|
1.8.1 (346)
|
Released on February 29, 2024
- Deliver results faster when typing in the
Open System Library with String Literal window.
- Fixed a bug where a visionOS component was reported as requiring a version of watchOS.
- Fixed a bug that would cause some macOS-defined launchd jobs to be missing from the
Launch Information inspector, when the associated
component was opened — which could be particularly confusing if you got there by using
Open System Component and matched on a launchd
job definition.
|
|
1.8 (342)
|
Released on February 11, 2024
- Added File > Open System Component (Control-Cmd-O), which allows
you to open a component of macOS itself, by searching for a specific name (or portion thereof).
This can be used to open:
- system frameworks (including those in PrivateFrameworks);
- system dylibs, even those moved into the DYLD shared cache and not actually on disk; and
- system executables started as launchd jobs.
After typing a name, simply pick the desired component from the list to open it.
[Read More]
- Added File > Open System Library with String Literal (Shift-Control-Cmd-O),
which also allows you to open a system framework or dylib, but by searching for a specific string
embedded in the library. This is similiar to searching the output of
strings(1), at
least in concept, but it works on (the vast majority of) system libraries that have been moved
into the DYLD shared cache.
[Read More]
- Added Component > Analyze Executable Using Hopper Disassembler (Shift-Cmd-D),
which points Hopper at the selected component's executable,
and automates through the various Hopper loading option dialogs. This even works for system frameworks
that have been moved into the DYLD shared cache, thanks to Hopper's ability to read that cache —
and support for using AppleScript to automate it.
[Read More]
- From the Executable Information inspector, you can now
directly open any of the system frameworks or libraries in a new Apparency window. Under
Dynamically Linked Libraries, select a library and choose
Open Library in Apparency — or just double-click. This
works only for libraries that are referenced by an absolute path (not
@rpath or other
DYLD variable paths, which are probably somewhere else in the current window anyway).
- Ability to open system dylibs that have been moved into the DYLD shared cache, and thus
don't even exist on disk, such as /usr/lib/libobjc.A.dylib. Although you can't use the
File > Open dialog for these — there's nothing to choose! —
there are several other ways to open these:
- use File > Open System Component and type the base name of the library,
such as “libobjc”: you can then select the library to open;
- if you have an opened component that uses that library, open the
Executable Information inspector and double-click on
the library; or
- if you know the canonical path for the library, use the
appy command line tool.
Whichever way you open the dylib, you can see its linked libraries, examine its embedded strings
(see below) and/or pass it to Hopper for reverse engineering.
- Added Component > Show String Literals from Executable (Shift-Option-Cmd-X).
This inspector shows the constant strings that are built into the Mach-O executable. This is
similar to what you'd get by running
strings(1), although Apparency doesn't
look for strings as aggressively (or heuristically) as strings(1). Apparency searches
only in Mach-O sections that are declared to contain NULL-terminated C strings.
You can filter and sort the list of strings in various ways, which can be helpful when you are
reverse engineering an executable. Importantly, you can use this inspector on a framework or dylib
that has been moved into the DYLD shared cache.
[Read More]
- Enhanced the File > Open > Look for components in de facto “code places”
option to be more aggressive about finding bundles and/or code in non-standard places. This mode
is a tradeoff between completeness and performance, but we may have overstressed performance in the past.
Now, in addition to searching the Resources folder, it will also search non-standard directories
at the top-level of the bundle Contents. Whether there are any such places varies with the app:
most have none, some have a few, Xcode has many. Note that if you enable this option on a particularly
large and complex app (like Xcode), you may experience a delay before the Apparency window appears (one reason
that we don't turn this on by default).
|
|
1.7 (316)
|
Released on November 5, 2023
- Enhanced the Launch Information inspector
to show implicit launch constraints,
which are those associated with the components of macOS itself. Open a macOS component in
Apparency, and use
Component > Show Launch Information to see the constraints that apply.
Use Window > Implicit Launch Constraints to see all of the implicit
constraints defined by macOS.
Props to Csaba Fitzl for reverse-engineering
and documenting this mechanism.
- Improved the handling of components that are ad hoc-signed by the macOS linker. The linker does this signing to meet
the Apple Silicon requirement that all executables have a code signing digest, or cdhash.
This used to be shown as having Conflicting signatures,
which was technically accurate (because the Intel code is usually unsigned) but was nevertheless
confusing. Now, in the most typical case of linker signing, the Signed By will be
Linker (Ad-Hoc).
- Enabled the Show Code Signature button (on the toolbar or the info pane) for more
cases of Conflicting signatures, especially those
involving ad-hoc signatures. This allows you to see the details for each processor architecture. For
example, this can be useful on certain apps exported by Script Debugger's
Export Run-Only command.
- For macOS Sonoma “web apps” — created in Safari using File > Add to Dock —
Apparency now shows a Kind Detail of “Safari Web App” in the info pane.
- Fixed a bug where certain macOS frameworks wouldn't open correctly, showing the error
bundle format is ambiguous (could be app or framework).
This could happen after a macOS update, if the framework now resides on a a
“cryptex”
rather than on the
Signed System Volume.
(This can happen with Rapid Security Response updates, but also with updates like Safari, which installs
new versions of WebKit and related frameworks.) Apparency will now correctly recognize the special status
of macOS system frameworks, even on the cryptex volume.
- Fixed a bug where opening a component using the “appy” command-line tool could silently fail,
especially if the given path happens to be a symbolic link, such as /Applications/Safari.app (which
links to a path on a “cryptex” volume). Apparency will now properly open the target of
the symlink — or will show an error if it can't do so.
- Removed support for macOS 11 (Big Sur).
|
|
1.6.1 (294.3)
|
Released on October 20, 2023
- Fixed a bug that could cause Apparency to crash on startup, if you happened to have an installed
launchd job in which the definition plist has a
Program key with an unexpected type.
Apparency reads all of the launchd job definitions to associate
them with components, for showing in the Launch Information inspector.
However, it dealt badly with some technically-out-of-spec keys that don't seem to bother launchd.
Now Apparency is more circumspect.
|
|
1.6 (294)
|
Released on September 23, 2023
- Compatibility updates for macOS 14 (Sonoma).
- Added new Launch Information inspector, which shows:
- The info pane now shows the number of Launchd Jobs that reference the
selected component; if there are any, you can click the link button to open the
Launch Information inspector for more details.
- Improved the Kind Detail (in the info pane) for a number of newer App Extension types,
and fixed a few types that had been incorrectly described.
- When inspecting an Info Property List, Entitlements or a Launchd Job Definition, you can
Control-click on an item (dictionary key or array item) to copy various bits
to the clipboard: the key, the value or a new property list with just that item, in XML
format. For Info Property List files, you can also copy the
plutil(1) or
PlistBuddy(8) command that would extract that value from the property list,
for pasting into Terminal or using in scripts.
- When searching an Info Property List, Entitlements or a Launchd Job Definition, recent
search terms will now be preserved across components and app launches.
- Added support for opening an xcframework: this allows you to inspect the code signature
on the xcframework itself (encouraged with Xcode 15 workflows), and examine the individual
frameworks that it contains for each platform.
- When generating Quick Look previews, Apparency will now skip verification of the code signature if it
might take any meaningful amount of time. Previously, the Quick Look preview used the
same heuristics as the app, but it is just too easy to trigger an
unwanted preview request for a large app, just by clicking around in the Finder or an Open panel.
You might click away immediately, but macOS doesn't notify us that the preview was cancelled, and
so our Quick Look Preview extension process — which, in Activity Monitor, might be called
Open and Save Panel Service (Apparency) or Apparency (Finder) —
can churn through a lot of CPU to produce a preview that nobody wants! This might result in some
Quick Look previews — ones that you do want — showing
Skipped verification due to size; if this occurs,
click Open with Apparency to see the verification results in the app.
|
|
1.5.1 (285)
|
Released on April 4, 2023
- Added the required (minimum) macOS version to the info pane (and also to the Quick Look
preview). This is extracted from the Info.plist, or failing that, the Mach-O binary
deployment target version. If there are different requirements for different architectures,
Apparency will show the oldest supported version: if you require more detail, you can use
Component > Show Info Property List,
and/or Component > Show Executable Information.
[Read More]
- Improved explanation for a code signature with an expired certificate: we no longer claim
the certificate is “not trusted by macOS” since it clearly is (for some purposes),
but instead explain that macOS mostly doesn't care. We also show the expiration date
more prominently.
- Added Component > Open Component With Archaeology, for when you need
a lower-level view of a bundle or Mach-O executable.
|
|
1.5 (277)
|
Released on October 22, 2022
- Compatibility updates for macOS 13 (Ventura), including:
- Recognize new bundled helper daemons and agents (managed via the new
SMAppService API)
If Apparency finds launchd plists in Contents/Library/LaunchAgents or
Contents/Library/LaunchDaemons, it will ensure that the referenced helper binary is
shown as a component, with a kind of “Background app service agent” or
“Background app service daemon.” If you select such a component, you can use
Component > Show Launchd Configuration to view
the associated launchd job definition plist.
- Fix a problem where opening a system framework (whose binary has been moved to the
DYLD Shared Cache) would produce a “bundle format is
ambiguous” message. (Apple changed the bundle structure of these system frameworks again, so
that now instead of missing a top-level binary symlink, as on Big Sur and Monterey, they have a
broken symlink at that location.)
- Stubbornly refuse to let our Preferences menu item
be renamed to “Settings.” Sure, it's very generous of Apple to
to automatically change this one string for us, but the menu item is referenced in
dozens of other places in our alerts and documentation, and we just don't
see the value in changing every one of those and having them be wrong for users on
Monterey and Big Sur...
- Fixed a bug where a code signature might have been incorrectly reported as valid if
the executable was corrupted (or tampered with) only for an inactive processor
architecture. For example, if you were running Apparency on an Apple Silicon Mac, and select a
component that has both Apple Silicon — 64-bit and
Intel — 64-bit support, and if the Apple Silicon part
was valid but the Intel part was corrupted, Apparency would show the signature as verified.
Now it will properly report Can't verify signature in
this case. Use Component > Show Code Signature to see details for each architecture.
- Fixed a bug where a code signature from an expired certificate was properly shown as
such, but the Gatekeeper status was evaluated as if the signature was trusted, which
was confusing. Now the Gatekeeper status is shown as
Can't evaluate in such cases.
- Added Component > Quick Look Component to show an inline preview of
the selected component. Although this isn't especially useful for bundles and Mach-O executables
(where it tends to produce a preview generated by Apparency itself), it can be
useful when an app contains script components that are previewable as text. (You might need to
enable searching in de facto “code places” in order
to see such scripts.)
- When requesting Quick Look previews, Apparency tries to “convince” macOS to choose a
better preview extension for some files, by making a temporary copy with an
adjusted file name. For example, a Perl script named installcli might be
uselessly previewed as a Unix Executable File, but Apparency knows
it's a Perl script (from the
#! directive) and will ask Quick Look to preview
it as installcli.pl instead -- thus showing the actual source text of the script.
When this trick is used, Apparency will show a pencil icon next to the file name at the top of
the preview: click this for details about the file kinds that Apparency inferred and how it
renamed the temporary copy.
- When holding down Option to use Component > Show Executable in Finder, or
Edit > Copy Path for Executable, the executable path for a framework will be
resolved of symlinks, so that one gets directly to the versioned executable.
- Tweaked the validation of App Store receipts so that the Receipt Verified
status — shown in Component > Show App Store Receipt —
more closely matches the result of modern Apple sample code.
- Removed support for macOS 10.15 (Catalina).
|
|
1.4.1 (218)
|
Released on March 14, 2022
- Added File > Show Entitlements for All Executables (Command-Control-A)
to show a single “merged” view of all entitlements across all components of an app. You can
also select an entitlement and copy the identifying information for all components that request it,
in a form that can be pasted directly into a PPPC Profile.
[Read More]
- Tries harder to avoid showing “stale” component information — especially
version strings — when an app has been recently updated. This was an issue with macOS caching
of bundle information. The Quick Look preview was especially susceptible, since the lifetime of
our app extension process is completely under the control of the Quick Look mechanism. We believe
that stale info is less likely to appear now, but there may still be circumstances where Quick Look
previews themselves are cached.
- Make the Quick Look preview activate for more file kinds, including App Extensions (such as those for
sharing, photo editing or widgets), Network Extensions, Endpoint Security Extensions and DriverKit
Extensions. These are mostly only buried inside app bundles, but it can still be useful to
Quick Look them from Suspicious Package.
- Find components in Contents/Library/LaunchServices — these are usually
“privileged helper tools,” which the app can install (with password authorization) via
the ServiceManagement framework. If such a component has an embedded launchd plist — as is
required by
ServiceManagement — this can be viewed using Component > Show Launchd Configuration.
- Find components in Contents/Applications as an additional
de facto “code place”.
- More standard Info.plist and entitlement keys are linked to Apple documentation, via
Open Apple Documentation for Key button.
- Recognize apps with TestFlight signatures as Apple-signed code, akin to App Store signing.
- Addition of “appy” command-line tool, for quickly opening an item in Apparency
from the Terminal. See Help > About the Command-Line Tool for installation instructions.
|
|
1.4 (175)
|
Released on December 7, 2021
- Make the Quick Look preview activate for more file kinds, including standalone (old-style)
Quick Look generators, (old-style) Spotlight importers, generic bundles and kernel
extensions. [The latter works only on macOS 11 (Big Sur) or later, since kernel extensions
finally got a system-defined UTI in the same release that deprecated them!]
- Show the component Kind in the Quick Look preview, and fix several issues around the
display of the icon, executable information and sizing for certain standalone executable
types, such as Mach-O dylibs and shell scripts.
- Various fixes to make Quick Look
previews from Suspicious Package more clear and
useful, and to ensure that items exported from a package are presented properly, even
if found in a temporary directory -- as will be the case for items auto-exported by
Suspicious Package for previewing, and then opened in Apparency proper.
- Added an option to look for components in de facto
“code places”.
- The attributes on the info pane are more universally selectable and copyable.
[Read More]
- Improved handling when opening the main executable of
a bundle directly, e.g. opening X.app/Contents/MacOS/X instead of X.app.
- Improved handling of certain Apple-signed software where the code signature
couldn't be verified due to “custom omit rules.”
- Additional detail for Component > Show Notarization Ticket,
including the actual notarized hashes and how they map onto architecture-specific
components within the app.
- Removed support for macOS 10.14 (Mojave).
|
|
1.3 (130)
|
Released on August 28, 2021
- Compatibility updates for macOS 12 (Monterey), including:
- In the info pane, allow the Identifier, Version and
Signed By values to be selected and, therefore, copied.
- Fixed a bug where an app's main executable might show up as a separate component. (This would
happen only when the app was on the data volume of a system volume group other than the booted one.)
- Fixed a bug where the Edit and Component menu
items related to shared app group containers
might not be visible through the Accessibility interface — which could also impact apps
such as Many Tricks Menuwhere.
- Fixed a bug where the search field in the Entitlements inspector could stop working after changing
processor architectures.
- More quickly stop any running code signature verification when closing an Apparency
window. Unfortunately, the code signing API limits how efficiently we can stop verification
that is already under way, but Apparency is now better about not starting irrelevant
verification work after the window is closed.
- Squashed some memory leaks in the determination of Gatekeeper policies.
|
|
1.2 (118)
|
Released on March 7, 2021
- Runs natively on Apple Silicon Macs.
- Improved compatibility with macOS 11 (Big Sur), including:
- Adopted the new “unified” style for the toolbar, and updated the icons
to fit in better with the general Big Sur “design language” —
especially when the toolbar is configured for Icon Only mode.
- Updated to a new iOS-style
Big Sur-style app icon. We're still not fans, but since our app icons were all
circles before, we can't get too snotty about them all being “squircles”
now. Having every icon on the system be the same shape seems a dubious improvement
to macOS, but our icons aren't going to change anything.
- Fixed other display and icon issues throughout the app.
- Added Component > Show Provisioning Profile, which will be enabled for
certain apps that use iCloud or other services and features that Apple restricts more tightly,
at least outside of the App Store.
(A provisioning profile is also used to restrict an app to running on specific devices, but
this much less likely for macOS apps than for iOS ones.)
- Where an app has a provisioning profile, Components > Show Entitlements will
show which entitlements are provisioned and which are not (and which do not
require provisioning). This appears as an icon in the last column.
- Added Component > Show App Store Receipt, which will be enabled for any
app installed from the Mac App Store. This allows you to see attributes
of the receipt, including original purchase attributes, and to examine the
validity of the receipt and the Apple signature thereon. If a receipt
is found, File > Show in App Store will show the product page for the app in
the App Store.
- Added handling of a notarization ticket, where one is “stapled” to the
main app bundle. Where this is found and verified, you'll see the Notarization
given as Granted — Stapled Ticket
for the component called out in the ticket. You can also use
Component > Show Notarization Ticket to examine the Apple
signature on the ticket.
- Added Component > Show App Container in Finder, and
Edit > Copy Path for App Container, for apps and other
components that use the App Sandbox. The app container can also be revealed using
the new Show Container toolbar button.
- Added Component > Show Group Container in Finder, and
Edit > Copy Path for Group Container, for components that
opt into shared app groups.
- Added recognition of System Extensions (such as Network Extensions and Endpoint
Security extensions) as components that can exist inside an app bundle, and
improved determination of the Kind Detail for various extension kinds.
- Improved checking and reporting of the trust associated with code-signing
certificates. Component > Show Code Signature now describes the category
of certificate, from amongst the various types that can be issued or used by Apple,
as well as other signature- and certificate-related attributes. It also more
clearly shows when certificates have expired (in the absence of a verified
signing time).
- From the Executable Information sheet, allow Edit > Copy of a selected
Dynamically Linked Library, Runtime Search Path or DYLD Environment row. (For a library, the
original library install path is copied.)
- Made the Signature column more clear for certain cases, such as where Gatekeeper
would reject a verified (but insufficient) signature.
- Made the Quick Look preview more usable from the Finder's preview pane, i.e.
View > Show Preview. Since the preview pane is typically much smaller,
and since some information is shown directly by the Finder at the bottom of that
pane, Apparency now uses a more compact format here. When using View > as Gallery,
or the classic separate window of File > Quick Look Item,
Apparency still creates a larger preview. Unfortunately,
Apple provides no proper way for us to detect what context we're being shown in, so
there's a bit of guesswork involved here, but we think it at least works better than it did.
- Fixed some bugs in the handling of the toolbar, including the fact that changes made via
View > Customize Toolbar did not get saved, and that items
pushed into the trailing “overflow” section of the toolbar did not get enabled properly.
|
|
1.1.1 (75)
|
Released on November 6, 2020
- Updated for general compatibility with macOS 11 (Big Sur) — albeit with some caveats.
- On Big Sur, when opening a system framework on the new sealed system volume,
Apparency finds the executable in the DYLD shared cache so that the Executable Information
is still available. Also, Apparency no longer shows a bunch of errors about the now-broken code signature on
such system frameworks. See more info here.
- If a component is signed by a now-revoked certificate, allow Show Code Signature,
so one can see the details of the certificate and/or export it for further analysis. (In this situation,
codesign(1) does not provide useful certificate details nor allow it to be exported.)
- Enable a standalone Mach-O binary to be opened even if it lacks an executable bit, at least via drag-and-drop
or from another app — like Suspicious Package, which intentionally strips the executable bit from Mach-O
binaries in the installer scripts but still ought to be able them in Apparency!
|
|
1.1 (66)
|
Released on August 21, 2020
- Enhancements for opening “universal” apps that support more than
one processor architecture, such as an app updated for the new Apple Silicon Macs,
or an older one that still has 32-bit support.
- Added the Executable type to the Info pane: this shows the supported processor
architectures. Click on this text to see the underlying symbolic names for the architectures, such
as
x86_64 or arm64.
- Enhanced the Executable Information sheet to show the processor architecture, and to
allow choosing from among the architectures provided by the app or component.
- Show the new Apple Silicon processor architecture where supported, in both
the info pane and the Executable Information sheet. [This doesn't mean that Apparency itself is
a “universal” app: see more info here.]
- Enhanced code signature handling to examine every supported architecture — there
is a distinct signature for each one — and flag any differences between them: see
more info here.
- Added the supported architectures to the Quick Look preview on macOS 10.15 (Catalina) and beyond.
- Added Downloaded details to the Info pane, when available: click to cycle
amongst the download date, app and kind.
- Enhanced Executable Information sheet to show the target platform, which is usually
simply macOS but can sometimes be something else, like
UIKit for Mac (“Catalyst”).
- Added option in Preferences > General to show the
code signing options in the Info pane.
- Added Edit > Copy Code Signing Identity (Cmd-Ctrl-C) to copy the
designated requirement of the component, such as
for pasting into a PCCC profile.
- Improved handling of components with non-Mach-O executables (such as interpreted scripts).
- Enhancements in performance and responsiveness, especially when opening large apps.
- Added an Internet Access Policy to
Apparency: this is a mechanism defined by Objective Development, the makers
of Little Snitch. If you use
Little Snitch, you'll get more useful information about
Apparency's network connection attempts — which are for one purpose only:
the periodic checking for an updated version of the app.
|
|
1.0 (43)
|
Released on June 27, 2020
- Initial release of Apparency.
|