Verifying Codebook Downloads

👷🏽‍♂️ This page is still under construction! In the meantime you can find lots of helpful FAQ articles on our discussion forum.

Introduction

Codebook is an application that runs natively on four different operating systems: Android, iOS, macOS, and Windows. Each platform has its own mechanisms for delivering software to your device securely, either through a store or some sort of direct download. Since documentation of the security of the iTunes App Store, Mac App Store, and Google Play store is pretty readily available for those vendors, this article will focus on the security of downloading the Windows and Mac versions of Codebook directly from zetetic.net. We'll also discuss protections in place to protect you from downloading malicious binaries posing as Codebook.

HTTPS

We always distribute Codebook downloads over HTTPS, and redirect all HTTP requests on zetetic.net to HTTPS, so it would be extremely difficult to download either the Mac or Windows version without an encrypted connection. Using HTTPS not only helps to ensure the privacy of your download, it makes it difficult (though not impossible) for an attacker to intercept the connection and send you some other data instead. As of the time of this draft (currently Feb 15th, 2018) the TLS certificate we use for HTTPS is a 2048-bit key certificate issued by Thawte, with SHA-256 fingerprint: 3E 6C 9A 2B D0 EB 7D 65 8A 0B 4B 76 54 06 A5 F2 81 95 A1 EB A1 EF 21 56 64 91 D7 4C 87 15 64 45

Verifying macOS downloads

Codebook for macOS (the direct version, not the Mac App Store version) is distributed as a ZIP archive that contains a code-signed macOS application (Codebook.app). That binary is signed with Zetetic's Developer ID Certificate from Apple. macOS has a feature known as Gatekeeper that verifies the binary has been signed by Zetetic and that it hasn't been tampered with in any way (changing the binary invalidates the signature).

To enable (or confirm) this behavior on your Mac, go to System Preferences > Security & Privacy, and ensure that "App Store and identified developers" is checked under "Allow apps downloaded from:"

Screenshot: System Preferences Security & Privacy window

You can also check via the command line to see whether or not the downloaded app is validated using the system security policy tool in Terminal:

$ spctl -a -v --type execute /Applications/Codebook.app
/Applications/Codebook.app: accepted
source=Developer ID

In the output of the command above we can see that the system security policy (Gatekeeper) has validated Zetetic's signature and the integrity of the binary, approving it for execution. If we were to modify the binary (for instance, by choosing Show Package Contents and removing one of the image resources), the code signature would be invalidated and the check above would fail. At that point you'd no longer be able to launch the application.

Verifying Windows downloads

Codebook for Windows is distributed as an MSI installer package. The installer and the application itself are code-signed using Microsoft Authenticode technology. Code-signing Codebook for Windows allows a user to ensure the integrity and authenticity of the application on their machine. When the installer and application are code-signed, a digital signature is embedded within the files that can then be verified by Windows later. If the application binary was tampered with, the digital signature would become invalid and the user would be notified upon execution.

Code-signing alone is not enough, as malware too can be code-signed. Windows includes a feature called SmartScreen that is used to validate the reputation of an application. While many components are taken into account when determining the reputation score, code-signing is one of them: the identity of the software publisher, as established by the digital signature, feeds into that score.

During installation, Windows will validate the digital signature embedded within the installer. The User Account Control prompt displayed below during an installation shows the verified publisher based on the code signature:

You can also manually check the status of the Authenticode signature embedded in either the application or the installer package by executing the following commands from PowerShell:

(Get-AuthenticodeSignature "C:\Program Files (x86)\Zetetic LLC\Codebook\Codebook.exe")
(Get-AuthenticodeSignature "CodebookSetup.msi")

An example of running these commands can be found below:
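As an added example (not Zetetic's own script or the page's screenshot), the following PowerShell wraps the two commands above so that both files are checked together, and additionally requires the signer's certificate subject to name the expected publisher, since (as noted above) a valid Authenticode signature alone proves only that someone signed the file. The file paths come from the page; the expected publisher string "Zetetic" is an assumption taken from the install path "Zetetic LLC" and should be compared against the publisher shown in the UAC prompt.

```powershell
# Added example, not part of Zetetic's documentation or tooling.
# Verifies Authenticode status and signer identity for the Codebook
# installer and application binary.
param(
    [string[]]$Paths = @(
        "C:\Program Files (x86)\Zetetic LLC\Codebook\Codebook.exe",
        ".\CodebookSetup.msi"
    ),
    # Assumed publisher name (from the "Zetetic LLC" install path);
    # confirm it against the publisher shown in the UAC prompt.
    [string]$ExpectedPublisher = "Zetetic"
)

$allOk = $true
foreach ($path in $Paths) {
    if (-not (Test-Path -LiteralPath $path)) {
        Write-Warning "Not found: $path"
        $allOk = $false
        continue
    }

    $sig = Get-AuthenticodeSignature -FilePath $path
    $subject    = ""
    $thumbprint = ""
    if ($sig.SignerCertificate) {
        $subject    = $sig.SignerCertificate.Subject
        $thumbprint = $sig.SignerCertificate.Thumbprint
    }

    # Status 'Valid' means the embedded hash matches the file and the
    # certificate chain is trusted; 'HashMismatch' means the file was
    # modified after signing; 'NotSigned' means no signature is embedded.
    $statusOk    = $sig.Status -eq 'Valid'
    $publisherOk = $subject -like "*CN=*$ExpectedPublisher*"

    [pscustomobject]@{
        File        = $path
        Status      = $sig.Status
        Signer      = $subject
        Thumbprint  = $thumbprint
        Timestamped = [bool]$sig.TimeStamperCertificate
        Trusted     = ($statusOk -and $publisherOk)
    } | Format-List

    if (-not ($statusOk -and $publisherOk)) { $allOk = $false }
}

if ($allOk) { "All files carry a valid signature from $ExpectedPublisher"; exit 0 }
Write-Error "One or more files failed verification; do not install or run them"
exit 1
```

A HashMismatch status on either file indicates the download was altered after Zetetic signed it, which is exactly the tampering case the page describes.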