A 3rd-party installer made certificate trust setting changes: how to identify the changes in Keychain Access.app?

Hi, I have a question about how to identify changes to my certificate trust settings made by a 3rd-party installer.


I just installed a macOS utility called "Plantronics Hub", which is used to manage settings and firmware for audio headsets made by Plantronics (now Poly).


During the install process, a dialog popped up with a Touch ID prompt, saying the installer wanted to "make changes to the System Certificate Trust Settings".


While my brain was still processing what that meant, my finger had already touched the Touch ID sensor and the install completed. I was left thinking "Oh no, what have I done!", and it was too late to stop it.


I then opened Keychain Access.app to see if I could identify what changes the installer had made to my certificate trust settings. This is where my uncertainty begins.


In Keychain Access.app, under the "System" keychain, I immediately saw a new self-signed root certificate called "Plantronics Hub" which says "This certificate is marked as trusted for all users". So this is almost certainly what it installed - or _one_ of the things it installed.


And clearly it's a problem: I don't want my system trusting random self-signed root certificates from hardware vendors. I only want my system trusting bona fide Certificate Authorities. If this certificate's private key was ever compromised, a malicious actor could then issue arbitrary certificates in any domain, and my macOS machine would blindly trust them!


So obviously I'll be deleting that.


But how can I tell if this was the _only_ change to my certificate trust settings made by this installer? Ideally there'd be some kind of "recently updated" view in Keychain Access.app, but there is no such view. I can see when certificates were issued and when they will expire - but I cannot see who installed them or when they were installed. There's no obvious way to tell which certificates were pre-installed by Apple, and which have been added later, and the difference between the "System" keychain and the "System Roots" keychain is not clear or explained in the documentation.


My concern is: what if the installer made other changes? How can I tell? Any help appreciated.


MacBook Pro 15″

Posted on Jul 10, 2023 12:08 PM

Question marked as Best reply

Posted on Jul 10, 2023 12:41 PM

enteq wrote:

My concern is: what if the installer made other changes? How can I tell? Any help appreciated.

Unfortunately, the only way is to review what the installer does. I recommend the Suspicious Package app for such tasks: https://www.mothersruin.com/software/SuspiciousPackage/


I went ahead and looked myself. The included uninstaller doesn't seem to delete the certificates, so you'll definitely have to do this manually.


It stores one certificate in "$HOME/Library/Application Support/Plantronics/.REST". If you have already removed this certificate from the system keychain, then you should be good. But you can go ahead and remove the "Plantronics" folder too.


It also adds a certificate to all profiles inside "$HOME/Library/Application Support/Firefox/Profiles/". Look for a "cert_override.txt" file in each. Other apps could have added their own entries to this file, so it may not be safe to completely delete it. Open each one and verify.


I think that's all.


You can also review Apple's default certificates from this page: Available trusted root certificates for Apple operating systems - Apple Support
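
The manual review suggested in the reply above, as an added example that is not part of the original posts: a shell script that lists every entry in each Firefox profile's "cert_override.txt" and, on macOS, dumps the admin-domain trust settings with the `security` command-line tool. The function names are hypothetical, and the tab-separated field layout of "cert_override.txt" (host:port first, fingerprint third) is an assumption.

```shell
#!/bin/sh
# Added example: review trust changes left behind by an installer.
# Function names are hypothetical. Assumption: cert_override.txt data lines
# are tab-separated with host:port in field 1 and the certificate
# fingerprint in field 3; lines starting with '#' are header comments.

# Print "profile<TAB>host:port<TAB>fingerprint" for every override found.
list_cert_overrides() {
    # $1: directory that contains the Firefox profile folders
    for f in "$1"/*/cert_override.txt; do
        [ -f "$f" ] || continue            # no override file in this profile
        profile=$(basename "$(dirname "$f")")
        awk -F '\t' -v p="$profile" '
            /^#/ || NF < 3 { next }        # skip comments and blank lines
            { print p "\t" $1 "\t" $3 }
        ' "$f"
    done
}

# macOS only: show certificates with explicit admin-domain trust settings.
list_admin_trust() {
    command -v security >/dev/null 2>&1 || return 0
    security dump-trust-settings -d
}

PROFILES="$HOME/Library/Application Support/Firefox/Profiles"
if [ -d "$PROFILES" ]; then
    list_cert_overrides "$PROFILES"
fi
list_admin_trust || true
```

Each printed line is a certificate exception stored for that host in that profile; compare the fingerprint with the certificate you removed from the "System" keychain before deleting the entry.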



Jul 10, 2023 12:58 PM in response to etresoft

Thanks so much for this.


I deleted the self-signed root certificate "Plantronics Hub" from the "System" keychain within Keychain Access.app, and I also deleted the files you mentioned, so I think I'm good now.


Unbelievably, after I closed all my windows I noticed a macOS dialog that had been sitting there the whole time which said:

    Keystroke Receiving
    
    "Plantronics Hub.app" would like to receive keystrokes from any application.
    
    Grant access to this application in Security & Privacy preferences, located in System Preferences.
    
    [Open System Preferences] [Deny]


I guess it would be stating the obvious to ask: WTF?!?


Unfortunately I needed this utility to disable the annoying "mute on" and "mute off" voice alerts and other gratuitous bleeps and bloops that my headset emits during the course of normal use.


In future, I guess I should make sure I only ever install crapware like this in a throwaway VM or something....


