The (unverified) signing-time is: Dec 7, 2018 at 4:21:32 AM.
    The object code format is “app bundle with Mach-O thin (x86_64)”.
    The signature contains the Team ID “GVZRY6KDKR”.
    Both bundle and signing identifiers are “com.malwarebytes.mbam.frontend.launcher”.
    The signature specifies explicit requirements. 
        The requirements specify the Team ID “GVZRY6KDKR”.
            This matches the Team ID contained in the signature.
    The signature specifies resource rules (v1). 
    The signature specifies resource rules (v2). 
    Gatekeeper assessment: PASS (Developer ID). 
    Requirements and resources validate correctly.

The code signature has the UUID “4A35FB14-76C7-51BA-0786-1EB99E369243”.
    Executable code for x86_64 has the UUID “A95E705C-4318-3926-935C-233110D9710E”.

A signing-time snapshot of the application’s Info.plist was found. 
    Version 3.6 (3.6.21.2055) Copyright © 2018 Malwarebytes. All rights reserved.

The signature contains 3 certificates. 
    Certificate “Apple Root CA”: 
        Your keychain contains this trusted root certificate.
        Will expire on Feb 9, 2035.
    Certificate “Developer ID Certification Authority”: 
        Will expire on Feb 1, 2027.
    Certificate “Developer ID Application: Malwarebytes Corporation (GVZRY6KDKR)”: 
        Will expire on Apr 19, 2022.
        SHA1 fingerprint: “707A109F12B9A504136DC5933D12234A0824B7FD”.
        Team ID or Organizational Unit: “GVZRY6KDKR”.
            This matches the Team ID contained in the signature.

The application is probably from an authorized Apple Developer.

The application is not sandboxed.

The code signature contains entitlements. 
    Other entitlements:
        com.apple.security.get-task-allow: YES.

No auxiliary executables have been found.

or WhatsYourSign

[Screenshot]

I don't know what "Tails" is but...

You verify the binaries by their checksum and by their Digital Signature if they are signed.  The OS goes through an Online Certificate Status Protocol (OCSP) server that verifies its status, such as if the Certificate was revoked.

For example, here is a Windows-based Malwarebytes file.  This shows the file and its Properties, which show a Digital Signatures tab and the Certificates assigned to the binary.

[Screenshot]

This shows expanded information of the certificate...

[Screenshot]

This shows the Certificate Path from the Certificate Authority (CA) to the Publisher (Malwarebytes).

[Screenshot]

Now you can see how Apple does an Apple Development ID and how a Publisher's Certificate is used to authenticate the authenticity and "trust" of an application.

Edited by David H. Lipman

26 minutes ago, gerrogg said:

I mean like when I download Tails, it comes with a signature file to verify the binaries.

That approach is rarely used these days with the advocation of macOS Gatekeeper protection. Assuming you still have Gatekeeper enabled, Gatekeeper will scan the downloaded Malwarebytes-Mac-x.x.x.x.pkg file and notify you if it is not properly signed. 

If the Malwarebytes web site were hacked and a fake .pkg file were substituted that was validly signed by a malware developer (which has happened on a couple of other sites in the past) they would undoubtedly post a fake hash to match, if Malwarebytes were ever to implement such a system in the future. Apple would need to revoke that developerID and Malwarebytes would need to remove the malware and patch the means by which they were hacked. So having a hash signature would be of little or no use to you.
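
The scenario in the post above (a substituted installer validly signed under a different Developer ID) can pass Gatekeeper until Apple revokes that ID, but it fails a check that pins the publisher's Team ID. The following is an added example, not part of the original thread and not Malwarebytes' own tooling; it uses the Team ID GVZRY6KDKR from the RB App Checker Lite output earlier in the thread, and the function names and the sample codesign output are constructed for illustration:

```shell
#!/bin/sh
# Team ID from the RB App Checker Lite output quoted in this thread.
EXPECTED_TEAM_ID="GVZRY6KDKR"

# Read `codesign -dvv` output on stdin and print the TeamIdentifier value.
team_id_from_codesign() {
    awk -F= '$1 == "TeamIdentifier" { print $2; exit }'
}

# Succeed only if the codesign output on stdin names the expected Team ID.
# Unsigned or ad hoc signed code reports "not set" and therefore fails.
team_id_matches() {
    actual=$(team_id_from_codesign)
    [ -n "$actual" ] && [ "$actual" = "$1" ]
}

# macOS only: seal integrity, Gatekeeper policy, then the Team ID pin.
verify_app() {
    app=$1
    codesign --verify --deep --strict "$app" ||
        { echo "FAIL: broken or missing signature"; return 1; }
    spctl --assess --type execute "$app" ||
        { echo "FAIL: rejected by Gatekeeper"; return 1; }
    codesign -dvv "$app" 2>&1 | team_id_matches "$EXPECTED_TEAM_ID" ||
        { echo "FAIL: validly signed, but not by team $EXPECTED_TEAM_ID"; return 1; }
    echo "OK: $app is signed by team $EXPECTED_TEAM_ID"
}

# Constructed samples of `codesign -dvv` output (abridged), for offline runs.
SAMPLE_GENUINE='Identifier=com.malwarebytes.mbam.frontend.launcher
Authority=Developer ID Application: Malwarebytes Corporation (GVZRY6KDKR)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=GVZRY6KDKR'
# Constructed: same bundle identifier, different (made-up) developer.
SAMPLE_OTHER_DEV='Identifier=com.malwarebytes.mbam.frontend.launcher
Authority=Developer ID Application: Example Developer (ABCDE12345)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
TeamIdentifier=ABCDE12345'

# Usage on macOS: sh verify.sh /path/to/App.app
if [ "$#" -gt 0 ]; then verify_app "$1"; fi
```

The expected Team ID has to come from a source other than the download page itself, otherwise a substituted installer and a substituted Team ID arrive together.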

Just to add to what has already been said, for instructions on how to validate the integrity of the installer and the software, see:

https://support.malwarebytes.com/docs/DOC-1994

Once installed, Malwarebytes for Mac does its own internal validity checks as well, and will alert you if it has been modified.
