🔒 [security] Validate code signature on auto-update#34
Conversation
- Parse hdiutil attach output dynamically to determine correct mount-point - Use codesign --verify to check signature validity of downloaded app before installation Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
|
👋 Jules, reporting for duty! I'm here to lend a hand with this pull request. When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down. I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job! For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with New to Jules? Learn more at jules.google/docs. For security, I will only act on instructions from the user who triggered this task. |
1 participant
🎯 What:
The application's auto-update mechanism previously downloaded a DMG, mounted it, and blindly copied the updated application bundle into
/Applications/Click2Minimize.appwithout performing any verification.This behavior exposed users to significant security risks. Because the update mechanism did not verify the application's integrity or signature before installation, it was vulnerable to Man-in-the-Middle (MITM) attacks during the download process (if TLS was compromised or bypassed) or malicious modification of the downloaded file locally. If an attacker could replace the legitimate
.dmgwith a tampered version, the application would automatically install and prompt the user to run the malicious payload with the application's inherited permissions. Additionally, the previous implementation hardcoded the volume mount point, which is susceptible to path hijacking/TOCTOU if a malicious actor pre-created the volume path.🛡️ Solution:
/Volumes/Click2Minimize), thehdiutil attachcommand now uses the-plistflag. ThedownloadDMGmethod parses the XML output usingPropertyListSerializationto dynamically identify the exactmount-pointallocated by the system, mitigating path prediction vulnerabilities./Applications, the implementation now invokes/usr/bin/codesign --verify -v <app_source_path>. The copy operation only proceeds ifcodesignexits with a status of0, confirming the application's signature is valid and intact. If verification fails, the update process is cleanly aborted and the user is redirected to the manual download page.hdiutil -plistoutput asynchronously usingreadabilityHandlerinstead of a synchronous blocking read inside theterminationHandlerto avoid a common deadlock pattern when standard output exceeds pipe buffer limits.PR created automatically by Jules for task 15054131464811650009 started by @hatimhtm