OS X 10.5 Leopard brings a new Code Signing security feature that helps verify the integrity of an application. Applications are signed by their creators before being distributed using their private key, and then can be verified on the customer's machine using the companies public key.
The OS X Keychain Services leverage this new Code Signing feature to verify the signature of each application before it will allow access to the contents of the keychain. By verifying the signature, the OS X Keychain Services can detect when a potentially malicious change has been made to an application and thereby protect your sensitive data by denying the changed application access.
Since the upgrade to Leopard, many 1Password users have written in to mention that they cannot access their data, usually from within Safari. At first we were confused why the keychain data could not be accessed from within Safari, yet it was accessible from other browsers and the 1Password application.
It sounded like code signing could be the issue, and indeed it was. Today I received a call from a Senior Engineer at Apple who works on the Keychain team. As I was discussing code signing with him and how it could be the culprit, I mentioned that many users like to reclaim disk space by using applications like XSlimmer (see update) and other cleaning programs. Once he researched these tools he said his "jaw hit the floor" and exclaimed that all of these tools must be avoided when using code signing.
Sure enough, Code Signing does its job very well on Leopard, and after running one of these tools the signature of Safari becomes invalid. You can verify this yourself by using the codesign tool from Terminal. Here is the error given when Safari's signature no longer matches:
We ran XSlimmer on Safari in order to verify that the signature would break. XSlimmer is not alone in this 'application slimming' category, however, and other applications perform similar actions. I have not verified these applications first hand, but 1Password users that had invalid Safari code signatures reported that they had used Monolingual, Trimmit!, DeLocalizer, and Macaroni (See update below). In fact, any application that modifies Safari's resources can potentially cause an issue; users also reported Safaricon and Service Scrubber invalidated their Safari application signature.
Regardless of which application makes the change, once the Safari signature is invalid, the OS X Keychain Services will treat Safari as a suspect and deny it access to the keychain contents. The error code returned from Keychain Services in this situation is not consistent, but we have verified that the error codes -67061 and -25293 can be the result of this problem.
The morale of the story is that Code Signing and "application scrubbers" don't mix. I loved using these space saving tools in the past, but with Leopard you must be very careful with them. If you are on Leopard, I recommend you avoid cleaning Safari, but if you really feel strongly about saving a gigabyte of space, be sure to avoid cleaning any signed applications.
It seems that Safari is uniquely affected by these changes. Indeed, even Apple's documentation states "each architecture component is signed independently, it is all right to perform universal-binary operations (such as running the lipo command) on signed programs". It therefore seems to be a problem with the Code Signing and the Safari application, and not a problem with 'slimming applications'. With that said, I recommend you do not perform any changes to the Safari application's resources. Slimming the other Apple applications is apparently fine.
Restoring Safari to "Factory Defaults"
If the signature on your Safari application is invalid, you should restore Safari to its "factory defaults". You can use Time Machine to restore the original Safari files, or copy the entire /Applications/Safari folder from another machine. My preferred option in this situation is to use Pacifist to install the original Safari application from your Leopard Installation DVD.
UPDATE Nov 14, 2007 10:55PM EST: Tom Harrington from AtomicBird vehemently states in the comments that Macaroni does not have any effect on code signing. This is in direct contradiction to what several users of 1Password stated. It is unclear why there is a discrepancy here. In any event, verify your code signature using the terminal command shown above before emailing authors of these applications.
UPDATE Nov 14, 2007 11:05PM EST: There are also reports that changing the application signature can create problems with Leopard's firewall: LEOPARD CODE-SIGNING AND THE APPLICATION FIREWALL.
UPDATE Nov 15, 4:45OM EST: Francois, a 1Password user, wrote in to say "I want to clear up the situation regarding Safari code signing and Macaroni. I'm using Macaroni on Leopard since 3 weeks and I didn't notice any apparent issue with Safari, Keychain, 1Password or any other app". This combined with ralphdaily's comment below and correspondence with Tom Harrington makes it look like Macaroni has gotten a bad rap. OTOH, I have no idea why some users reported that it did cause issues. Perhaps they were using another application as well; I do not know for sure. In any event, if you are using Macaroni then keep using it! If you codesign command starts to fail, contact Tom and he will help; he obviously cares very much about his product, which I find commendable.
UPDATE Nov 15, 5:30PM EST: Jorge from XSlimmer commented that the latest version of XSlimmer has blacklisted Safari (and I imagine all other signed apps as well). If you grab the latest version of XSlimmer, you should be fine.
UPDATE Nov 15, 5:45PM EST: Daniel Jalkut from Red Sweater Software, whom I have great respect for, cautioned me in the comments that I should not be throwing around "accusations". I did not mean to accuse anyone but rather wanted to repeat what the Apple engineer told me (who literally hurt my ear he exclaimed so loudly). With that said, I have great respect for Daniel and so if that is how the post sounded, I do apologize. I changed it considerably so as to not give that impression.
UPDATE Nov 15, 6:00PM EST: Robert Roark commented that slimming other Apple applications does not invalidate their signatures. Robert speculates that it is a Safari specific phenomenon. This would coincide with Apple's documentation that states "each architecture component is signed independently, it is all right to perform universal-binary operations (such as running the lipo command) on signed programs".
UPDATE DEC 10: New version of Xslimmer recognizes signed applications. From the VersionTracker release notes: Xslimmer 1.2.8 honors the code signing technology introduced in Leopard, intended to ensure the integrity of applications. Xslimmer will not slim signed resources whose signature integrity has been required as "mandatory" by the developer. Most signed applications will still show important space savings, since it is usually not necessary to sign all of their components and resources.
