"The process has no code signature. The executable can be maliciously modified without being detected."

akseeker
Posts: 3
Joined: Tue Aug 29, 2017 10:16 am


Post by akseeker » Tue Aug 29, 2017 10:31 am

Getting Little Snitch warnings of "The process has no code signature. The executable can be maliciously modified without being detected." for a formerly trusted site/URL.

Is this a feature of the new Little Snitch? I don't recall that verbiage in the previous version.

Is this something the developers need to modify in their apps?

Any ideas?

Full text of a recent warning:


freshclam
wants to connect to cdn.clamxav.com on TCP port 80 (http)
The process has no code signature. The executable can be maliciously modified without being detected.

IP Address: 89.255.250.53
Reverse DNS Name: No Reverse Name
Established by: /usr/local/clamXav/bin/freshclam
Process ID: 15660
Code Signature: not signed
User: root (U ID: 0)

ctwise
Rank 1
Posts: 21
Joined: Tue Apr 14, 2009 3:19 pm


Post by ctwise » Tue Aug 29, 2017 2:28 pm

Little Snitch tracks the application signatures that macOS supports. Applications are signed by developers using the development certificates they get from Apple. All apps purchased through the Mac App Store are signed. Developers can also sign apps outside of the app store. As far as I know, only *.app bundles can be signed, which means that apps that install command-line tools outside of their app bundles can't sign those command-line tools. So /usr/local/clamXav/bin/freshclam won't have a signature.

Signatures are used to verify that an application comes from a "known" developer and they verify that an application hasn't been altered since installation. If you later update an app you would expect to get a Little Snitch warning that the application signature had changed. If you _hadn't_ updated the app and got a Little Snitch warning, then you should immediately be suspicious. It's possible the app modified _itself_ but it's also possible some other application/virus/malware modified it.

akseeker
Posts: 3
Joined: Tue Aug 29, 2017 10:16 am


Post by akseeker » Tue Aug 29, 2017 9:58 pm

Got a reply from ClamXAV:

ClamXAV Support wrote: The "no code signature" message refers to the tool we're using to perform the download - what it's telling you is that although ClamXAV is signed by us, one of the download tools we use isn't signed. This is perfectly normal and nothing to worry about at all.

We have changed this in a future version of ClamXAV so that the whole toolchain is signed and we expect to release the update this week. Please can you download the new version and check that you're no longer warned about this by Little Snitch.


So it appears it's an app-specific thing.

christian
Objective Development
Posts: 1443
Joined: Thu Nov 09, 2006 11:46 am


Post by christian » Tue Sep 05, 2017 10:40 pm

The reaction - a fix within a week - shows that Little Snitch indeed revealed a security risk. Luckily the developers are aware of this and provide a fix in a timely manner.

marco
Objective Development
Posts: 64
Joined: Mon Jul 28, 2014 3:00 pm
Location: Vienna, Austria


Post by marco » Wed Sep 06, 2017 9:01 am

ctwise wrote: As far as I know, only *.app bundles can be signed which means that apps that install command-line tools outside of their app bundles can't sign those command-line tools. So /usr/local/clamXav/bin/freshclam won't have a signature.


Just to clarify: Plain old executables like command-line tools can actually be signed just the same as app bundles (also .framework bundles, .dylib libraries, etc.). Little Snitch does check that, too.

ctwise wrote: If you later update an app you would expect to get a LittleSnitch warning that the application signature had changed.


Actually, the relevant parts of the code signature do not change when you install an update of an app. The signature is used by macOS as well as Little Snitch to identify the app across version changes. It contains the bundle identifier of the app (like at.obdev.LittleSnitchConfiguration) and the developer’s unique team identifier that is provided by Apple (like MLZF7K7B5R for Objective Development). The only reason the code signature of an app or a process needs to change is if one or both of those two identifiers change.

If that happens, Little Snitch will alert you if you have existing rules that require the old code signature. Also, macOS forces the app to ask again for permissions to access your Contacts, Calendars, Reminders, Location, Keychain Access, etc.

One of the most likely scenarios for this is when a developer sells the code of an app to another developer and therefore the next version of the app will have a code signature with a different team identifier.
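
Added example (not part of the thread, and not Little Snitch or ClamXAV code): a shell sketch of the identity comparison described in the post above, reading the key=value text that `codesign -dv --verbose=4` prints. The sample outputs, the function names, the CDHash values and the team identifier ABCDE12345 are constructed for illustration; the two obdev identifiers are the ones quoted in the post.

```shell
#!/bin/sh
# Reads the text `codesign -dv --verbose=4 <path>` writes to stderr and prints
# "<Identifier> <TeamIdentifier>", or "unsigned" when there is no signature.
sig_identity() {
    awk -F= '
        /code object is not signed at all/ { unsigned = 1 }
        $1 == "Identifier"     { id = $2 }
        $1 == "TeamIdentifier" { team = $2 }
        END {
            if (unsigned || id == "") print "unsigned"
            else print id, (team == "" ? "not-set" : team)
        }'
}

# Classify the change between two codesign outputs (old version, new version).
compare_identity() {
    old=$(printf '%s\n' "$1" | sig_identity)
    new=$(printf '%s\n' "$2" | sig_identity)
    if [ "$old" = "unsigned" ] || [ "$new" = "unsigned" ]; then
        echo "unsigned"
    elif [ "$old" = "$new" ]; then
        echo "same-identity"        # update: hashes differ, identity does not
    else
        echo "identity-changed"     # e.g. a different team identifier
    fi
}

# Constructed sample outputs; paths, CDHash values and ABCDE12345 are made up.
V1='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=at.obdev.LittleSnitchConfiguration
CDHash=1111111111111111111111111111111111111111
TeamIdentifier=MLZF7K7B5R'
V2='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=at.obdev.LittleSnitchConfiguration
CDHash=2222222222222222222222222222222222222222
TeamIdentifier=MLZF7K7B5R'
SOLD='Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=at.obdev.LittleSnitchConfiguration
CDHash=3333333333333333333333333333333333333333
TeamIdentifier=ABCDE12345'
UNSIGNED='/usr/local/clamXav/bin/freshclam: code object is not signed at all'

echo "update:     $(compare_identity "$V1" "$V2")"
echo "new owner:  $(compare_identity "$V2" "$SOLD")"
echo "not signed: $(compare_identity "$V1" "$UNSIGNED")"
# On a Mac: codesign -dv --verbose=4 /path/to/binary 2>&1 | sig_identity
```

The update case keeps the same identity even though the code hash differs, while a changed team identifier or a missing signature is reported separately.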
