AD5011: RequireCodeSignature¶
Summary¶
| Property | Value |
|---|---|
| ID | AD5011 |
| Name | RequireCodeSignature |
| Category | Security |
| Severity | Warning |
| Applies to | Mach-O (macOS/iOS) |
Description¶
Code signing provides integrity verification and is required on iOS. On macOS, code signing enables Hardened Runtime, Library Validation, and other security features. Unsigned binaries cannot use modern security features and may be blocked by Gatekeeper.
How It Works¶
The rule checks for the presence of an LC_CODE_SIGNATURE load command in the Mach-O binary. This indicates the binary has been code signed.
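As an added example (not the analyzer's own code), the check expressed as a Mach-O load-command scan in Python: it walks the load commands of a thin image with bounds checks, returns where the LC_CODE_SIGNATURE blob lives, and runs against two constructed header-only images (a real file would need `open(path, "rb").read()`; fat/universal files would need slicing first). Finding the load command only shows the binary carries a signature; whether that signature validates is what `codesign --verify` answers.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # magic as read little-endian from a native-order file
MH_CIGAM, MH_CIGAM_64 = 0xCEFAEDFE, 0xCFFAEDFE  # same magics as read from a byte-swapped file
LC_UUID, LC_CODE_SIGNATURE = 0x1B, 0x1D

def parse_load_commands(data: bytes):
    """Return (endian, [(cmd, body), ...]) for a thin Mach-O; every offset is bounds-checked."""
    if len(data) < 28:
        raise ValueError("too short to hold a Mach-O header")
    (magic,) = struct.unpack_from("<I", data, 0)
    endian = "<" if magic in (MH_MAGIC, MH_MAGIC_64) else ">" if magic in (MH_CIGAM, MH_CIGAM_64) else None
    if endian is None:
        raise ValueError("not a thin Mach-O image (fat/universal files must be sliced first)")
    header_len = 32 if magic in (MH_MAGIC_64, MH_CIGAM_64) else 28  # mach_header_64 adds a reserved field
    ncmds, sizeofcmds = struct.unpack_from(endian + "II", data, 16)
    off, end, cmds = header_len, min(header_len + sizeofcmds, len(data)), []
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("load commands run past sizeofcmds or end of file")
        cmd, cmdsize = struct.unpack_from(endian + "II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command size")
        cmds.append((cmd, data[off + 8:off + cmdsize]))
        off += cmdsize
    return endian, cmds

def find_code_signature(data: bytes):
    """The AD5011 check: (dataoff, datasize) of the LC_CODE_SIGNATURE blob, or None when unsigned."""
    endian, cmds = parse_load_commands(data)
    for cmd, body in cmds:
        if cmd == LC_CODE_SIGNATURE:  # body is a linkedit_data_command: dataoff, datasize
            dataoff, datasize = struct.unpack_from(endian + "II", body, 0)
            if datasize == 0 or dataoff + datasize > len(data):
                raise ValueError("LC_CODE_SIGNATURE points outside the file")
            return dataoff, datasize
    return None

# Constructed sample images (not real binaries): a 64-bit arm64 MH_EXECUTE header plus load commands.
def build_macho64(load_cmds, total_len=0):
    body = b"".join(load_cmds)
    hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x0100000C, 0, 2, len(load_cmds), len(body), 0, 0)
    return (hdr + body).ljust(total_len, b"\0")

LC_UUID_CMD = struct.pack("<II", LC_UUID, 24) + bytes(16)
LC_CS_CMD = struct.pack("<IIII", LC_CODE_SIGNATURE, 16, 0x50, 0x10)  # signature blob at 0x50, 16 bytes
UNSIGNED = build_macho64([LC_UUID_CMD])                                # what AD5011 would flag
SIGNED = build_macho64([LC_UUID_CMD, LC_CS_CMD], total_len=0x60)      # padded so the blob fits at 0x50
```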
Why This Matters¶
Code signing is the foundation of Apple's security model. Without it, none of the advanced protections (Hardened Runtime, Library Validation, notarization) can be enabled, and the binary cannot prove its authenticity.
Apple Security Chain¶
Code signing enables each link in the chain:

```
Code Signing
└→ Hardened Runtime
   └→ Library Validation
      └→ Notarization
         └→ Gatekeeper approval
            └→ User trust
```

Without code signing, the entire chain breaks.
Platform Requirements¶
| Platform | Code Signing Requirement |
|---|---|
| iOS | Mandatory (won't run without) |
| watchOS/tvOS | Mandatory |
| macOS App Store | Mandatory |
| macOS Gatekeeper | Required for approval |
| macOS (developer) | Optional but recommended |
Security Benefits¶
| Benefit | Description |
|---|---|
| Integrity | Binary hasn't been modified |
| Identity | Comes from known developer |
| Revocation | Can be invalidated if compromised |
| Entitlements | Controlled capability access |
Hardened Runtime Requires Signing¶
Hardened Runtime protections:
- Disables debugger attachment
- Blocks runtime code modification
- Prevents loading unsigned libraries
- Restricts dyld environment variables
All of these require a valid code signature.
Tampering Detection¶
Signed binary:
1. Attacker modifies code
2. Signature verification fails
3. OS refuses to run binary
4. Attack prevented
Unsigned binary:
1. Attacker modifies code
2. No verification possible
3. OS runs modified binary
4. Attack succeeds
Code Signing Types¶
| Type | Use Case |
|---|---|
| Development | Testing on device |
| Ad Hoc | Limited distribution |
| App Store | App Store distribution |
| Developer ID | Outside App Store |
Notarization (macOS)¶
Notarization builds on code signing. With a binary that is both signed and notarized:
- Apple scans for malware
- Binary registered with Apple
- Gatekeeper approves instantly
- User sees "verified developer"
Security Benefits¶
- Integrity verification: Detects tampering with the binary
- Hardened Runtime: Only signed binaries can enable Hardened Runtime
- Library Validation: Prevents loading unsigned libraries
- Gatekeeper: macOS blocks unsigned apps from untrusted sources
- iOS requirement: All iOS apps must be signed
Without Code Signing¶
- No integrity verification
- Cannot enable Hardened Runtime protections
- Cannot enable Library Validation
- May be blocked by Gatekeeper
- Cannot run on iOS
Resolution¶
Xcode¶
Code signing is configured automatically for most projects:
- Select your target
- Go to Signing & Capabilities
- Ensure a valid signing identity is selected
Command Line¶
```sh
# Sign with a Developer ID (for distribution)
codesign -s "Developer ID Application: Your Name" binary

# Sign for local development (ad-hoc identity)
codesign -s - binary

# Sign with Hardened Runtime
codesign -s "Developer ID Application: Your Name" --options runtime binary
```
Verify Code Signature¶
```sh
# Check if binary is signed (prints the signing identity and flags)
codesign -dv binary

# Verify signature is valid
codesign --verify --strict binary
```
When to Suppress¶
This rule may be suppressed for:
- Development builds: Ad-hoc signing during development
- Build artifacts: Intermediate build outputs before final signing
- CI/CD pipelines: Signing happens in a later stage
Important Notes¶
- Signing alone doesn't enable Hardened Runtime; use `--options runtime`
- iOS requires a valid Apple-issued certificate
- macOS notarization requires code signing with Hardened Runtime
Related Rules¶
- AD5012 - Memory protection checks