10.12.3 Combo update failing code sign verification, certificates fail, and mysterious error message from the Mac Store

Apple Care was totally stumped by this problem and I'm not sure where else I'd be able to verify this sort of information. I'm hoping someone here can help provide some sort of an explanation so I can lower my threat level back to elevated.


I ran codesign -vvv on my download package of macOS Sierra 10.12.3 Combo which returned ".../macosupdcombo10.12.3.dmg: code object is not signed at all"


I immediately reached for the nearest tin foil hat and proceeded to check it with the only app in the Mac store that verifies code and certificates, RB App Checker Lite (side note: it works very well, more people should be using these kinds of assurances). It returned a longer list of issues than I've ever seen before.

User uploaded file


I went back to download it again and some other various updates from the support.apple.com/downloads website, the same place I just had downloaded the one above from a few minutes before, and was given this error message after the website slowed to a crawl and only loaded the page's header:


User uploaded file


I spoke with Apple Care over the phone about all of this and was not given any sort of assistance at all and it seemed like the woman who helped me didn't believe I actually got this from their website. She asked how I did it because we were in a screen sharing session at the time and she could see it was a real webpage linking to Apple which I'm not noticing is cut off from my screenshot.


I tried again 2 later to determine if it was safe to install the software that I just downloaded but 2 hours into me being routed along the chain of command I was transferred to a supervisor who suggested there had been some sort of testing done when in fact there was nothing of the sort, not even a sysdiagnose command in the terminal and I had to even tell them what that is... So now I am still concerned for the authenticity of this update I downloaded from one of the only two official sources, disappointed in their lack of interest in assisting what seems like a potential security issue, and pretty surprised to find out that such attitudes exist.


Can anyone shed some light on all this?


User uploaded file

User uploaded file


The session was ended abruptly which almost didn't seem like legitimate Apple Care behavior and I realize by this point after two hours of typing I could have been a little more understanding of the limitations of his understanding of the operating system but I've never encountered less than friendly Apple employees. I'm wondering could this have been a faked chat/download/website??

MacBook Pro with Retina display, macOS Sierra (10.12.3)

Posted on Feb 25, 2017 12:31 PM

26 replies

Feb 26, 2017 5:44 AM in response to ChaseDaniel

It seems to me that the root cause is that "This root certificate is not in your keychain", i.e. somehow the root certificates installed on your Mac, which are stored in the System Keychain, have been deleted or corrupted. This is sufficient to explain pretty much all your issues. The two most likely causes for this are a faulty/corrupt disk drive and/or the machine owner unintentionally modifying the System Keychain without knowing what they are doing.


The remedy is to make sure your Mac is properly backed-up, use Disk Utility to verify that the disk is okay, and then reinstall macOS.


How to reinstall macOS - Apple Support


I would expect a straightforward 'reinstall' to do the trick, which will leave your user data and settings intact. If you suspect you have been 'hacked', then perform a wipe-and-install then bring back only documents from your backup.


It is possible to install system root certificates by hand if you have a second Mac to transfer them from, but if you had the skill-set needed to do this reliably I doubt you'd be seeking advice here.


C.

Feb 26, 2017 8:50 AM in response to cdhw

Thanks for the reply. I hope it is that simple really. That's very concerning then that if my keychain were corrupted somehow that it would display all 169 "System Roots" certificates in my keychain as valid. If a keychain were corruptible so easily this is a potential major vulnerability...although certificates are described by infoSec people as easily exploitable anyway and I believe there was even once a major incident with the App Store. It also doesn't explain the odd message I got from the support.apple.com/downloads website.


This computer has been such a nightmare I bought a second one and have been too afraid to use it. I'm starting to think that there is something actually wrong with the logicboard. I've never even called Apple Care once in the last 10 years and still have more issues I haven't had the time to wrap my head around.


I know that the cause of these problems can sometimes be difficult to pinpoint but I'm worried that wiping the hard drive is more of a bandaid on the recurrent issues. I guess I will save a time machine of this disk again for record keeping and rm -fdRv / then reinstall the OS from Internet Recovery...or maybe just skip that and do it from the Recovery HD. I've had a lot of Macs now and never had one with any sort or quantity of issues as this one. I ordered it like a few minutes after the page became available and got it on the first Monday they started shipping the 2016s and am starting to think a rush job may have impacted a number of things. This new keyboard noise thing everyone's talking about is a million times less troublesome than what I have dealt with.


Thanks for your input though, I'd love to have it be fixed and if you have anything more concrete to support the corrupted keychain theory that would be reassuring to see. I will write the CAs right now and include my details of what happened maybe they will have additional info and comment on the website issue.


I just read this discussion and am totally freaked out right now. ALL System Root Certificates Invalid in 10.12.3! I have very good reasons to fear this type of stuff too.

Jun 9, 2017 3:38 PM in response to etresoft

What exactly makes you say it's completely normal? Linc Davis' bash script Question regarding the messages in the system log identified at least one bad kernel extension and single user mode identified even more, specifically those ???? ones.

Unknown architecture isn't "normal."

"Stop using unsupported symbols

In addition, the exported KPI symbol lists are cleaned up for the 64-bit environment. If your code uses functions that are not exported by the 64-bit kernel, you will receive compile-time or load-time errors. https://developer.apple.com/library/content/documentation/Darwin/Conceptual/64bitPorting/KernelExtensionsandDrivers/Kern…

".kpi" means it's a network kernel extensions which "monitor and modify network traffic, and can receive notification of asynchronous events from the driver layer, such as interface status changes." https://developer.apple.com/library/content/documentation/Darwin/Conceptual/NKEConceptual/intro/intro.html

Feb 26, 2017 9:59 AM in response to ChaseDaniel

I don't have any 'theory'; all I see is evidence that some part of your system that uses root certificates to validate signatures isn't working. This could be a corrupted keychain, or any number of other possibilities. The good news is that as an end-user you only have one remedy for these and it's the same remedy for all of them:


1. Make a backup

2. Restart in Recovery Mode

3. Use Disk Utility to verify the target drive

4. Reinstall OS X


If this doesn't work, try again but for step 3 use Disk Utility, select the drive, and click the button labelled "Erase".


C.

Feb 26, 2017 11:12 AM in response to ChaseDaniel

Hello again ChaseDaniel,

I downloaded that update file and got the same results you did. Digital signatures are a complex mechanism. Most tools you will find are designed for 3rd party, stand-alone apps. They may not return correct results for Apple software.


This topic is too advanced for Apple Support. They won't be able to help.


All Apple apps are localized in many different languages, including Japanese.

Mar 1, 2017 1:23 AM in response to etresoft

Thanks that is good to hear I guess. I still am pretty convinced there is something abnormal happening. And it doesn't explain at all how I got that error message from Apple.com even the AppleCare person was confused and thought I made it and called them to mess with them.


That last discussion made me look at my kext which I hadn't really been super aware of until 2 days ago.


I have 2 2016 MBPs 15" very similar upgrades. One has been basically kept in the box, other is the problem. One is showing 86 kext and the other has about 150. None are prelinked on either and the first 6 addresses are not x86 architecture, they're coming up as "????/????"


And my idea?

Mar 3, 2017 8:54 AM in response to cdhw

ChaseDaniel was running codesign against the package itself, not the containing disk image. But generally, spctl does provide much more detailed information about signatures. It is much slower though. You can run it against the installer package too.


Threads like this are getting to be more and more common. Apple tries hard to present a "seamless" ecosystem, but lately they have been struggling with that. So people see the facade of grandeur and polish and like what they see. But then they peek into one of those seams and see the sausage being made. It is perfectly understandable that they are going to be confused by this paradox of perfection that they have come to believe in and the messy reality before their eyes that they cannot deny.


We can't heap too much blame on Apple though. It is an industry-wide phenomenon. Just the other day someone made a typo at Amazon and took down a fair portion of the Internet, including much of Apple. In my background, everything was scripted and tested for years before deployment. But today, there is a concept of "DevOps", where people are doing development on live, running code. The messiness at places like Apple and Amazon will only get worse. If they can't turn it around, it is inevitable that whole ecosystems will collapse upon themselves like a house of cards.


Unfortunately, the idea of "turning it around" isn't even on the table. Apple will just pull the Terminal so people can't look inside anymore, like on iOS. Amazon will just fire the person who made the typo.
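
Added example, not part of any post in this thread: a macOS shell script that checks a download with the tool matching its container type, following the point above that spctl can be run against the installer package. It opens the disk image and assesses the .pkg inside instead of running codesign on the .dmg. The use of `pkgutil --check-signature` and `hdiutil` is an addition here, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example (not from the thread). Run as: ./verify-download.sh <file>

# Map a file to the kind of signature check that applies to it.
assessment_type() {
  case "$1" in
    *.pkg|*.mpkg) echo install ;;    # installer package: installer signature
    *.app)        echo execute ;;    # code bundle: what codesign verifies
    *.dmg)        echo container ;;  # disk image: check the payload inside it
    *)            echo unknown ;;
  esac
}

check_pkg() {
  # Print the signer certificate chain, then ask Gatekeeper for its verdict.
  pkgutil --check-signature "$1" &&
    spctl --assess --verbose=2 --type install "$1"
}

verify_download() {
  local f=$1 mnt pkg rc=0
  case "$(assessment_type "$f")" in
    install) check_pkg "$f" ;;
    execute) codesign --verify --deep --strict --verbose=2 "$f" &&
             spctl --assess --verbose=2 --type execute "$f" ;;
    container)
      hdiutil verify "$f" || return 1   # image checksum only, not a signature
      mnt=$(mktemp -d) || return 1
      hdiutil attach -nobrowse -readonly -mountpoint "$mnt" "$f" >/dev/null ||
        return 1
      for pkg in "$mnt"/*.pkg; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$pkg" ] || { echo "no .pkg at top level of image" >&2; rc=1; break; }
        check_pkg "$pkg" || rc=1
      done
      hdiutil detach "$mnt" >/dev/null && rmdir "$mnt"
      return "$rc" ;;
    *) echo "unsupported file type: $f" >&2; return 2 ;;
  esac
}

if [ "$#" -gt 0 ]; then verify_download "$1"; fi
```

Exit status 0 means every check passed; a non-zero status from `check_pkg` means the package has no usable installer signature or Gatekeeper rejected it.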
