Adium

Adium, application security, and your keychain

As of Adium 1.2.4, the Adium binary is signed. This means that our cryptographic signature is embedded in official releases of the application, and that any changes to that bundle will invalidate the signature and thereby alert your system (assuming it is running Mac OS X 10.5 or later) that the integrity of the program is compromised. One of the most obvious advantages of this besides basic security is that you should no longer be prompted to allow new versions to access your keychain items; the security layer can tell with confidence that Adium 1.2.5 is signed by the same folks who signed Adium 1.2.4 and that it should be allowed without question.

If you mess with the Adium binary in any way, you will invalidate the signature, and access to secure resources — specifically keychain items where your passwords are stored — will be disallowed by Mac OS X. Don’t do that.

A prime example (seen in our IRC support channel recently) are the programs such as Monolingual designed to “slim down” Universal Binary (a.k.a. “fat binary”) programs which have both PPC and Intel code. Removing part of the code invalidates the signature. This leads to warning messages.

Apple is encouraging all developers to sign their applications; this won’t be a (non-)problem restricted to Adium. Since only copies of Adium built by the Adium team in our super-secret underground lab are signed, you can of course make your own build and change it however you want — this includes removing one architecture or the other.

While you’re at it, get involved in development! :)

19 Responses to “Adium, application security, and your keychain”

  1. Matt Says:

    Hey,

    Good to hear! I am curious about what you’re doing to protect your private signing key, though.
    I hope it’s not in a position to be easily compromised! ;)

  2. Lucky Says:

    So if I slim it and it will ask for password, will it be ok after i type it and OK?

  3. Anonymous Says:

    Would this affect a Chroot’ed Adium, Even if the whole Adium.app is contained in the jail?

  4. Evan Schoenberg Says:

    @matt: Not to worry: It’s in a lock box.

    @lucky: I’m not sure how the system handles invalid signatures. Try it and let us know! :)

    @anonymous: I don’t know what chroot has to do with application signing.

  5. Lucky Says:

    It’s close to what I thought. Instead of asking for Keychain access, it asked for for each password of each id I was using. http://img210.imageshack.us/my.php?image=screenshot1gp8.png

    To you guys think there could be a way to “fix” this? I prefer to have my binaries slimmed.

  6. Zac West Says:

    @lucky: That entirely defeats the purpose of the keychain, and is more so a security nightmare than anything. Imagine an Application modifies Adium.app, you see that, enter your password, voila: you lose your accounts.

    If you want to “slim” your binaries, you’re going to need to compile your own Adium.

  7. Anonymous Says:

    Yahoo! Japan has changed protocol AGAIN.
    I don’t know why Yahoo!Japan changes protocol many times at so short span.lol

  8. Thomas Says:

    Hmm, I don’t trust any application on my computer, that why I don’t work as an admin.

    Now I have to trust someone I don’t know?

    I don’t like that. I really like to know if their is way to not trust signed code, since it is not trustworthy, well not every case trustworthy.

  9. David Smith Says:

    No code is trustworthy. Ken Thompson demonstrated this to great effect in his famous “Reflections on Trusting Trust” talk, a transcript of which is available here; http://cm.bell-labs.com/who/ken/trust.html

  10. Evan Schoenberg Says:

    @thomas: signed code doesn’t gain any new privileges, nor is it automatically trusted in any way. Code signing allows trsut you grant once to propagate to other versions of the same program which have the same signature; having given Adium access to a specific item in your keychain, subsequent versions will also have that specific access allowance.

  11. Taylor Carrigan Says:

    What does this mean for those of us who like using custom .NIBs to make Adium’s contact list look more like iChat with an enclosed list (bar at the bottom), or various other styles that have been released?

  12. Zac West Says:

    It means you’ll have to compile your own Adium to modify the nibs (which I think is already the case, since we cut out information from the release nibs that prevents them from being edited)

  13. Lucky Says:

    Hey check thisout! http://osx.iusethis.com/app/versions/4116

    Is this a life saver or what? :P

  14. Tim Says:

    @lucky, regarding the newly released Xslimmer: Does it work with the new Adium? Ever since Leopard was released, I haven’t used this app due to the code signing and don’t want to reinstall my OS just to try this.

  15. Lucky Says:

    @tim

    That’s exactly why I posted that url where you can see that they even mention that Xslimmer is now more compatible with Adium.

    Reinstalling an OS? How does Xslimmer affect that? :P

  16. Adium speichert keine Passwörter mehr » Frank Helmschrott Says:

    [...] auf eine recht neue Veröffentlichung von Adium selbst gestoßen bin. Mitte April war im Blog von Adium zu lesen, dass das Binary (die Programmdatei) ab sofort signiert ist und durch die Signatur [...]

  17. terlik Says:

    thank yo

  18. Resuna Says:

    Thanks for the warning, I guess I’ll have to see about disabling this paranoid security theatre in all my apps when I upgrade to leopard.

  19. paresh Says:

    nice, thankful to ur warning.