signature check of fat binaries (keybase#16111)

serpacifico · Feb 19, 2019 · cfe1f89 · cfe1f89
1 parent 8278989
commit cfe1f89
Show file tree

Hide file tree

Showing 7 changed files with 12 additions and 12 deletions.
diff --git a/osx/Helper/Info.plist b/osx/Helper/Info.plist
@@ -9,11 +9,11 @@
 	<key>CFBundleName</key>
 	<string>Helper</string>
 	<key>CFBundleVersion</key>
-	<string>1.0.39</string>
+	<string>1.0.40</string>
 	<key>KBBuild</key>
 	<string>3</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.0.39</string>
+	<string>1.0.40</string>
 	<key>SMAuthorizedClients</key>
 	<array>
 		<string>anchor apple generic and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = &quot;99229SGT5K&quot;) and (identifier &quot;keybase.Installer2&quot; or identifier &quot;keybase.Keybase&quot;)</string>

diff --git a/osx/Helper/KBHelper.m b/osx/Helper/KBHelper.m
@@ -241,7 +241,7 @@ - (void)checkKeybaseResource:(NSURL *)bin withIdentifier:(NSString *)identifier
     NSString *nsRequirement = [NSString stringWithFormat:@"anchor apple generic %@ and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = \"99229SGT5K\")", identifier];
 
     SecRequirementCreateWithString((__bridge CFStringRef)nsRequirement,kSecCSDefaultFlags, &keybaseRequirement);
-    OSStatus codeCheckResult = SecStaticCodeCheckValidityWithErrors(staticCode, kSecCSDefaultFlags, keybaseRequirement, NULL);
+    OSStatus codeCheckResult = SecStaticCodeCheckValidityWithErrors(staticCode, (kSecCSDefaultFlags | kSecCSStrictValidate | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks), keybaseRequirement, NULL);
     if (codeCheckResult != errSecSuccess) {
       *error = KBMakeError(codeCheckResult, @"Binary not signed by Keybase");
     }

diff --git a/osx/Helper/fs.m b/osx/Helper/fs.m
@@ -56,7 +56,7 @@ +(void)checkKeybaseResource:(NSURL *)bin identifier:(NSString *)identifier error
     NSString *nsRequirement = [NSString stringWithFormat:@"anchor apple generic %@ and (certificate leaf[field.1.2.840.113635.100.6.1.9] /* exists */ or certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */ and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */ and certificate leaf[subject.OU] = \"99229SGT5K\")", identifier];
 
     SecRequirementCreateWithString((__bridge CFStringRef)nsRequirement,kSecCSDefaultFlags, &keybaseRequirement);
-    OSStatus codeCheckResult = SecStaticCodeCheckValidityWithErrors(staticCode, kSecCSDefaultFlags, keybaseRequirement, NULL);
+    OSStatus codeCheckResult = SecStaticCodeCheckValidityWithErrors(staticCode, (kSecCSDefaultFlags | kSecCSStrictValidate | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks), keybaseRequirement, NULL);
     if (codeCheckResult != errSecSuccess) {
       *error = KBMakeError(codeCheckResult, @"Binary not signed by Keybase");
     }

diff --git a/osx/Installer/Info.plist b/osx/Installer/Info.plist
@@ -15,25 +15,25 @@
 	<key>CFBundlePackageType</key>
 	<string>APPL</string>
 	<key>CFBundleShortVersionString</key>
-	<string>1.1.72</string>
+	<string>1.1.73</string>
 	<key>CFBundleSignature</key>
 	<string>KEYB</string>
 	<key>CFBundleVersion</key>
-	<string>1.1.72</string>
+	<string>1.1.73</string>
 	<key>KBFuseBuild</key>
 	<string>3.8.2</string>
 	<key>KBFuseVersion</key>
 	<string>3.8.2</string>
 	<key>KBHelperBuild</key>
-	<string>1.0.39</string>
+	<string>1.0.40</string>
 	<key>KBHelperVersion</key>
-	<string>1.0.39</string>
+	<string>1.0.40</string>
 	<key>LSMinimumSystemVersion</key>
 	<string>$(MACOSX_DEPLOYMENT_TARGET)</string>
 	<key>LSUIElement</key>
 	<true/>
 	<key>NSHumanReadableCopyright</key>
-	<string>Copyright © 2018 Keybase. All rights reserved.</string>
+	<string>Copyright © 2019 Keybase. All rights reserved.</string>
 	<key>NSMainNibFile</key>
 	<string>MainMenu</string>
 	<key>NSPrincipalClass</key>

diff --git a/osx/KBKit/KBKit/Component/KBAppBundle.m b/osx/KBKit/KBKit/Component/KBAppBundle.m
@@ -68,7 +68,7 @@ - (void)validate:(NSString *)sourcePath completion:(KBCompletion)completion {
     return;
   }
   CFErrorRef err;
-  if (SecStaticCodeCheckValidityWithErrors((SecCodeRef)staticCodeRef, kSecCSDefaultFlags, requirementRef, &err) != errSecSuccess) {
+  if (SecStaticCodeCheckValidityWithErrors((SecCodeRef)staticCodeRef, (kSecCSDefaultFlags | kSecCSStrictValidate | kSecCSCheckNestedCode | kSecCSCheckAllArchitectures | kSecCSEnforceRevocationChecks), requirementRef, &err) != errSecSuccess) {
     completion(KBMakeError(-1, @"Failed to validate bundle signature: Check"));
     return;
   }

diff --git a/packaging/desktop/kbfuse.sh b/packaging/desktop/kbfuse.sh
@@ -15,7 +15,7 @@ cd $dir
 client_dir="$dir/../.."
 fuse_dir="$client_dir/osx/Fuse"
 tmp_dir="/tmp/desktop-kbfuse"
-installer_url="https://prerelease.keybase.io/darwin-package/KeybaseInstaller-1.1.72-darwin.tgz"
+installer_url="https://prerelease.keybase.io/darwin-package/KeybaseInstaller-1.1.73-darwin.tgz"
 
 if [ "$EUID" -ne 0 ]; then
   echo "Please run as root"

diff --git a/packaging/desktop/package_darwin.sh b/packaging/desktop/package_darwin.sh
@@ -97,7 +97,7 @@ shared_support_dir="$out_dir/Keybase.app/Contents/SharedSupport"
 resources_dir="$out_dir/Keybase.app/Contents/Resources/"
 
 # The KeybaseInstaller.app installs KBFuse, keybase.Helper, services and CLI via a native app
-installer_url="https://prerelease.keybase.io/darwin-package/KeybaseInstaller-1.1.72-darwin.tgz"
+installer_url="https://prerelease.keybase.io/darwin-package/KeybaseInstaller-1.1.73-darwin.tgz"
 # KeybaseUpdater.app is the native updater UI (prompt dialogs)
 updater_url="https://prerelease.keybase.io/darwin-package/KeybaseUpdater-1.0.6-darwin.tgz"