Hey Apple, were you hosting hacked copies of Xcode?

Using the validation method recommended by Apple, a check of an Xcode 6.4 -- downloaded from Apple servers -- failed. Here's how to check your copy


[Update: According to Apple, the validation procedure described in this article may not work with Xcode versions earlier than 7.0. See this follow-on article for details.] 

Yesterday morning, Apple sent out an email to developers advising them that Apple had “removed apps from the App Store that were built with a counterfeit version of Xcode, which had the potential to cause harm to customers.”

Apple also suggested, as Fahmida Rashid reported Monday, that counterfeit copies of Xcode downloaded from third-party servers, not Apple’s, were responsible for creating the malware-infected apps. Concurrent with the email, a post on the Apple developer blog appeared suggesting that developers validate their copy of Xcode to ensure it wasn’t a counterfeit copy spewing XcodeGhost malware.

Well, I tried validating my copy of Xcode using Apple’s validation method, and the results were alarming -- the Xcode 6.4 copy on my Mac, installed on July 8, 2015, at 12:24 p.m. directly from Apple, was not valid. I have never downloaded any copy of Xcode from anywhere except Apple servers.

Beginning yesterday, I've contacted Apple multiple times and the company has not responded.

Apple has not notified me that it has removed any of my apps from the App Store, so I'm assuming the ones I've compiled are fine for now. But I haven't uploaded any new versions in months.

I recommend checking your own copy of Xcode using the method recommended by Apple. The command-line utility spctl asks Gatekeeper to assess an application against the system policy, which includes verifying its code signature and the seal over the bundle's resources. Make sure to use these options:

spctl --assess --verbose /Applications/Xcode.app 

Even with the so-called verbose option, the answer doesn't contain much information. Apple says these are the only acceptable answers:

/Applications/Xcode.app: accepted
source=Mac App Store

/Applications/Xcode.app: accepted

/Applications/Xcode.app: accepted
source=Apple System

When I tested my version, I saw:

/Applications/Xcode.app: a sealed resource is missing or invalid

Which resource? I don't know and the verbose option won't help me. 

It's possible to find out a bit more by using the command-line utility codesign. In display mode it prints the signature's metadata (the identifier, the signing authority, the rules that decide which files are sealed) but verifies nothing; its --verify mode at the same verbosity level reports the specific files whose hashes no longer match the seal stored in the bundle's own Contents/_CodeSignature/CodeResources file, which is the reference spctl is checking against. To display the signature:

codesign --display --verbose=4 /Applications/Xcode.app
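The check above, as an added example script that is not from the article or from Apple: it runs the spctl assessment the article recommends, classifies the result, and on a rejection asks codesign --verify which sealed files are wrong. The three source values it accepts are the ones Apple's note lists (Mac App Store, Apple, Apple System); the "file modified/added/missing:" prefixes it looks for are the lines codesign prints for resource-seal failures and are an assumption you should check against your own output.

```shell
#!/bin/sh
# Added example (not the article's or Apple's code): assess an app bundle
# with Gatekeeper and, when it is rejected, list the offending sealed files.
# Run on a Mac as:  sh check_bundle.sh /Applications/Xcode.app

# gatekeeper_verdict: read `spctl --assess --verbose APP` output on stdin and
# print one word: "ok" (accepted and from a source Apple listed),
# "accepted-other-source" (accepted, but e.g. from a Developer ID), or "rejected".
gatekeeper_verdict() {
    accepted=no
    src=""
    while IFS= read -r line; do
        case "$line" in
            *": accepted") accepted=yes ;;
            source=*)      src="${line#source=}" ;;
        esac
    done
    if [ "$accepted" != yes ]; then
        echo rejected
        return 0
    fi
    # Source values as listed in Apple's September 2015 note.
    case "$src" in
        "Mac App Store"|"Apple"|"Apple System") echo ok ;;
        *) echo accepted-other-source ;;
    esac
}

# bad_resources: read `codesign --verify --verbose=4 APP` output on stdin and
# keep only the per-file diagnostics. Assumption: codesign reports seal
# failures with "file modified: ", "file added: " or "file missing: " prefixes.
bad_resources() {
    while IFS= read -r line; do
        case "$line" in
            "file modified: "*|"file added: "*|"file missing: "*) printf '%s\n' "$line" ;;
        esac
    done
}

# check_app APP: print the Gatekeeper verdict and, if rejected, the bad files.
check_app() {
    app="$1"
    # spctl and codesign write their diagnostics to stderr, hence 2>&1.
    verdict=$(spctl --assess --verbose "$app" 2>&1 | gatekeeper_verdict)
    printf '%s: %s\n' "$app" "$verdict"
    if [ "$verdict" = rejected ]; then
        codesign --verify --verbose=4 "$app" 2>&1 | bad_resources
    fi
}

if [ $# -gt 0 ]; then
    check_app "$1"
fi
```

Adding --deep to the codesign command also verifies nested code (frameworks, plug-ins and toolchain binaries inside the bundle) at the cost of a much longer run on something the size of Xcode.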

You can search deeper if you choose. I used the forensics software md5deep to check out my Xcode.app directory. You can look at the hash values of my files here.

To see if I could pinpoint which file is bad, I compared my md5deep results with those of a fellow Mac developer who's also still running version 6.4. Once he started the process, he found out that spctl calls his version of Xcode bad, too.

My friend is frantically updating his version of Xcode and checking his apps. But could this simply be an error in diagnosis -- or were both of our copies of Xcode 6.4 hacked with XcodeGhost? Could the failed signatures be caused by another attacker? Could Apple's digital signature process have loopholes and failure modes that we're only now discovering? We have no way of answering any of these questions at this point.

If anyone can compare my md5deep results to a legit version of 6.4 and offer any illumination on what's changed, we would appreciate the assistance.
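One way to do that comparison, as an added example that is not the article's own code: diff two md5deep listings (made with md5deep -r -l from the same directory, so the paths are relative and comparable) and report files that differ or exist on only one side. The listings and hashes embedded below are constructed placeholders, not real Xcode 6.4 hashes.

```shell
#!/bin/sh
# Added example (not the article's code): compare two md5deep listings of an
# Xcode.app tree. Listing format assumed: "<hash>  <relative path>" per line,
# as md5deep -r -l prints. Usage:  sh diff_hashes.sh mine.txt theirs.txt

# diff_hashes LIST_A LIST_B: print one line per path that is only in A,
# only in B, or present in both with a different hash. Everything after the
# hash and its separating whitespace is the path, so paths may contain spaces.
diff_hashes() {
    awk '
        {
            h = $1
            p = $0
            sub(/^[0-9A-Fa-f]+[ \t]+/, "", p)
        }
        NR == FNR { a[p] = h; next }   # first listing
        { b[p] = h }                     # second listing
        END {
            for (p in a) if (!(p in b)) print "only-in-first  " p
            for (p in b) if (!(p in a)) print "only-in-second " p
            for (p in a) if ((p in b) && a[p] != b[p]) print "differs        " p
        }' "$1" "$2" | sort
}

# sample_report: run diff_hashes over two constructed listings (placeholder
# hashes and paths, not real Xcode data) and print the result.
sample_report() {
    a=$(mktemp); b=$(mktemp)
    printf '%s\n' \
        'd41d8cd98f00b204e9800998ecf8427e  Xcode.app/Contents/Info.plist' \
        '0cc175b9c0f1b6a831c399e269772661  Xcode.app/Contents/MacOS/Xcode' \
        '92eb5ffee6ae2fec3ad71c777531578f  Xcode.app/Contents/Resources/en.lproj/Foo.strings' \
        > "$a"
    printf '%s\n' \
        'd41d8cd98f00b204e9800998ecf8427e  Xcode.app/Contents/Info.plist' \
        'ffffffffffffffffffffffffffffffff  Xcode.app/Contents/MacOS/Xcode' \
        '4a8a08f09d37b73795649038408b5f33  Xcode.app/Contents/Frameworks/Extra.framework/Extra' \
        > "$b"
    diff_hashes "$a" "$b"
    rm -f "$a" "$b"
}

if [ $# -eq 2 ]; then
    diff_hashes "$1" "$2"
else
    sample_report
fi
```

Two caveats. A match between two developers' listings only shows that their copies agree, not that either is genuine; the authoritative per-file reference is the seal in the bundle's Contents/_CodeSignature/CodeResources, which codesign --verify already checks. And md5deep ships sha256deep with the same output format, which is the better choice when the point is to detect deliberate tampering.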

Meanwhile, we await Apple’s response.

Copyright © 2015 IDG Communications, Inc.